Why:
The Fedora 44 container build helper kept a redundant post-run status
check even though the script already exits on command failure.
Impact:
No behavior change; the helper still prints the push command only after a
successful container smoke test.
Before/After:
Before, the script carried a shellcheck suppression for an unreachable
failure branch. After, normal set -e flow controls the success path.
Technical Overview:
Remove the explicit `$?` check after the `docker run` smoke test.
Keep the READY TO PUSH output directly after the smoke test command.
This matches the existing `set -e` contract and avoids unnecessary local
lint suppression in the new Fedora 44 helper.
Validation:
- shellcheck packaging/docker/dev_env/fedora/base/44/build.sh
With the help of AI-Agents: OpenAI Codex
Why: Fedora 44 is now the useful fast feedback target for pull
requests, while Fedora 43 remains the supported compatibility check for
daily coverage.
Impact: PR CI now uses Fedora 44 and daily distro CI uses Fedora 43.
The obsolete Fedora 42 dev-container definition is removed.
Before/After: PR CI used Fedora 43 and daily CI used Fedora 42; now PR
CI uses Fedora 44 and daily CI keeps Fedora 43 coverage.
Technical Overview:
- Add a Fedora 44 dev-container definition.
- Adjust the Fedora 44 image for Java 25 package names.
- Pass the CMake compatibility policy needed by libfaup under Fedora 44.
- Point the regular run_checks Fedora lane at the Fedora 44 image.
- Move the daily distro Fedora lane from Fedora 42 to Fedora 43.
- Remove the Fedora 42 dev-container definition from git.
Validation:
- Built rsyslog/rsyslog_dev_base_fedora:44 locally.
- Ran the container build script smoke test successfully.
- Ran a full Fedora 44 all-module build with make -j80 successfully.
- actionlint .github/workflows/run_checks.yml .github/workflows/run_distro_daily.yml
- shellcheck packaging/docker/dev_env/fedora/base/44/build.sh packaging/docker/dev_env/fedora/base/44/tag-previous.sh
With the help of AI-Agents: Codex
Why:
CI requested --enable-compile-warnings=error, but some lanes used a singular configure spelling that was never accepted by configure, and some bootstrap or package-build paths lacked the Autoconf Archive macros needed by AX_COMPILER_FLAGS. The singular typo was masked because git-tree builds already default to warning level error. Dev-container definitions also had no PR gate that validates changed container build inputs.
Impact:
Fixes CI warning-policy plumbing, package-build macro dependencies, warnings exposed by that policy across Linux and macOS builds, and a branch-protection-friendly dev-container definition build gate.
Before/After:
Before, missing macros or stale configure flags could make -Werror ineffective or leave literal AX_* macro calls in regenerated configure scripts, and container definition changes were not validated by PR CI. After, required macros are installed or declared in bootstrap and package environments, stale internal configure flags are corrected to the supported spelling, changed dev-container Dockerfiles are built by the check workflow, and runtime sources compile cleanly under the restored warning-as-error policy.
Technical Overview:
Require AX_IS_RELEASE and AX_COMPILER_FLAGS when building with a GCC-like compiler instead of silently falling back to weaker warning flags. Add an m4_pattern_forbid guard so missing AX_* macro expansion is reported during bootstrap instead of later as a confusing configure shell syntax error.
Keep the Autoconf Archive option surface unchanged: the supported option is --enable-compile-warnings. The singular --enable-compile-warning spelling was introduced in an internal dev-container definition in 2019, is reported as unrecognized on older release labels such as v8.2504.0, and is corrected here rather than promoted into a new rsyslog alias.
Install or declare autoconf-archive in direct GitHub-hosted bootstrap paths, Debian/RPM package build metadata that reruns autoreconf, and the cross-arch helper image. Update stale internal dev-container configure defaults to use --enable-compile-warnings=error.
Add a dev container definition CI job to run_checks.yml. It uses changed-files to detect devtools/ci and packaging/docker/dev_env container-definition changes, builds only the affected Dockerfiles, handles shared dev_env/common context users, and exits successfully with a skip message when no concrete container build is relevant.
Mark recovered-queue-size and non-Linux network namespace helpers as intentionally unused where their feature-specific code paths are not compiled. Keep inotify and epoll bookkeeping scoped to the feature guards that consume it, avoid deprecated raw syscall use for macOS thread-id debug output, and make the JSON escape cleanup path explicit for 32-bit compiler analysis.
With the help of AI-Agents: OpenAI Codex
Why:
Fedora 42 and CentOS 8 still provide useful portability and
image-drift signal, but they mostly duplicate adjacent PR runtime
lanes. Keeping them in every PR makes the regular matrix slower
without adding enough per-change confidence to justify the cost.
The Debian sid PR lane no longer provides reliable rolling-Debian
signal because its devcontainer image is not rebuilt frequently.
Impact:
Regular PR CI runs fewer duplicate or misleading distro lanes; daily CI
keeps full configured coverage for the moved distro lanes and opens or
updates tracking issues when scheduled lanes fail.
Before/After:
Before, centos_8, fedora_42, and a stale debian_sid image ran on every
PR. After, centos_8 and fedora_42 run as full-suite daily distro lanes,
and the stale debian_sid lane/container is removed.
Technical Overview:
Remove centos_8, fedora_42, and debian_sid from the run_checks.yml PR
matrix.
Add run_distro_daily.yml for full configured distro test runs using the
same devcontainer images and configure options as the removed centos_8
and fedora_42 PR lanes.
Delete the Debian sid devcontainer definition because an unreliably
rebuilt sid image is a stale snapshot rather than a trustworthy
upcoming-Debian canary.
Do not apply PR relevance pruning to daily distro runs; scheduled runs
must test the full configured lane because any code may have changed
since the previous run.
Use the same ci-failure artifact naming and log globs as regular PR CI
so the flake collector can process scheduled failures through the same
path.
Add or align tracking issue reporting for the touched daily and weekly
scheduled workflows so failures provide a persistent triage handle.
Restrict tracking issue search to open issues so failures cannot update
a closed tracker and become hidden.
Clarify in issue summaries that failures must be classified as one-off
flakes or regressions and that the long-term expectation is fewer
flakes as recurring causes are fixed.
Keep issue-write permission scoped to reporting jobs only.
With the help of AI-Agents: Codex
Why: reduce the shell lint backlog with mechanical, low-risk fixes.
Impact: no intended behavior change; scripts now preserve assignment failures.
Before/After: the full-tree ShellCheck warning count drops from 521 to 370.
Technical Overview:
Split test export/local command substitutions into separate assignment and declaration steps.
Leave tests/diag.sh for a later focused pass because its helpers need more review.
Add explicit cd failure handling to dev_env packaging helper scripts.
Clean older ShellCheck warnings in touched files so the PR diff is ShellCheck-clean.
With the help of AI-Agents: Codex
Why:
Improve system reliability, resolve obsolete modules, and prevent
potential out-of-bounds reads, memory leaks, and unbounded dynamic
allocations in key runtime components and output plugins.
Impact:
Percentile stats parsing, HTTP authorization headers, and cryptography
key-script length validation are hardened against invalid input. The
obsolete omfile-hardened module is fully removed.
Before/After:
Unchecked configuration/script parameters and unsafe realloc functions
are replaced with strict bounds validation and safe pointers.
Technical Overview:
- Excised the outdated and unused omfile-hardened module from build
files, package copyright lists, and component-package maps.
- Enforced configured percentile ranges [0, 100] in perctile_stats.c,
gracefully aborting on out-of-bounds parameter values.
- Implemented temporary-pointer reassignment for HTTP headers realloc
in omhttp.c, avoiding dynamic memory leaks on allocation failure.
- Constrained the external cryptography key provider length output to
be within (0, 65536] bytes in libcry_common.c, preventing potential
integer wrap-around and massive heap allocations.
With the help of AI-Agents: Antigravity
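The two allocation patterns this commit message describes, as an added C example that is not rsyslog's own code: growing a header buffer through a temporary pointer so a failed realloc does not leak the original block, and range-checking an externally supplied key length before it is used as an allocation size. The `hdr_buf` type, the function names and the decimal text format of the length are assumptions; the (0, 65536] bound is the one stated above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN_MAX 65536L /* upper bound quoted in the commit: (0, 65536] */

/* Hypothetical growable header buffer (not an rsyslog type). */
struct hdr_buf {
    char *data;
    size_t len; /* bytes used, excluding the terminating NUL */
};

/* Append one header line plus CRLF.
 * The leaky form is `b->data = realloc(b->data, n);` which overwrites the
 * only pointer to the old block with NULL when realloc fails. Here the
 * result goes to a temporary first, so on failure b->data is still valid
 * and still owned by the caller. */
int hdr_append(struct hdr_buf *b, const char *line)
{
    size_t add = strlen(line);
    if (add > SIZE_MAX - 3 - b->len)
        return -1; /* size computation would wrap */
    char *tmp = realloc(b->data, b->len + add + 3);
    if (tmp == NULL)
        return -1; /* old buffer untouched, nothing leaked */
    b->data = tmp;
    memcpy(b->data + b->len, line, add);
    memcpy(b->data + b->len + add, "\r\n", 3); /* CR, LF and NUL */
    b->len += add + 2;
    return 0;
}

/* Parse the length announced by an external key provider and accept it only
 * inside (0, 65536]. A negative value converted to size_t would become a
 * huge allocation request, so the range check happens on the signed value. */
int parse_key_len(const char *text, size_t *out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || (*end != '\0' && *end != '\n'))
        return -1; /* out of long range, empty, or trailing junk */
    if (v <= 0 || v > KEY_LEN_MAX)
        return -1; /* zero, negative, or oversized */
    *out = (size_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    struct hdr_buf b = {NULL, 0};
    size_t klen = 0;
    if (hdr_append(&b, "Authorization: Bearer example-token") != 0)
        return 1;
    printf("%s", b.data);
    printf("\"32\"    -> %d\n", parse_key_len("32\n", &klen));
    printf("\"-1\"    -> %d\n", parse_key_len("-1\n", &klen));
    printf("\"65537\" -> %d\n", parse_key_len("65537\n", &klen));
    free(b.data);
    return 0;
}
```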
Why: make shell lint results actionable and deterministic.
Impact: no intended behavior change beyond small portability and lint
cleanup fixes.
Before/After: ShellCheck error-level findings are clear for changed
scripts, and CodeFactor reports fewer legacy shell lint findings.
Technical Overview:
- add explicit shebangs to scripts that started with commands
- mark sourced packaging config fragments as bash for ShellCheck
- replace ash-incompatible source and == usage in Alpine helpers
- clean up CodeFactor-reported ShellCheck findings in diag.sh and
selected test helpers
- fix SC2035, SC2006, SC2028, SC2268, SC2319, and SC2145 buckets
- fix remaining small one-offs for SC2003, SC2103, SC2219, SC1001,
SC2166, SC2062, SC2216, and SC2005
- preserve complex command status explicitly where direct if-command
checks would be less clear
With the help of AI-Agents: Codex
Why:
Help agents run useful CodeFactor-style linters locally without making
tool availability a hard local build dependency.
Impact:
Docs-only workflow guidance plus a shebang for an Alpine helper touched
by this PR.
Before/After:
Agents knew about Python style checks. They now also have optional
shell, Dockerfile, config, and duplication checks.
Technical Overview:
Document optional shellcheck, hadolint, trivy config, and jscpd passes
for local PR validation.
Guard the commands with tool availability checks and keep missing tools
advisory.
Keep cppcheck out of the routine checklist because it is too noisy for
this repository.
Use null-delimited diff file lists for copied shellcheck and hadolint
examples.
Add a /bin/sh shebang to the Alpine setup helper so shellcheck can
classify it correctly.
Validation:
git diff --check; devtools/format-python.sh.
actionlint python_style.yml.
Ran optional shellcheck command successfully after the shebang fix.
trivy config on python_style.yml and jscpd on changed docs were clean.
hadolint was run and reported existing Dockerfile backlog, so it remains
advisory.
With the help of AI-Agents: Codex
Why:
Make Python style cleanup repeatable without forcing forks or local
agent environments to preinstall the same tools.
Impact:
Python-only style cleanup plus an optional changed-file PR check.
Runtime behavior should be unchanged.
Before/After:
pycodestyle noise was ad hoc. The repo now has a 120-column baseline,
helper, workflow, and dev image support.
Technical Overview:
Normalize tracked Python files with autopep8 and pycodestyle, using
shared setup.cfg configuration.
Add devtools/format-python.sh so local agents can check or
intentionally fix Python formatting when tools are installed.
Add a pull-request workflow that installs pycodestyle and checks only
changed Python files to avoid full-tree style churn.
Document optional local behavior in AGENTS.md and rsyslog agent skills,
including Debian/Ubuntu install guidance.
Add pycodestyle and autopep8 packages to maintained development
container definitions and codex setup.
Register omotel_proxy_server.py in tests/Makefile.am because the
omotel-proxy test uses it.
Validation:
devtools/format-python.sh; actionlint python_style.yml;
git diff --check.
CentOS 7 image has Python 2.7.5; py_compile only failed for
already-Python-3-only files.
Full container CI was intentionally left to the PR matrix.
With the help of AI-Agents: Codex
Add a native regex lookup-table filter to the base container image so operators can drop known noisy events before packaged outputs process them. Document the inherited behavior and cover the default and named-ruleset paths with a testbench scenario.
closes https://github.com/rsyslog/rsyslog/issues/5821
Add libyaml development packages to the Fedora 42 and 43 dev-base images and remove the matching CI --disable-libyaml opt-outs.
Keep mbedTLS on TLS 1.2 for Mbed TLS releases before 3.6.1, because upstream documents TLS 1.3 regressions before that release. For Mbed TLS 3.6.1 and newer, limit only weak authentication modes that still fail the mixed-driver rsyslog TLS tests. Stronger authentication modes can negotiate TLS 1.3.
Log the TLS 1.2 cap once through an atomic compare-and-swap so concurrent connections do not race on the warning flag.
Document the mbedTLS TLS version split, including the upstream Mbed TLS workaround reference, so users who require TLS 1.3 can choose a stronger auth mode or another TLS netstream driver as appropriate.
Also defer certificate verification result handling until the Mbed TLS handshake has completed successfully.
Validation:
- Fedora 42 CI-style run-ci.sh testbench passed locally with libyaml enabled.
- Fedora 43 CI-style run-ci.sh testbench passed locally with libyaml enabled.
- ./autogen.sh --enable-debug --enable-testbench --enable-gnutls --enable-mbedtls --enable-openssl --disable-elasticsearch-tests --disable-kafka-tests --disable-Werror
- make -j40
- ./tests/sndrcv_tls_gtls_serveranon_mbedtls_clientanon.sh
- ./tests/sndrcv_tls_gtls_servercert_mbedtls_clientanon.sh
- ./tests/sndrcv_tls_servercert_mbedtls_clientanon.sh
- ./tests/sndrcv_tls_servercert_bad_eku_no_chk_mbedtls_clientanon.sh
- cd tests && ./sndrcv_tls_mbedtls_certvalid.sh
- git diff --check
- actionlint .github/workflows/run_checks.yml
- zizmor --strict-collection .github/workflows
Why:
imbeats can receive connections from several thousand agents. The old
one-thread-per-session model did not scale to that deployment shape and
could exhaust process resources before useful work was done.
Impact:
imbeats handles many idle or active clients through bounded workers.
Before/After:
Before, each accepted session owned a pthread. After, sessions are
multiplexed through listener readiness and a configurable worker pool.
Technical Overview:
Add native imbeats session multiplexing around the Lumberjack parser.
The listener owns accept/readiness handling and workers process session
state machines without using syslog TCP framing.
Add an epoll path with one-shot session ownership and rearm handling.
Keep a poll-based fallback for platforms without epoll support.
Add maxSessions, workerThreads, and starvationProtection.maxReads so
operators can bound accepted clients and worker fairness explicitly.
Expose counters for active, rejected, and starvation-protected sessions.
Derive peer IP and port metadata from the accepted socket address. This
avoids relying on driver-owned remote IP properties in the imbeats
session path while preserving message and metadata fields.
Enable imbeats in the Ubuntu 26.04 dev container, add a configure
summary line, and run focused imbeats scripts in the CI imbeats job.
Publish the refreshed 26.04 dev image so CI can pick up the module.
Document the new parameters and add tests for maxSessions and for
making progress while several idle sessions remain connected. Also add
the missing maxBatchBytes module toctree entry identified by cubic and
comment defensive compressed-frame rejection paths from AI review.
With the help of AI-Agents: Codex, Herschel
Enable imbeats (Lumberjack v2 / Beats input) in the EL8/EL9 spec with
%package/%description/%files and --enable-imbeats in %configure. Bump
release and changelog. Synced with upstream so plugins/imbeats is in
the tree used for builds.
Why:
Elastic Agent and Beats can send events through the Logstash output using the
Lumberjack protocol. rsyslog needs a native input for this protocol so these
agents can feed existing rsyslog processing and forwarding pipelines directly.
Impact:
Adds the optional imbeats input module, documentation, tests, and a sample
container for receiving Beats data over plain TCP or TLS.
Before/After:
Before, rsyslog had no native Beats/Lumberjack input. After, imbeats can accept
Lumberjack v2 JSON events, preserve the original payload, expose parsed fields
under $!, and acknowledge received batches.
Technical Overview:
The new imbeats module uses rsyslog netstream listeners to accept Lumberjack v2
window, JSON, compressed, and ACK flows. It decodes event JSON into message
properties, stores receiver metadata under $!metadata!imbeats, and provides
bounds for window size, frame size, and decompressed payload size. The module
supports TLS through the existing stream driver configuration surface. The
change wires imbeats into configure and Automake, adds RainerScript and YAML
tests, documents module and parameter usage, adds an imbeats CI job, and
provides a sample user-facing container definition without adding it to the
release container build flow.
With the help of AI-Agents: Codex
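A bounded frame-header parser for the Lumberjack v2 window, JSON and compressed frames named above, plus the ACK a receiver sends back, as an added C example that is not the imbeats source. The limit values and all identifiers are assumptions; compressed payloads are only length-checked here, not inflated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limits for illustration; imbeats has its own parameters. */
#define MAX_WINDOW      65536u
#define MAX_FRAME_BYTES (1u << 20)

enum lj_status { LJ_OK = 0, LJ_NEED_MORE = 1, LJ_BAD = -1 };

struct lj_frame {
    char type;              /* 'W', 'J' or 'C' */
    uint32_t value;         /* window size ('W') or sequence number ('J') */
    const uint8_t *payload; /* points into the input for 'J' and 'C' */
    uint32_t payload_len;
    size_t consumed;        /* total bytes this frame occupies */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one frame from the start of buf. Every frame begins with the
 * version byte '2' and a type byte; all integers are 32-bit big-endian. */
enum lj_status lj_parse(const uint8_t *buf, size_t len, struct lj_frame *f)
{
    size_t hdr;

    if (len < 2)
        return LJ_NEED_MORE;
    if (buf[0] != '2')
        return LJ_BAD;
    f->type = (char)buf[1];
    f->value = 0;
    f->payload = NULL;
    f->payload_len = 0;
    f->consumed = 0;

    switch (buf[1]) {
    case 'W': /* '2' 'W' <window size> */
        if (len < 6)
            return LJ_NEED_MORE;
        f->value = be32(buf + 2);
        if (f->value > MAX_WINDOW)
            return LJ_BAD;
        f->consumed = 6;
        return LJ_OK;
    case 'J': /* '2' 'J' <sequence> <length> <json> */
        hdr = 10;
        break;
    case 'C': /* '2' 'C' <length> <zlib data> */
        hdr = 6;
        break;
    default:
        return LJ_BAD;
    }
    if (len < hdr)
        return LJ_NEED_MORE;
    if (buf[1] == 'J')
        f->value = be32(buf + 2);
    f->payload_len = be32(buf + hdr - 4);
    /* Reject on the declared length before buffering any of the body, so a
     * peer cannot make the receiver reserve memory for a 4 GiB frame. */
    if (f->payload_len > MAX_FRAME_BYTES)
        return LJ_BAD;
    if (len - hdr < f->payload_len)
        return LJ_NEED_MORE;
    f->payload = buf + hdr;
    f->consumed = hdr + f->payload_len;
    return LJ_OK;
}

/* Build the 6-byte ACK for the highest sequence number processed. */
void lj_ack(uint32_t seq, uint8_t out[6])
{
    out[0] = '2';
    out[1] = 'A';
    out[2] = (uint8_t)(seq >> 24);
    out[3] = (uint8_t)(seq >> 16);
    out[4] = (uint8_t)(seq >> 8);
    out[5] = (uint8_t)seq;
}

int main(void)
{
    /* Constructed sample: one JSON frame, sequence 1, payload {"a":1}. */
    const uint8_t j[] = {'2', 'J', 0, 0, 0, 1, 0, 0, 0, 7,
                         '{', '"', 'a', '"', ':', '1', '}'};
    struct lj_frame f;
    if (lj_parse(j, sizeof j, &f) == LJ_OK)
        printf("type=%c seq=%u len=%u\n", f.type, (unsigned)f.value,
               (unsigned)f.payload_len);
    return 0;
}
```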
Why: local devcontainer runs should not depend on a password for maintenance commands such as starting mysql.
Impact: Ubuntu dev containers grant passwordless sudo to all users, and devcontainer.sh now supplies passwd/group/shadow entries for numeric uid/gid mappings when needed.
Before/After: mapped uid 1000 and unknown numeric users could fail sudo; now both can run sudo -n in the devcontainer path.
Technical Overview: Add a final sudoers rule to the active Ubuntu 20.04, 22.04, 24.04, and 26.04 development base images so every user known inside the image gets NOPASSWD sudo.
Teach devtools/devcontainer.sh to normalize RSYSLOG_CONTAINER_UID into real docker -u arguments, preserving the empty value that selects the image default user.
When a numeric uid:gid mapping is used, copy passwd, group, and shadow from the image into temporary files and add a synthetic user/group for missing ids. Bind those files read-only into the container so sudo can resolve and validate the invoking account.
Validate the wrapper with shell syntax checks, shellcheck, an arbitrary uid userdb smoke test, sudoers validation, and a rebuilt Ubuntu 26.04 image sudo/mysql smoke test.
With the help of AI-Agents: Codex
Why:
Container image CI validates the PPA-backed container package family, not
ordinary source changes, and it must not mix Ubuntu archive rsyslog
modules with Adiscon PPA core packages.
Impact:
Container CI now runs only for container workflow/package changes or a
manual dispatch. Container builds fail if the selected PPA cannot be
refreshed or if rsyslog packages would come from Ubuntu's archive.
Before/After:
Before, the workflow produced no-op results for unrelated PRs and apt
could continue after a PPA refresh warning; after, the workflow is
path-scoped and rsyslog packages are pinned to the selected Adiscon PPA.
Technical Overview:
Restrict the pull_request trigger to packaging/docker/rsyslog and this
workflow file, matching the purpose of the container smoke tests.
Remove the changed-files no-op gate because the workflow is no longer a
broad branch-protection placeholder.
Keep the short SHA output out of the shell script body by passing it via
the smoke-test step environment.
Pass the selected PPA origin into the minimal image build and install an
apt preferences file that prefers rsyslog packages from that origin and
rejects rsyslog packages from Ubuntu.
Use APT::Update::Error-Mode=any for all PPA-dependent image layers so a
PPA refresh problem fails before apt can use stale or fallback indexes.
With the help of AI-Agents: Codex
Why:
Keep CI current with the Ubuntu toolchain that developers and future
runners will increasingly see. Ubuntu 26.04 brings newer compiler,
libc, curl, CMake, and clang analyzer behavior, so it is useful as an
early warning lane before broader CI migration.
Impact:
Only the clang static analyzer job moves to Ubuntu 26.04 for now. The
rest of CI stays on the existing images. Follow-up commits are expected
to move additional CI jobs after this canary lane has proven stable.
Before/After:
Before, the static analyzer used the Ubuntu 24.04 dev image. After, it
uses the Ubuntu 26.04 image and the current clang analyzer toolchain.
Technical Overview:
Duplicate the Ubuntu 24.04 dev base image definition for 26.04 and keep
its DockerHub tag as rsyslog/rsyslog_dev_base_ubuntu:26.04.
Use the 24.04 OBS package repository where 26.04 packages are not yet
published, and update bootstrap details for current Ubuntu behavior.
Set the 26.04 container analyzer defaults to the installed clang 21
scan-build tools and llvm-symbolizer.
Switch only the GitHub Actions clang static analyzer job to the new
26.04 image.
Fix the 26.04 image helper script so cleanup does not hide test failure,
and remove a stale sudoers entry for a user that is not created.
Docker Definitions:
Add packaging/docker/dev_env/ubuntu/base/26.04 as the new Ubuntu 26.04
base image directory. It contains the Dockerfile, build helper,
tag-previous helper, and the ClickHouse TLS/config files copied from the
24.04 environment so the new image has the same test support surface.
The Dockerfile remains a direct 24.04 derivative, with only the changes
needed for Ubuntu 26.04 package availability, current tool behavior, and
the clang static analyzer canary.
Static Analyzer Findings:
The newer analyzer found several real defensive gaps. These are fixed
with normal runtime checks and error handling rather than suppressions:
path rewriting now updates the intended byte, empty TCP worksets are
rejected before dereference, template creation errors are propagated,
decrypt reads handle EOF and stream errors cleanly, and statefile,
journal, DTLS socket, and Kubernetes metadata paths now guard invalid
or missing values.
The newer Ubuntu headers also exposed portability issues in libcurl
calls. Those were not analyzer bugs, but the 26.04 toolchain correctly
requires long or size-typed arguments for several curl options. The
affected HTTP, ClickHouse, Elasticsearch, Kubernetes, HTTPFS, and fmhttp
paths now pass the expected types.
One report led to hygiene rather than a proven runtime bug: omfwd now
stores errno immediately after sendto so later logging cannot obscure
the original send failure.
The remaining analyzer reports were reviewed as false positives and are
suppressed narrowly for clang analyzer builds only. KSI state restore
and IV seeding are serialized by module_lock, and omprog status reads
are bounded by the preceding poll timeout. The suppression sites include
inline comments explaining those assumptions.
Docker image:
rsyslog/rsyslog_dev_base_ubuntu:26.04
sha256:576d27bf5c9c783989caf8aeeae0c6bce1434b547b09fdf1ae956033058144f5
Validation:
devtools/format-code.sh --git-changed
Docker image rebuild and post-build tool/user checks.
sh -n packaging/docker/dev_env/ubuntu/base/26.04/build.sh
git diff --check
static analyzer in rsyslog/rsyslog_dev_base_ubuntu:26.04
with SCAN_BUILD=scan-build, SCAN_BUILD_CC=clang, and
SCAN_BUILD_REPORT_DIR=scan-build-report.
The run starts from make clean inside the dev container and reports:
scan-build: No bugs found.
static analyzer result: 0
With the help of AI-Agents: Codex, Rawls
BEFORE: omotel not compiled or packaged during RPM builds.
AFTER: omotel built and shipped as rsyslog-omotel sub-package.
Add --enable-omotel to configure flags and introduce %package,
%description, and %files sections. All required build deps
already present in the spec.
Why:
Users need official rsyslog container images on ARM64 systems, including
SBCs and ARM64 cloud instances.
Impact:
Manual container releases can now publish amd64 and arm64 manifests.
Before/After:
Before, release publishing produced single-architecture Docker images.
After, release publishing uses Buildx for linux/amd64 and linux/arm64.
Technical Overview:
Add Buildx release targets for all published container image variants.
Keep local Docker builds single-platform by default.
Add an optional DOCKER_BUILD_PLATFORM knob for CI validation builds.
Pass release platforms through release-images.sh with --platforms.
Update container CI to build each image variant for amd64 and arm64.
Document the multi-platform release flow and manifest-based latest tags.
Validation:
bash packaging/docker/rsyslog/release-images.sh --help
bash -n packaging/docker/rsyslog/release-images.sh
Closes: https://github.com/rsyslog/rsyslog/issues/6738
Why:
The collector image documentation said omkafka was available, but
its package was never installed in the image.
Impact:
Collector containers now ship rsyslog-kafka and the docs describe
that Kafka use still requires mounted custom config.
Before/After:
Before the collector image lacked omkafka; after it ships the
module and documents the supported config boundary.
Technical Overview:
Install rsyslog-kafka in the collector Dockerfile together with the
existing collector-focused packages.
Update the collector container reference and Docker Hub metadata to
state that omkafka is included for custom rules.
Clarify that environment variables only control the packaged
collector snippets and do not provide a built-in Kafka forwarding
interface.
Closes https://github.com/rsyslog/rsyslog/issues/6471
With the help of AI-Agents: Codex
Why:
The PR review correctly pointed out that one Docker build
argument was passed but never consumed. Keeping it produces
unnecessary builder noise and weakens the change.
Impact:
Container builds no longer pass an unused build argument.
Before/After:
Before: docker build received an unused RSYSLOG_PPA_CHANNEL arg.
After: docker build only receives the consumed PPA arg.
Technical Overview:
Remove RSYSLOG_PPA_CHANNEL from PPA_BUILD_ARGS in the Docker
Makefile.
Keep RSYSLOG_APT_PPA as the single build argument that controls
the selected package source inside the minimal image build.
This preserves the stable-by-default and daily override
behavior without Docker warnings about unconsumed arguments.
With the help of AI-Agents: Codex
Why:
Operators rebuilding user-facing images after a stable rsyslog
release should not silently pull packages from daily-stable.
The workflow needs a stable-first default with an explicit
opt-in path for daily builds.
Impact:
Container builds and release pushes now use v8-stable by
default and can switch to daily-stable explicitly.
Before/After:
Before: rsyslog image builds always installed from daily-stable.
After: builds default to v8-stable and daily-stable is opt-in.
Technical Overview:
Add PPA_CHANNEL to the container Makefile and validate the
accepted channel values.
Pass the selected Adiscon PPA into the minimal image build as
an explicit Docker build argument.
Keep release_build, release_push, and release_publish aligned
with the selected release channel.
Add a release-images.sh wrapper that uses stable by default and
exposes explicit long options plus a --daily shortcut.
Update the Docker documentation to describe the stable default,
the daily override, and the wrapper workflow.
With the help of AI-Agents: Codex
Why:
The service-input hardening pass needs imczmq to reject malformed
configuration early and CI to have the dependencies needed to cover
that path reliably.
Impact:
Invalid imczmq topic and socktype settings now fail closed, and the
Ubuntu 24.04 check lanes install the missing libevent dependency.
Before/After:
Before, imczmq mutated owned topic state, leaked topic strings, and
accepted oversize topics until listener setup; after, config parsing
validates and preserves topic state up front and CI can exercise it.
Technical Overview:
Add a topic validator that rejects per-topic entries longer than the
fixed subscription buffer before runtime setup.
Convert imczmq config string extraction to checked allocations and
reject unsupported socktype values explicitly.
Stop mutating the owned topics pointer while iterating subscriptions,
so listener setup works from stable config state.
Free topics during config teardown to close the matching lifecycle gap.
Register a direct N1 regression for oversize topics and extend its
module search path to include the contrib build output.
Install libevent-dev in the Ubuntu 24.04 check workflow and the
matching dev container source so imhiredis coverage is available.
With the help of AI-Agents: Codex
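One way to validate a topic list at configuration time without modifying the configured string, as an added C example that is not the imczmq source. The comma separator, the 256-byte `TOPIC_BUF_SIZE`, the rejection of empty entries and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOPIC_BUF_SIZE 256 /* assumed size of the fixed subscription buffer */

/* Walk the list read-only. strtok() is avoided on purpose: it writes NUL
 * bytes into its argument, which would change the owned config string while
 * it is being iterated. Returns the number of topics, or -1 if any entry is
 * empty or would not fit in TOPIC_BUF_SIZE together with its NUL. */
int topics_validate(const char *topics)
{
    int count = 0;
    const char *p = topics;

    if (p == NULL || *p == '\0')
        return -1;
    for (;;) {
        size_t n = strcspn(p, ",");
        if (n == 0 || n >= TOPIC_BUF_SIZE)
            return -1;
        count++;
        if (p[n] == '\0')
            break;
        p += n + 1; /* step over the comma */
    }
    return count;
}

/* Copy the idx-th topic into a fixed buffer for the subscribe call.
 * The length is checked again here so the copy is safe even if the caller
 * skipped topics_validate(). Returns 0 on success, -1 otherwise. */
int topics_get(const char *topics, int idx, char out[TOPIC_BUF_SIZE])
{
    const char *p = topics;

    if (p == NULL || idx < 0)
        return -1;
    for (;;) {
        size_t n = strcspn(p, ",");
        if (idx == 0) {
            if (n == 0 || n >= TOPIC_BUF_SIZE)
                return -1;
            memcpy(out, p, n);
            out[n] = '\0';
            return 0;
        }
        if (p[n] == '\0')
            return -1; /* ran past the last entry */
        p += n + 1;
        idx--;
    }
}

int main(void)
{
    /* Constructed sample configuration value. */
    const char cfg[] = "alerts,metrics,audit";
    char topic[TOPIC_BUF_SIZE];
    int n = topics_validate(cfg);

    for (int i = 0; i < n; i++) {
        if (topics_get(cfg, i, topic) == 0)
            printf("subscribe: %s\n", topic);
    }
    printf("config still intact: %s\n", cfg);
    return n == 3 ? 0 : 1;
}
```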
Why: The Ubuntu package job was able to pass without actually
running the container-side build script, which meant it no longer
proved that any binary packages were built.
Impact: The Dockerized package-build script now executes in CI, and
the job fails if no .deb artifacts are produced in the workspace.
Before/After: Before, docker run returned immediately and the host
script reported success with no package artifacts. After, the
container receives the heredoc script and the host asserts that
.deb files exist.
Technical Overview:
Pass stdin through to the package-build container with docker run -i
so bash -s inside the container actually reads and executes the
embedded bootstrap script.
Add an explicit artifact check after the container exits so the
script fails if the expected .deb files were not copied back to the
workspace.
Keep the existing retry and mirror-selection logic unchanged.
With the help of AI-Agents: Codex
Why: Automatic fallback should help the default archive path recover,
but it must not silently replace a mirror that was explicitly chosen
by CI or a local operator.
Impact: Explicit archive or security mirror overrides now disable the
automatic fallback switch while preserving all existing retry logic.
Before/After: Before, retry exhaustion could reroute even explicit
mirror selections to the fallback mirror. After, only the default
mirror path can auto-fallback.
Technical Overview:
Track whether the primary archive or security mirror was configured
explicitly through the environment.
Guard switch_to_fallback_mirror so it only rewrites sources when the
current primary mirrors came from the built-in defaults.
Leave proxy handling and the existing fallback-aware retry coverage
unchanged.
With the help of AI-Agents: Codex
Why: The package build hardening should cover every command in the
container bootstrap that can fail due to mirror instability.
Impact: Universe enablement is retried, and mk-build-deps now uses
the fallback-aware retry path like the other apt-driven steps.
Before/After: Before, two package bootstrap steps still bypassed the
full retry and fallback handling. After, they follow the same policy
as the rest of the container apt setup.
Technical Overview:
Wrap add-apt-repository for universe in the retry helper to keep the
bootstrap sequencing consistent.
Switch mk-build-deps from apt_retry to apt_retry_with_fallback so it
can also trigger the mirror reroute when dependency installation
fails on the primary archive path.
Keep the existing fallback and retry behavior unchanged elsewhere.
With the help of AI-Agents: Codex
Why: Ubuntu package jobs keep failing because the fresh build
container depends on archive paths that can stay unreachable
long enough for apt retries alone to be ineffective.
Impact: Ubuntu package CI now defaults to HTTPS archive access,
automatically falls back to a secondary mirror after archive
failures, and still allows explicit proxy or mirror overrides.
Before/After: Package jobs failed on sustained archive outages;
now they automatically reroute and retry within the container.
Technical Overview:
Move the Dockerized Ubuntu package bootstrap to a heredoc-based
script so container-side apt behavior can be managed clearly.
Add environment-controlled apt proxy and mirror settings for the
package build container, and pass those settings from run_checks.
Default the container to HTTPS Ubuntu archive endpoints instead of
plain HTTP, and keep explicit overrides higher priority.
Add bounded retry helpers around apt update, package installs, and
mk-build-deps with IPv4 and timeout hardening.
Automatically switch to an Azure-backed fallback mirror when the
primary Ubuntu archive path still fails after the bounded retries.
Keep the source-package path unchanged aside from documentation of
the new environment knobs.
With the help of AI-Agents: Codex
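
Added sketch, not the project's script: the bounded retry, automatic fallback and explicit-override guard described in the three commit messages above, reduced to a single mirror. The helper names come from the messages; `PKG_MIRROR`, the placeholder URLs, the retry count and `fake_apt` are assumptions, and a variable stands in for rewriting the apt sources.

```shell
#!/usr/bin/env bash
# Added example (not the rsyslog build script). All values are placeholders.
DEFAULT_MIRROR="https://primary.example.invalid/ubuntu"
FALLBACK_MIRROR="https://fallback.example.invalid/ubuntu"
MAX_TRIES=3

# Pick the primary mirror and record whether it was an explicit override.
init_mirror() {
    if [ -n "${PKG_MIRROR:-}" ]; then
        ACTIVE_MIRROR=$PKG_MIRROR; MIRROR_EXPLICIT=1
    else
        ACTIVE_MIRROR=$DEFAULT_MIRROR; MIRROR_EXPLICIT=0
    fi
    USING_FALLBACK=0
}

# Bounded retry: run "$@" at most MAX_TRIES times.
apt_retry() {
    try=1
    while [ "$try" -le "$MAX_TRIES" ]; do
        "$@" && return 0
        try=$((try + 1))
    done
    return 1
}

# Reroute only if the primary came from the built-in default and the
# fallback has not been used yet; an explicit choice is never replaced.
switch_to_fallback_mirror() {
    [ "$MIRROR_EXPLICIT" -eq 0 ] || return 1
    [ "$USING_FALLBACK" -eq 0 ] || return 1
    ACTIVE_MIRROR=$FALLBACK_MIRROR; USING_FALLBACK=1
}

# Retry on the primary, then once more after a permitted reroute.
apt_retry_with_fallback() {
    apt_retry "$@" && return 0
    switch_to_fallback_mirror || return 1
    apt_retry "$@"
}

# Constructed stand-in for an apt step: the primary path is "down",
# so it succeeds only once the fallback mirror is active.
fake_apt() {
    CALLS=$((CALLS + 1))
    [ "$ACTIVE_MIRROR" = "$FALLBACK_MIRROR" ]
}
```
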
Why: The Alpine dev image build script should show the exact image tag
to push after a successful local build.
Impact: `packaging/docker/dev_env/alpine/build.sh` now prints a push
command after the image build completes.
Before/After: Before, the script stopped after `docker build`; after, it
prints the matching `docker push` target for the Alpine image.
Technical Overview:
Keep the Alpine container build flow unchanged.
Add a short post-build message that matches the container tag used by the
script.
Make the push target explicit so local image publication is unambiguous.
With the help of AI-Agents: Codex
Why: Add Alpine coverage for the compile workflow and container.
Impact: run_checks now exercises an Alpine dev image in the compile matrix.
Before/After: Before, Alpine builds were not checked; after, the
compile job runs inside the Alpine dev container.
Technical Overview:
Update `.github/workflows/run_checks.yml` to add an Alpine matrix entry
and watch the Alpine dev container tree.
Refresh `packaging/docker/dev_env/alpine/Dockerfile` and
`setup-system.sh` for the current build image and package set.
Keep the Alpine dev container working from `/rsyslog` so the existing
devcontainer scripts can run the configure/build path unchanged.
Align the Alpine configure options with the packages available in the
container and keep the setup helper in sync.
With the help of AI-Agents: Codex
Summary
Ensures Docker images include timezone data for correct timestamp
handling in containerized environments. This improves reliability
and avoids subtle issues with missing timezone info in logs.
Impact: Containers now have timezone data available; image size
increases slightly.
Before: minimal and standard images installed rsyslog packages
without tzdata, which could lead to missing timezone information
at runtime.
After: tzdata is installed alongside rsyslog packages in both
images, ensuring consistent timezone support.
References
Refs: #6623
Why:
Enable automated Ubuntu package builds in CI and allow running the
same pipeline locally for testing and package building.
Impact:
New package_build_ubuntu job runs after compile. Local script
mirrors CI for validation and .deb builds.
Before:
No Ubuntu package CI. Local builds failed with dpkg-deb 777,
debian/clean executable, pip PEP 668, qpid-proton corruption,
DEB_BUILD_OPTIONS quoting, lintian abort.
After:
CI builds .deb for focal/jammy/noble. Local script runs same steps.
Builds succeed via build in /tmp, debhelper chmod fixes,
qpid-proton re-fetch, CRLF normalization, pip --break-system-packages,
unquoted DEB_BUILD_OPTIONS, lintian non-fatal.
Technical overview:
- Add package_build_ubuntu job to run_checks.yml (matrix focal/jammy/noble)
- Add devtools/run-deb-ubuntu-build.sh to run CI pipeline locally
- Add packaging/ubuntu/build-ubuntu.sh and config.sh
- Add Debian packaging for focal/jammy/noble
- Build binary in container /tmp to avoid bind-mount permission issues
- Fix debhelper config modes (clean, not-installed, .install) in container
- Normalize CRLF in debian/ before dpkg-source -b
- Re-fetch qpid-proton in container to avoid host tarball corruption
- Fix DEB_BUILD_OPTIONS export in jammy/focal rules (no quotes)
- Add pip --break-system-packages for noble (PEP 668)
- Make lintian non-fatal (|| true)
- Switch doc vendor JS to non-minified for file:// compatibility
- Update .gitignore for Ubuntu build artifacts
Closes: https://github.com/rsyslog/rsyslog/issues/6585