Disable use of "@SECLEVEL" in default cipher string and
avoid SSL_CONF_CTX_set_flags() API when LIBRESSL is used.
This means tlscommands will not work.
closes: https://github.com/rsyslog/rsyslog/issues/4210
Instead of hardcoded SHA-256 KSI_getHashAlgorithmByName("default")
is used to get default hash function.
Function rsksiSetHashFunction and SetCnfParam updated.
In async. mode all pending signature requests are closed immediately and
unsigned block marker is attached with message about sudden closure.
Similar approach is used for blocks that already contain some records.
Empty blocks are just closed without any metadata.
We have some false positives with imfile checks and this commit
both improves the testbench framework slightly and adds debug
info.
The debug info should be remove when we finally find the cause
of the issue, but it does not hurt if it stays for a quite a
while. Thus we can analyze the false positives over an extended
period of time - what is what it looks like we need to do to
find the root cause.
fix the following compiler errors with 4.19 kernel:
imudp.c:1216:2: error: implicit declaration of function 'prctl'
[-Werror=implicit-function-declaration]
if(prctl(PR_SET_NAME, thrdName, 0, 0, 0) != 0) {
^
Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
In theory, rsyslog should call parsers on the queue worker threads whenever
possible. This enables the parsers to be executed in parallel. There are
some cases where parsers needs to be called earlier, namely when parsed
data is needed for rate-limiting.
The logic to do this previously did not work correctly and was fixed six
years ago (!) by b51dd22. Unfortunately, b51dd22 was overly agressive:
it actually makes the early parser call now mandatory, effectively moving
parsing to the input side where there is no to little concurrency.
We still do not need to call the parser when all messages, regardless of
severity, need to be rate-limited. This is the default and very frequent
case. This patch introduces support for this and as such makes parsers
able to run in parallel in the frequent case again.
closes https://github.com/rsyslog/rsyslog/issues/4187
- topic check was done on wrong (hardcoded topic)
- rsyslog_out_log was overwritten by kafkacat check which caused the
seq_check to fail at the end.
closes: https://github.com/rsyslog/rsyslog/issues/4134
This parameter controls whether or not rsyslog aborts when a name ID
lookup fails (for user and group names). This is necessary as a security
measure, as otherwise the wrong permissions can be assigned or privileges
are not dropped.
CHANGE OF BEHAVIOR
The default for this parameter is "on". In previous versions, the default
was "off" (by virtue) of this parameter not existing. As such, existing
configurations may now error out.
We have decided to accept this change of behavior because of the potential
security implications.
closes https://github.com/rsyslog/rsyslog/issues/4164
We use the test_id to generate unique files during parallel
runs. So far we used a combination of ms-based timestamp and
hash of test name. Practice shows that under some circumstances
the generated ids are not unique and thus test get file conflicts
and false positives.
This is now changed so that the test_id we add 4 bytes of random
data to the test ID. This is hopefully sufficient to make the IDs
of test runing in parallel unique.
The timeout feature was soley based on timeouts of the poll()
system call. On a very busy system, this would probably happen
very seldomly. Moreover, the timeout could occur later than
expected on any system with high load.
The issue was not reported from practice but discovered during
CI system improvements.
Add MaxBytesPerMinute and MaxLinesPerMinute options.
These take integer values and, respectively, limit the number
of bytes or lines that may be sent in a minute.
This can be used to put a limit on the count or volume of logs
that may be sent for an imfile.
This was accidentally set to "no". Test for imfile should by
default run when imfile is enabled.
We also temporarily disable the failing tests - this makes
it posible to run the remaining tests during CI and prevent
future errors. That is better than nothing. Tests are to be
re-enabled when the imfile bug mentioned below is fixed.
see also https://github.com/rsyslog/rsyslog/issues/4120
Signed-off-by: Rainer Gerhards <rgerhards@adiscon.com>
