20951 Commits

Author SHA1 Message Date
Rainer Gerhards
f105369e4a tests: rework inactive coverage set
Re-enable low-risk inactive tests that still add CI coverage, and remove obsolete inactive tests plus dead cert-chain fixtures.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-31 11:41:38 +02:00
Rainer Gerhards
295144351a parser: fix NetAddr cleanup on mask parse errors 2026-05-31 07:58:21 +02:00
Rainer Gerhards
2482da351f
Merge pull request #7130 from rgerhards/codex/i2965-lost-messages
doc: clarify queue crash durability limits
2026-05-31 07:31:12 +02:00
Rainer Gerhards
7421f4c028 doc: clarify queue crash durability limits
Why: issue 2965 shows that disk-assisted queues and
saveOnShutdown could be read as crash-loss guarantees,
especially for OOM or power-loss cases.

Impact: Documentation now distinguishes graceful shutdown
persistence from crash durability for disk-assisted queues.

Before/After: Queue docs implied broad reliability; they now
call out when pure disk queues and sync settings are needed.

Technical Overview:

Clarify that disk queue durability depends on checkpoint and fsync
tuning.

Document that saveOnShutdown only runs during orderly shutdown.

Explain that disk-assisted queues can still hold messages in memory.

Point reliability-focused forwarding users at pure disk queues plus
durability-oriented settings when crash resistance is required.

refs https://github.com/rsyslog/rsyslog/issues/2965

With the help of AI-Agents: codex
2026-05-30 23:53:53 +02:00
Rainer Gerhards
87c1977cd5
Merge pull request #7126 from rsyslog/codex/format-check-validation
devtools: add read-only C format check
2026-05-30 10:54:02 +02:00
Rainer Gerhards
1e3bef2f5b
devtools: add read-only C format check
Why:
Agents often skip the mutating format step because it is not part of the
regular deterministic local validation path. That lets formatting issues
escape to review even when the local check helper is otherwise used.

Impact:
Changed C and header files are now checked by the local validation helper
without rewriting files. Missing clang-format remains a warning, not a local
workflow blocker.

Before/After:
Before, the local helper called the mutating formatter. After, it runs a
clang-format dry-run check and keeps explicit formatting as a separate action.

Technical Overview:
Add --check and --check-if-available modes to devtools/format-code.sh.
Use clang-format's dry-run and Werror mode for read-only validation.
Extend the changed C/H file helper to include committed branch changes,
staged and unstaged edits, and untracked C/H files.
Pass the validation planner base ref into the format helper so both scripts
classify the same delta.
Document the workflow in AGENTS.md and the local validation/commit skills.

Validation:
- shellcheck devtools/format-code.sh devtools/list-git-changed-c-h-files.sh devtools/local-validation-plan.sh
- checkbashisms -p devtools/local-validation-plan.sh
- bash -n devtools/format-code.sh devtools/list-git-changed-c-h-files.sh
- sh -n devtools/local-validation-plan.sh
- devtools/local-validation-plan.sh --run
- devtools/format-code.sh --git-changed --check --check-if-available
- untracked C probe with devtools/list-git-changed-c-h-files.sh
- untracked C probe with devtools/format-code.sh --git-changed --check --check-if-available
- cubic review --print-logs --base origin/main

With the help of AI-Agents: OpenAI Codex
2026-05-30 10:50:12 +02:00
Rainer Gerhards
8feb4dd635
Merge pull request #7125 from rsyslog/codex/fedora-44-ci
ci: update Fedora coverage
2026-05-30 08:52:48 +02:00
Rainer Gerhards
035ddaae9c
ci: simplify Fedora 44 container script
Why:
The Fedora 44 container build helper kept a redundant post-run status
check even though the script already exits on command failure.

Impact:
No behavior change; the helper still prints the push command only after a
successful container smoke test.

Before/After:
Before, the script carried a shellcheck suppression for an unreachable
failure branch. After, normal set -e flow controls the success path.

Technical Overview:
Remove the explicit `$?` check after the `docker run` smoke test.
Keep the READY TO PUSH output directly after the smoke test command.
This matches the existing `set -e` contract and avoids unnecessary local
lint suppression in the new Fedora 44 helper.

Validation:
- shellcheck packaging/docker/dev_env/fedora/base/44/build.sh

With the help of AI-Agents: OpenAI Codex
2026-05-30 08:34:30 +02:00
Rainer Gerhards
4449135796
ci: update Fedora coverage
Why: Fedora 44 is now the useful fast feedback target for pull
requests, while Fedora 43 remains the supported compatibility check for
daily coverage.

Impact: PR CI now uses Fedora 44 and daily distro CI uses Fedora 43.
The obsolete Fedora 42 dev-container definition is removed.

Before/After: PR CI used Fedora 43 and daily CI used Fedora 42; now PR
CI uses Fedora 44 and daily CI keeps Fedora 43 coverage.

Technical Overview:
- Add a Fedora 44 dev-container definition.
- Adjust the Fedora 44 image for Java 25 package names.
- Pass the CMake compatibility policy needed by libfaup under Fedora 44.
- Point the regular run_checks Fedora lane at the Fedora 44 image.
- Move the daily distro Fedora lane from Fedora 42 to Fedora 43.
- Remove the Fedora 42 dev-container definition from git.

Validation:
- Built rsyslog/rsyslog_dev_base_fedora:44 locally.
- Ran the container build script smoke test successfully.
- Ran a full Fedora 44 all-module build with make -j80 successfully.
- actionlint .github/workflows/run_checks.yml .github/workflows/run_distro_daily.yml
- shellcheck packaging/docker/dev_env/fedora/base/44/build.sh packaging/docker/dev_env/fedora/base/44/tag-previous.sh

With the help of AI-Agents: Codex
2026-05-30 08:09:32 +02:00
Rainer Gerhards
8c240d7198
Merge pull request #7121 from rgerhards/codex/ghsa-prompt-guardrails
docs: strengthen GHSA prompt guardrails
2026-05-29 17:36:07 +02:00
Rainer Gerhards
1dc6afaf90
Update doc/security/ghsa-coordination-review-template.md
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-05-29 17:34:58 +02:00
Rainer Gerhards
37013959c3
Update doc/security/ghsa-coordination-review-template.md
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
2026-05-29 17:34:36 +02:00
Rainer Gerhards
e21e2c2351
Merge pull request #7102 from rgerhards/codex/i4024-mmdblookup-open-failure
mmdblookup: avoid shutdown crash after open failure
2026-05-29 17:33:19 +02:00
Rainer Gerhards
ce736c8352
Merge pull request #7107 from rgerhards/codex/i3311-template-null
template: guard NULL property rendering
2026-05-29 17:30:19 +02:00
Rainer Gerhards
0a6d64bc0b
Merge pull request #7113 from rsyslog/codex/fix-tls-send-want_read-busy-loop-bug
tls: propagate send-side receive retry
2026-05-29 17:28:58 +02:00
Rainer Gerhards
1ddcdca7d5
Merge pull request #7120 from rsyslog/ai-findings-autofix/tests-mmexternal-response-too-long.sh
Potential fixes for 2 code quality findings
2026-05-29 17:26:38 +02:00
Rainer Gerhards
623ef27a7e omfwd: schedule retry for deferred TCP flush 2026-05-29 16:17:21 +02:00
Rainer Gerhards
f2906a032d docs: strengthen GHSA prompt guardrails 2026-05-29 16:15:31 +02:00
Rainer Gerhards
13125b2e3f
Apply suggested fix to tests/mmexternal-response-too-long.sh from Copilot Autofix
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
2026-05-29 16:01:09 +02:00
Rainer Gerhards
beaeb08105
Apply suggested fix to tests/mmexternal-response-too-long.sh from Copilot Autofix
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
2026-05-29 16:01:08 +02:00
Rainer Gerhards
591e147fae
Merge pull request #7118 from rgerhards/codex/mmexternal-too-long-sync
tests: synchronize mmexternal too-long recovery
2026-05-29 15:58:54 +02:00
Rainer Gerhards
2933b87565 tls: keep wolfSSL send-side retry local 2026-05-29 15:39:36 +02:00
Rainer Gerhards
34a496b39f
Merge pull request #7108 from rgerhards/codex/i4724-imrelp-tls
tests: cover imrelp TLS random disconnects
2026-05-29 15:12:27 +02:00
Rainer Gerhards
c85d953aa9
Merge pull request #7106 from rgerhards/codex/i4941-imuxsock-nul
imuxsock: handle embedded NUL datagrams safely
2026-05-29 15:11:36 +02:00
Rainer Gerhards
a326eb7670
tests: synchronize mmexternal too-long recovery
Why:
The Solaris Buildbot exposed that this regression test could inject the
recovery message before the helper had actually produced the oversized
first response and entered the restart path. The short downstream output
wait then measured scheduler timing rather than the mmexternal invariant.

Impact:
The test keeps the same product behavior oracle but removes a slow-runner
race from the setup sequence.

Before/After:
Before, the test used a fixed five-second output wait; after, it waits for
helper side-file milestones and then checks the downstream output.

Technical Overview:
The helper already records side-file milestones for the oversized reply,
helper starts, and recovery message handling. The test now injects the
second message only after the oversized first reply has been observed, then
waits for the recovery milestone before checking the downstream file. This
preserves the original assertions: the helper emits an oversized reply,
rsyslog restarts it, both messages continue to omfile, and exactly one
recovery happens in a later helper instance.

Evidence:
Buildbot failure analyzed at:
https://build.rsyslog.com/#/builders/77/builds/7132

With the help of AI-Agents: Codex
2026-05-29 15:09:39 +02:00
Rainer Gerhards
a295492304 omfwd: preserve connection on retryable TLS sends 2026-05-29 14:49:30 +02:00
Rainer Gerhards
d05585d712
Merge pull request #7114 from rsyslog/codex/fix-imudp-listenportfilename-vulnerability
imudp: harden listenPortFileName writes
2026-05-29 14:32:58 +02:00
Rainer Gerhards
446437b690
Merge pull request #7117 from rsyslog/codex/propose-fix-for-regex-trailing-extra-data-bug
mmsnareparse: preserve regex end-anchor semantics
2026-05-29 14:29:40 +02:00
Rainer Gerhards
98e5b137f5
Merge pull request #7115 from rgerhards/ai-configure-compile-warnings
ci: enforce compile warning configure option
2026-05-29 14:27:32 +02:00
Rainer Gerhards
c29e4e0f55 tls: preserve send-side receive retry state 2026-05-29 14:26:59 +02:00
Rainer Gerhards
cf64962936
ci: enforce compile warnings configure option
Why:

CI requested --enable-compile-warnings=error, but some lanes used a singular configure spelling that was never accepted by configure, and some bootstrap or package-build paths lacked the Autoconf Archive macros needed by AX_COMPILER_FLAGS. The singular typo was masked because git-tree builds already default to warning level error. Dev-container definitions also had no PR gate that validates changed container build inputs.

Impact:

Fixes CI warning-policy plumbing, package-build macro dependencies, warnings exposed by that policy across Linux and macOS builds, and a branch-protection-friendly dev-container definition build gate.

Before/After:

Before, missing macros or stale configure flags could make -Werror ineffective or leave literal AX_* macro calls in regenerated configure scripts, and container definition changes were not validated by PR CI. After, required macros are installed or declared in bootstrap and package environments, stale internal configure flags are corrected to the supported spelling, changed dev-container Dockerfiles are built by the check workflow, and runtime sources compile cleanly under the restored warning-as-error policy.

Technical Overview:

Require AX_IS_RELEASE and AX_COMPILER_FLAGS when building with a GCC-like compiler instead of silently falling back to weaker warning flags. Add an m4_pattern_forbid guard so missing AX_* macro expansion is reported during bootstrap instead of later as a confusing configure shell syntax error.

Keep the Autoconf Archive option surface unchanged: the supported option is --enable-compile-warnings. The singular --enable-compile-warning spelling was introduced in an internal dev-container definition in 2019, is reported as unrecognized on older release labels such as v8.2504.0, and is corrected here rather than promoted into a new rsyslog alias.

Install or declare autoconf-archive in direct GitHub-hosted bootstrap paths, Debian/RPM package build metadata that reruns autoreconf, and the cross-arch helper image. Update stale internal dev-container configure defaults to use --enable-compile-warnings=error.

Add a dev container definition CI job to run_checks.yml. It uses changed-files to detect devtools/ci and packaging/docker/dev_env container-definition changes, builds only the affected Dockerfiles, handles shared dev_env/common context users, and exits successfully with a skip message when no concrete container build is relevant.

Mark recovered-queue-size and non-Linux network namespace helpers as intentionally unused where their feature-specific code paths are not compiled. Keep inotify and epoll bookkeeping scoped to the feature guards that consume it, avoid deprecated raw syscall use for macOS thread-id debug output, and make the JSON escape cleanup path explicit for 32-bit compiler analysis.

With the help of AI-Agents: OpenAI Codex
2026-05-29 13:38:40 +02:00
Rainer Gerhards
64fa239c71 tls: preserve send retry without reconnect 2026-05-29 13:24:17 +02:00
Rainer Gerhards
0b2d239a03 tls: keep send-side read retries local 2026-05-29 12:16:02 +02:00
Rainer Gerhards
b495454435 imudp: validate listen port formatting 2026-05-29 11:20:05 +02:00
Rainer Gerhards
495c9b48b4 tests: tighten mmsnareparse regex anchor check 2026-05-29 11:20:05 +02:00
Rainer Gerhards
6c6b3ad92e
Merge pull request #7109 from rgerhards/codex/i6663-omfwd-rebind-leak
omfwd: avoid tcpclt leak on rebind
2026-05-29 10:45:08 +02:00
Rainer Gerhards
7d06d8900b
Merge pull request #7105 from rgerhards/codex/i6308-omfwd-lb-flake
tests: retry omfwd one-target flake wrappers
2026-05-29 10:43:15 +02:00
Rainer Gerhards
bd71ea0083 mmsnareparse: preserve regex end-anchor semantics
Why: Regex trailing extra-data detection must not let a bounded search
window change the meaning of end-anchored patterns.

Impact: Prevents false trailing-token removal for regex patterns that
match only a truncated prefix.

Before/After: Before, '$' could match an artificial NUL at the search
limit; after, it only matches a real token end.

Technical Overview: When the regex input is temporarily NUL-terminated
at the configured search limit, pass REG_NOTEOL to regexec(). This keeps
the bounded input optimization and the start-anchored behavior, but
prevents '$' from matching the artificial boundary. Add a regression test
with an end-anchored numeric pattern and a longer alphanumeric final
token to prove the token remains parsed data instead of extradata.

With the help of AI-Agents: GPT-5.3-Codex
2026-05-29 10:19:15 +02:00
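
The end-anchor problem this commit message describes can be reproduced with plain POSIX `regexec()`. This is an added C example, not mmsnareparse code: `match_bounded` and `check` are hypothetical names, the token and search limit are constructed, and setting `REG_NOTEOL` only when the input was actually cut is an assumption of this example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the module's function): match `pattern` against
 * at most `limit` bytes of `text` by temporarily NUL-terminating it in place.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int match_bounded(const char *pattern, char *text, size_t limit, int guard_eol) {
    regex_t re;
    int truncated = limit < strlen(text);
    char saved = '\0';
    int eflags = 0;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    if (truncated) {
        saved = text[limit];
        text[limit] = '\0'; /* artificial end of input */
        /* Tell regexec() that this end is not a real end of line, so '$'
         * cannot match at the cut. */
        if (guard_eol) eflags |= REG_NOTEOL;
    }
    int rc = regexec(&re, text, 0, NULL, eflags);
    if (truncated) text[limit] = saved; /* restore the caller's buffer */
    regfree(&re);
    return rc == 0;
}

/* Convenience wrapper so callers can pass string literals. */
int check(const char *pattern, const char *token, size_t limit, int guard_eol) {
    char buf[64];
    snprintf(buf, sizeof buf, "%s", token);
    return match_bounded(pattern, buf, limit, guard_eol);
}

int main(void) {
    /* Constructed input: numeric end-anchored pattern, longer alphanumeric token. */
    printf("unguarded, cut at 5: %d\n", check("^[0-9]+$", "12345abc", 5, 0));
    printf("guarded, cut at 5:   %d\n", check("^[0-9]+$", "12345abc", 5, 1));
    printf("guarded, not cut:    %d\n", check("^[0-9]+$", "12345", 32, 1));
    printf("guarded, start only: %d\n", check("^[0-9]+", "12345abc", 5, 1));
    return 0;
}
```
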
Rainer Gerhards
b3e47281b2 imudp: harden listen port file writes
Why:
Operators may configure imudp to publish its bound UDP port before
privilege drop. The handoff file must not let a local user abuse
symlinks or special files in attacker-writable directories.

Impact:
Symlink, FIFO, and other special-file handoff paths now fail startup.

Before/After:
imudp used fopen("w"); now it opens and validates regular files.

Technical Overview:
Replace stdio truncation with open(2) using O_NOFOLLOW, O_CLOEXEC,
O_NONBLOCK, and owner-only creation mode.
Inspect the configured path before opening so existing non-regular
files are rejected without blocking on FIFOs.
Validate the opened descriptor with fstat before writing so races and
device files do not become handoff targets.
Write the port through a retrying write loop and preserve close-error
propagation.
Add a regression test that configures listenPortFileName as a symlink
and verifies the target content remains unchanged.
Update the documentation example to use /run/rsyslog and warn against
untrusted writable directories.

With the help of AI-Agents: Codex
2026-05-29 09:54:03 +02:00
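
The open-and-validate sequence this commit message describes, as an added C example that is not rsyslog's code: `write_port_file` and `demo` are hypothetical names, the temp-directory scenarios are constructed, and deferring truncation until after the `fstat` check is an assumption of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the whole buffer, retrying on EINTR and short writes. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Hypothetical helper: publish `port` in `path`. Returns 0 on success, -1 otherwise. */
int write_port_file(const char *path, unsigned port) {
    struct stat st;
    char buf[16];
    int rc = -1;
    /* Pre-check: refuse an existing symlink, FIFO or device without opening it. */
    if (lstat(path, &st) == 0) { if (!S_ISREG(st.st_mode)) return -1; }
    else if (errno != ENOENT) return -1;
    /* O_NOFOLLOW refuses a symlink planted after the lstat, O_NONBLOCK keeps a
     * late-swapped FIFO from blocking, and 0600 makes a new file owner-only. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK, 0600);
    if (fd < 0) return -1;
    /* Post-check the descriptor itself, then truncate only a verified regular file. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && ftruncate(fd, 0) == 0) {
        int len = snprintf(buf, sizeof buf, "%u\n", port);
        rc = write_all(fd, buf, (size_t)len);
    }
    if (close(fd) != 0) rc = -1; /* a failed close counts as a failed write */
    return rc;
}

/* Constructed scenarios in a fresh temp dir: kind 0 = new regular file,
 * 1 = symlink to an existing file, 2 = FIFO. Returns 1 on the expected
 * outcome: written, or refused with the existing file left untouched. */
int demo(int kind) {
    char dir[] = "/tmp/portfile-XXXXXX", target[64], path[64], got[16] = {0};
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(path, sizeof path, "%s/port", dir);
    FILE *f = fopen(target, "w");
    if (f == NULL || fputs("keep", f) < 0 || fclose(f) != 0) return -1;
    if (kind == 1 && symlink(target, path) != 0) return -1;
    if (kind == 2 && mkfifo(path, 0600) != 0) return -1;
    int rc = write_port_file(path, 514);
    f = fopen(kind == 0 ? path : target, "r");
    if (f == NULL || fgets(got, sizeof got, f) == NULL) return -1;
    fclose(f);
    return kind == 0 ? (rc == 0 && strcmp(got, "514\n") == 0)
                     : (rc == -1 && strcmp(got, "keep") == 0);
}

int main(void) { return (demo(0) == 1 && demo(1) == 1 && demo(2) == 1) ? 0 : 1; }
```
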
Rainer Gerhards
d525958533 tls: propagate send-side receive retry
Why: avoid worker CPU spin when TLS send progress needs peer input.

Impact: nonblocking TLS send now re-arms I/O readiness instead of looping.

Before/After: send-side WANT_READ retried immediately; now it returns retry.

Technical Overview:

OpenSSL and GnuTLS send paths may need a receive operation to process TLS control traffic before a write can continue. The receive helpers already return RS_RET_RETRY for nonblocking not-ready states and set internal retry state. After clearing that temporary receive retry state, Send() must still return RS_RET_RETRY to its caller so the event loop can wait for socket readiness. Restore that propagation in both TLS backends while keeping buffered application-data handling unchanged.

With the help of AI-Agents: GPT-5.3-Codex
2026-05-29 08:20:57 +02:00
Rainer Gerhards
2817c88815
Merge pull request #7110 from rgerhards/codex/i4945-imjournal-future-warning
imjournal: warn when newest entry is in the future
2026-05-29 08:01:27 +02:00
Rainer Gerhards
75423a0b3b imjournal: handle clock jumps in future probe 2026-05-29 02:25:23 +02:00
Rainer Gerhards
676f485a6c imjournal: warn when newest entry is in the future
When sd_journal_next() reports no entries, probe the journal tail with a separate handle and emit a rate-limited warning if the newest journal entry is ahead of current wall clock time. This gives operators a concrete diagnostic for post-crash/time-jump stalls without disturbing the main journal cursor.

closes https://github.com/rsyslog/rsyslog/issues/4945
2026-05-29 02:02:16 +02:00
Rainer Gerhards
1d2c6a49b5 omfwd: avoid tcpclt leak on rebind
Rebind teardown already drops the target transport state and lets poolTryResume() establish the next connection. Re-running initTCP() during each rebind overwrote the worker tcpclt pointers, leaking the old objects on every interval.

Keep the per-worker tcpclt objects for the worker lifetime and add a Valgrind regression that drives repeated TCP rebinds.

closes https://github.com/rsyslog/rsyslog/issues/6663
2026-05-29 00:52:15 +02:00
Rainer Gerhards
82e991219c tests: cover imrelp TLS random disconnects 2026-05-28 23:32:11 +02:00
Rainer Gerhards
0bf116858f template: guard NULL property rendering
Harden list-template rendering against unexpected NULL property values before copying into the action parameter buffer.

Add a regression test for issue #3311's queued list template with missing JSON fields so action workers render empty values instead of crashing.
2026-05-28 23:17:54 +02:00
Rainer Gerhards
d2fcc3dd9f imuxsock: handle embedded NUL datagrams safely
When imuxsock sanitized a raw message containing an embedded NUL, tag parsing continued to walk the original receive buffer while using the sanitized length. That could read beyond initialized datagram bytes and was reported by Valgrind in issue #4941.

Rebase parsing onto the sanitized raw message buffer, initialize the reserved listener slot used during cleanup, and add focused normal plus Valgrind regression coverage for embedded-NUL Unix datagrams.
2026-05-28 20:42:50 +02:00
Rainer Gerhards
e6d3a35736 tests: make omfwd retry wrappers vpath-safe
Why: The retry wrappers execute shared skeletons as child scripts, so VPATH builds need the source directory available in that child environment.

Impact: The wrappers no longer depend on skeleton executable bits and preserve the Bash testbench environment.

Before/After: Before, child skeletons could lose srcdir; after, srcdir is exported and skeletons run explicitly with bash.

Technical Overview: Export the resolved srcdir value before computing the skeleton path.

Technical Overview: Invoke the Bash skeletons with bash instead of direct execution.

Technical Overview: Keep the retry loop and fail-marker suppression behavior unchanged.

Refs: https://github.com/rsyslog/rsyslog/issues/6308

With the help of AI-Agents: Codex
2026-05-28 19:20:00 +02:00
Rainer Gerhards
926a59498a tests: retry omfwd one-target flake wrappers
Why: CI occasionally trips over a known TCP timing race in the omfwd one-target retry variants, especially on constrained workers.

Impact: The 1-byte-buffer wrappers now get the same bounded retry tolerance as the full-buffer wrapper.

Before/After: Before, two wrappers failed the suite on one unlucky reconnect window; after, they retry once and still fail if the scenario remains broken.

Technical Overview: Keep the existing skeletons as the single source of test behavior.

Technical Overview: Execute each 1-byte-buffer wrapper through a two-attempt loop.

Technical Overview: Suppress the fail marker only on the first attempt so final failure reporting remains intact.

Technical Overview: Preserve the forced target-failure and normal one-target scenarios unchanged.

Technical Overview: Document the retry as a flake mitigation, not a semantic oracle change.

Refs: https://github.com/rsyslog/rsyslog/issues/6308

With the help of AI-Agents: Codex
2026-05-28 19:07:00 +02:00
Rainer Gerhards
993068f961
Merge pull request #7100 from rsyslog/codex/propose-fix-for-double-free-vulnerability
mmjsontransform: fix dotted conflict ownership
2026-05-28 18:38:02 +02:00