puppet-rsyslog
puppet-rsyslog copied to clipboard
saz
Some parameters are not compatible with RHEL6
Hi,
I have found that following parameters are causing a troubles with rsyslog-5.8.10-10.el6_6.x86_64 :
$imjournalRatelimitInterval $imjournalRatelimitBurst
Those parameters are specified inside of templates/rsyslog.conf.erb:
<% if scope.lookupvar('rsyslog::im_journal_ratelimit_interval') and scope.lookupvar('rsyslog::im_journal_ratelimit_interval') != :undef -%> $imjournalRatelimitInterval <%=scope.lookupvar('rsyslog::im_journal_ratelimit_interval') %> <% end -%> <% if scope.lookupvar('rsyslog::im_journal_ratelimit_burst') and scope.lookupvar('rsyslog::im_journal_ratelimit_burst') != :undef -%> $imjournalRatelimitBurst <%=scope.lookupvar('rsyslog::im_journal_ratelimit_burst') %> <% end -%>
This module should protect user from putting an invalid options and impacting the rsyslog service. It is not the cleanest idea to accomplish this due to defining undef in params.pp. This undef can be overloaded and cause impact. User should be protected by extra condition that will protect RHEL6 rsyslog config from containing those parameters no matter if variable is undef or not
Kind Regards, Bart
That looks like a job for validate calls. There seems to be no validation in this module. Would you be able to create a PR, or at least what kind of data is expected there? Integer only?
Hi,
For RHEL6 we have rsyslog-5.8.10 but in RHEL7 ... rsyslog-7.4.7-. Somewhere in between imjournal module was added. I believe that depending on a rsyslog version those two parameters should not appear in a config file. This will apply not only for RHEL but also for other distros and OSes.
Above this version both parameters are optional and should be validated as integers >0 but i have not yet seen any documentation that confirms that for good.
I use this module with RHEL6 servers without problem. What you mean is that if someone sets a value to either $imjournalRatelimitInterval or $imjournalRatelimitBurst, rsyslog will not start, right?
There is two things to blame in my environment:
- hiera configuration
Efficiently i am stacking two files: Rhel6/common.yaml (i can define everyting here) common.yaml (i am not permitted to touch this one in our deployment)
The clue is that common.yaml contains definitions that are siuted for RHEL7. $imjournalRatelimitInterval someint $imjournalRatelimitBurst someint
So for RHEL6 i have do undefine the default hiera. Please correct me if i am wrong but this simply can't be done.
- unfortunate conditionals inside of rsyslog.conf.erb
Since I cannot touch default hiera and cannot undefine options that was once defined (look for paragraph 1) i have no other way than editing the template.
No matter what hiera architecture i am forced to use - for RHEL6 rsyslog following parameters are invalid (and erb have to be set in a correct way to keep them out): $imjournalRatelimitInterval someint $imjournalRatelimitBurst someint
... And also following should be off: # Comment form RHEL7 rsyslog.conf # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. $OmitLocalLogging off
My opinion is that module by default should prevent using invalid parameters and causing a service impact. Please let me know Your opinion since we may consider mitigation by implementing #266 as well.
Regards
According the the puppet 4 documentation (https://puppet.com/docs/puppet/4.10/lang_template_erb.html#scopevariable-or-scopelookupvarvariable) you should use nil to check for undef, not :undef. This module works fine on RHEL7 but for RHEL6 is adds the following section with blank values:
$imjournalStateFile
$imjournalIgnorePreviousMessages
$imjournalRatelimitInterval
$imjournalRatelimitBurst
If I change the code in rsyslog.conf.erb so it tests for nil instead of :undef, the imjournallines don't get added to the config file as expected. So for this module to work correctly (for me anyway) the :undef tests need to change to nil in the templates. So this section:
# Settings for imjournal (If supported)
<% if scope.lookupvar('rsyslog::im_journal_statefile') != :undef -%>
$imjournalStateFile <%=scope.lookupvar('rsyslog::im_journal_statefile') %>
<% end -%>
<% if scope.lookupvar('rsyslog::im_journal_ignore_previous_messages') != :undef -%>
$imjournalIgnorePreviousMessages <%=scope.lookupvar('rsyslog::im_journal_ignore_previous_messages') %>
<% end -%>
<% if scope.lookupvar('rsyslog::im_journal_ratelimit_interval') != :undef -%>
$imjournalRatelimitInterval <%=scope.lookupvar('rsyslog::im_journal_ratelimit_interval') %>
<% end -%>
<% if scope.lookupvar('rsyslog::im_journal_ratelimit_burst') != :undef -%>
$imjournalRatelimitBurst <%=scope.lookupvar('rsyslog::im_journal_ratelimit_burst') %>
<% end -%>
Needs to change to:
# Settings for imjournal (If supported)
<% if scope.lookupvar('rsyslog::im_journal_statefile') != nil -%>
$imjournalStateFile <%=scope.lookupvar('rsyslog::im_journal_statefile') %>
<% end -%>
<% if scope.lookupvar('rsyslog::im_journal_ignore_previous_messages') != nil -%>
$imjournalIgnorePreviousMessages <%=scope.lookupvar('rsyslog::im_journal_ignore_previous_messages') %>
<% end -%>
<% if scope.lookupvar('rsyslog::im_journal_ratelimit_interval') != nil -%>
$imjournalRatelimitInterval <%=scope.lookupvar('rsyslog::im_journal_ratelimit_interval') %>
<% end -%>
<% if scope.lookupvar('rsyslog::im_journal_ratelimit_burst') != nil -%>
$imjournalRatelimitBurst <%=scope.lookupvar('rsyslog::im_journal_ratelimit_burst') %>
<% end -%>
@bojleros - you can undefine a previously set value in hiera using the ~ (tilda) character.
ie: rsyslog::im_journal_ratelimit_interval: ~ at a higher level in the hierarchy will undefine the value.
