
Ubuntu Noble ships with an enforcing rsyslogd apparmor profile. This profile prevents our haproxy container from opening the syslog socket we bind mount into the container. I discussed this in #ubuntu-security which resulted in this issue: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/2098148 which includes many details on what is going on.

This change implements the suggested workaround for our haproxy nodes. I believe this is the only place we are currently attempting to directly access rsyslog sockets from within containers.

The tl;dr on the fix is that we have to tell rsyslogd to attach disconnected connections as the container runs in a different filesystem namespace which disconnects the paths for the socket. Unfortunately sarnold indicates that we have to edit the primary profile configuration file as this flag applies to the top level of the profile. We cannot use one of the files this profile #includes.

Change-Id: I4e09211a1bdc4dfbf3012a66e79c181c6fb957a4
42 lines
1.4 KiB
Python
# Copyright 2018 Red Hat, Inc.
# Copyright 2022 Acme Gating, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import json


testinfra_hosts = ['zuul-lb02.opendev.org']


def test_zuul_listening(host):
    zuul_https = host.socket("tcp://0.0.0.0:443")
    assert zuul_https.is_listening
    zuul_http = host.socket("tcp://0.0.0.0:80")
    assert zuul_http.is_listening
    zuul_finger = host.socket("tcp://0.0.0.0:79")
    assert zuul_finger.is_listening


def test_haproxy_statsd_running(host):
    cmd = host.run("docker inspect haproxy-docker-haproxy-statsd-1")
    out = json.loads(cmd.stdout)
    assert out[0]["State"]["Status"] == "running"
    assert out[0]["RestartCount"] == 0


def test_haproxy_logging(host):
    # rsyslog is configured to add a unix socket at this path
    assert host.file('/var/lib/haproxy/dev/log').is_socket
    # Haproxy logs to syslog via the above socket which produces
    # this logfile
    assert host.file('/var/log/haproxy.log').is_file
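
An added example, not part of this change or of the repository's own tests: a check that the rsyslogd profile header itself carries the `attach_disconnected` flag the commit message describes, since the flag only takes effect at the top level of the profile. The sample profile text, the `/usr/sbin/rsyslogd` attachment path and the function names are assumptions made for illustration.

```python
import re

# Constructed sample profiles (not copies of the Ubuntu file), trimmed to
# the lines that matter for this check.
STOCK = """\
abi <abi/3.0>,
#include <tunables/global>

profile rsyslogd /usr/sbin/rsyslogd {
  #include <abstractions/base>
  /{,var/}run/rsyslogd.pid rwk,
  #include <rsyslog.d>
}
"""

PATCHED = STOCK.replace(
    "/usr/sbin/rsyslogd {",
    "/usr/sbin/rsyslogd flags=(attach_disconnected) {")

_FLAGS = re.compile(r"\bflags\s*=\s*\(([^)]*)\)")


def header_flags(profile_text, binary):
    """Return the flag set on the profile header attached to `binary`,
    or None when the text contains no such header."""
    for raw in profile_text.splitlines():
        line = raw.strip()
        # Comments and '#include' directives start with '#'; a header is a
        # line that ends with the opening brace of the profile body.
        if not line or line.startswith("#") or not line.endswith("{"):
            continue
        if binary not in line.split():
            continue
        match = _FLAGS.search(line)
        if match is None:
            return set()  # header present, no flags: enforce-mode defaults
        return {f for f in re.split(r"[,\s]+", match.group(1)) if f}
    return None


def attaches_disconnected(profile_text, binary="/usr/sbin/rsyslogd"):
    """True only when the header for `binary` lists attach_disconnected."""
    flags = header_flags(profile_text, binary)
    return flags is not None and "attach_disconnected" in flags
```

In a testinfra test the profile text would come from `host.file(...).content_string` for whichever path holds the primary rsyslogd profile on the node.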