Mailing List Archive

gss-api support for rsyslog
Hi,

here is a patch that enables rsyslog to use gss-api for authentication
and encryption.
It adds a new command-line option '-g<port>' to listen for a connection
wrapped with gss-api and a few new configuration directives:
for server:
$gsslistenservicename <service name>
for client:
$gssforwardservicename <service name>
$gssmode <encryption|integrity|none>

With gssmode set to "encryption" or "integrity" all tcp selectors will
be forwarding messages via gss-api.

http://people.redhat.com/pvrabec/rpms/rsyslog/rsyslog-1.19.10-gssapi.patch

Comments are welcome.
gss-api support for rsyslog [ In reply to ]
2007/11/14, theinric at redhat.com <theinric at redhat.com>:
> Hi,
>
> here is a patch that enables rsyslog to use gss-api for authentication
> and encryption.
> It adds a new command-line option '-g<port>' to listen for a connection
> wrapped with gss-api and a few new configuration directives:
> for server:
> $gsslistenservicename <service name>
> for client:
> $gssforwardservicename <service name>
> $gssmode <encryption|integrity|none>
>
> With gssmode set to "encryption" or "integrity" all tcp selectors will
> be forwarding messages via gss-api.

Nice work! The only thing missing imho is documentation:
rsyslogd --help does not list the parameter, and neither does man rsyslogd.
man rsyslog.conf should document the new configuration directives and
an html file in doc/ would be nice too.

Cheers,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
gss-api support for rsyslog [ In reply to ]
On 11/14/2007 06:50 PM, Michael Biebl wrote:
> 2007/11/14, theinric at redhat.com <theinric at redhat.com>:
>> Hi,
>>
>> here is a patch that enables rsyslog to use gss-api for authentication
>> and encryption.
>> It adds a new command-line option '-g<port>' to listen for a connection
>> wrapped with gss-api and a few new configuration directives:
>> for server:
>> $gsslistenservicename <service name>
>> for client:
>> $gssforwardservicename <service name>
>> $gssmode <encryption|integrity|none>
>>
>> With gssmode set to "encryption" or "integrity" all tcp selectors will
>> be forwarding messages via gss-api.
>
> Nice work! The only thing missing imho is documentation:
> rsyslogd --help does not list the parameter, and neither does man rsyslogd.
> man rsyslog.conf should document the new configuration directives and
> an html file in doc/ would be nice too.

You're right, documentation hasn't been added yet. I want to wait for
more feedback and maybe someone will come up with better directive
names. :)
gss-api support for rsyslog [ In reply to ]
In any case, it's a real nice piece of work. I have just returned from
the US (this Monday) and there is still a pile of work I need to look
at. I think next Monday I'll go back to rsyslog and integrating that
patch is probably the #1 thing to do ;)

Thanks,
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of theinric at redhat.com
> Sent: Thursday, November 15, 2007 11:01 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] gss-api support for rsyslog
>
> On 11/14/2007 06:50 PM, Michael Biebl wrote:
> > 2007/11/14, theinric at redhat.com <theinric at redhat.com>:
> >> Hi,
> >>
> >> here is a patch that enables rsyslog to use gss-api for authentication
> >> and encryption.
> >> It adds a new command-line option '-g<port>' to listen for a connection
> >> wrapped with gss-api and a few new configuration directives:
> >> for server:
> >> $gsslistenservicename <service name>
> >> for client:
> >> $gssforwardservicename <service name>
> >> $gssmode <encryption|integrity|none>
> >>
> >> With gssmode set to "encryption" or "integrity" all tcp selectors will
> >> be forwarding messages via gss-api.
> >
> > Nice work! The only thing missing imho is documentation:
> > rsyslogd --help does not list the parameter, and neither does man rsyslogd.
> > man rsyslog.conf should document the new configuration directives and
> > an html file in doc/ would be nice too.
>
> You're right, documentation hasn't been added yet. I want to wait for
> more feedback and maybe someone will come up with better directive
> names. :)
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
gss-api support for rsyslog [ In reply to ]
thnx. Rainer,

this is very important functionality for us. If you need any help or you have
some questions, drop us an email.

btw. F8 has been out for a week and there are no bug reports on rsyslog, I hope it
will continue this way ;-)

peace :-)

On Thursday 15 November 2007 11:02:58 am Rainer Gerhards wrote:
> In any case, it's a real nice piece of work. I have just returned from
> the US (this Monday) and there is still a pile of work I need to look
> at. I think next Monday I'll go back to rsyslog and integrating that
> patch is probably the #1 thing to do ;)
gss-api support for rsyslog [ In reply to ]
Hi all,

I have just done a rough review of the patch. From the code point of
view it looks very good. So I have committed it to CVS; it's now
available.

However, I am not yet 100% sure on how it is used. Maybe you can give me
a jump start with a few notes on how to set it up and what to expect.
That would enable me to better follow the code. And, yes, I know it's all
there in the code... ;)

Thanks again for your great help. This indeed looks like a very
important addition to rsyslog.

Rainer


On Thu, 2007-11-15 at 11:12 +0100, Peter Vrabec wrote:
> thnx. Rainer,
>
> this is very important functionality for us. If you need any help or you have
> some questions, drop us an email.
>
> btw. F8 has been out for a week and there are no bug reports on rsyslog, I hope it
> will continue this way ;-)
>
> peace :-)
>
> On Thursday 15 November 2007 11:02:58 am Rainer Gerhards wrote:
> > In any case, it's a real nice piece of work. I have just returned from
> > the US (this Monday) and there is still a pile of work I need to look
> > at. I think next Monday I'll go back to rsyslog and integrating that
> > patch is probably the #1 thing to do ;)
gss-api support for rsyslog [ In reply to ]
I have uploaded an interim version of the applied-patch-to-version to

http://download.rsyslog.com/rsyslog/rsyslog-1.19.11.tar.gz

in case that somebody would like to have an early look at the package.
It still lacks any doc.

Feedback is appreciated.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, November 19, 2007 11:09 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] gss-api support for rsyslog
>
> Hi all,
>
> I have just done a rough review of the patch. From the code point of
> view it looks very good. So I have committed it to CVS; it's now
> available.
>
> However, I am not yet 100% sure on how it is used. Maybe you can give me
> a jump start with a few notes on how to set it up and what to expect.
> That would enable me to better follow the code. And, yes, I know it's all
> there in the code... ;)
>
> Thanks again for your great help. This indeed looks like a very
> important addition to rsyslog.
>
> Rainer
>
>
> On Thu, 2007-11-15 at 11:12 +0100, Peter Vrabec wrote:
> > thnx. Rainer,
> >
> > this is very important functionality for us. If you need any help or you have
> > some questions, drop us an email.
> >
> > btw. F8 has been out for a week and there are no bug reports on rsyslog, I hope it
> > will continue this way ;-)
> >
> > peace :-)
> >
> > On Thursday 15 November 2007 11:02:58 am Rainer Gerhards wrote:
> > > In any case, it's a real nice piece of work. I have just returned from
> > > the US (this Monday) and there is still a pile of work I need to look
> > > at. I think next Monday I'll go back to rsyslog and integrating that
> > > patch is probably the #1 thing to do ;)
gss-api support for rsyslog [ In reply to ]
in case you need some help setting up krb stuff, here is some info:

http://web.mit.edu/kerberos/www/krb5-1.6/
http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html#install

how was our env. set up? just brief instructions:

SERVER SIDE (xen41.englab.brq.redhat.com) in WRABCO.ORG realm
- running KDC, rsyslog listens to gss connections
- 2 principals were added to database:
host/xen41.englab.brq.redhat.com at WRABCO.ORG
pvrabec at WRABCO.ORG
- host/xen41.englab.brq.redhat.com at WRABCO.ORG must be exported to keytab
file /etc/krb5.keytab
- rsyslog started with -g514 option (the -t option is not used)

CLIENT SIDE
- get ticket from kdc (#kinit pvrabec)
- configure rsyslog (/etc/rsyslog.conf)
$gssmode encryption
*.info;mail.none;authpriv.none;cron.none @@xen41
- start rsyslog
- #logger foo


On Monday 19 November 2007 03:29:29 pm Rainer Gerhards wrote:
> I have uploaded an interim version of the applied-patch-to-version to
>
> http://download.rsyslog.com/rsyslog/rsyslog-1.19.11.tar.gz
>
> in case that somebody would like to have an early look at the package.
> It still lacks any doc.
>
> Feedback is appreciated.
>
> Rainer
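A preflight check for the setup Peter describes above, written as an added example (it is not rsyslog code and not part of the patch). It reads a constructed `klist -kt` listing, the server's command line and the client's rsyslog.conf fragment, and reports the mistakes that would leave the described setup unauthenticated or forwarding in plaintext: a missing host/<fqdn>@REALM keytab entry, a server started without -g<port>, a client with $gssmode left at none, mismatched service names, mismatched ports, and UDP (@) selectors, which the original post says are not covered since only tcp selectors are wrapped. Assumptions not stated in the thread: the service name defaults to "host" when neither $gsslistenservicename nor $gssforwardservicename is given, and an @@host selector without :port targets TCP 514. The hostnames and realm in the sample inputs are taken from the post; the keytab listing itself is constructed.

```python
import re

# Assumptions (not stated in the thread): the service name defaults to "host"
# when neither $gsslistenservicename nor $gssforwardservicename is set, and a
# "@@host" selector without ":port" targets TCP port 514.
DEFAULT_SERVICE = "host"
DEFAULT_PORT = 514


def keytab_principals(klist_output):
    """Principals in `klist -kt` output: one 'KVNO date time principal' row each."""
    princs = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            princs.add(m.group(1))
    return princs


def parse_conf(text):
    """Split an rsyslog.conf fragment into $directives and @/@@ forward selectors."""
    directives, forwards = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$"):
            name, _, value = line[1:].partition(" ")
            directives[name.lower()] = value.strip()
            continue
        m = re.match(r"(\S+)\s+(@@?)([^\s:]+)(?::(\d+))?$", line)
        if m:
            selector, marks, host, port = m.groups()
            forwards.append({"selector": selector, "tcp": marks == "@@",
                             "host": host, "port": int(port) if port else DEFAULT_PORT})
    return directives, forwards


def check_server(fqdn, realm, cmdline, conf, klist_output):
    """The listener needs its service principal in the keytab and a -g<port>."""
    findings = []
    directives, _ = parse_conf(conf)
    service = directives.get("gsslistenservicename", DEFAULT_SERVICE)
    wanted = f"{service}/{fqdn}@{realm}"
    if wanted not in keytab_principals(klist_output):
        findings.append(f"server: {wanted} is not in the keytab, so clients cannot authenticate")
    m = re.search(r"-g\s*(\d+)", cmdline)
    if not m:
        findings.append("server: no -g<port> on the command line, so no GSS listener is started")
    return service, (int(m.group(1)) if m else None), findings


def check_client(conf, server_service, gss_port):
    """GSS mode must be on, service names must agree, and only TCP (@@) is wrapped."""
    findings = []
    directives, forwards = parse_conf(conf)
    mode = directives.get("gssmode", "none").lower()
    if mode not in ("encryption", "integrity"):
        findings.append(f"client: $gssmode is '{mode}', so TCP forwards go out as plaintext syslog")
    service = directives.get("gssforwardservicename", DEFAULT_SERVICE)
    if service != server_service:
        findings.append(f"client: service name '{service}' differs from the server's '{server_service}'")
    for fw in forwards:
        if not fw["tcp"]:
            findings.append(f"client: UDP selector '{fw['selector']} @{fw['host']}' is not covered by $gssmode")
        elif gss_port is not None and fw["port"] != gss_port:
            findings.append(f"client: @@{fw['host']} targets port {fw['port']} but the GSS listener is on {gss_port}")
    return findings


# Constructed inputs modelled on the thread's lab: realm WRABCO.ORG, server xen41.
KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   2 11/14/07 10:02:11 host/xen41.englab.brq.redhat.com@WRABCO.ORG
"""
SERVER_CMDLINE = "rsyslogd -g514"
CLIENT_OK = """$gssmode encryption
*.info;mail.none;authpriv.none;cron.none @@xen41
"""
CLIENT_BAD = """$gssmode none
*.info;mail.none;authpriv.none;cron.none @@xen41
authpriv.* @xen41
"""


def preflight(client_conf, server_conf="", cmdline=SERVER_CMDLINE, klist=KLIST,
              fqdn="xen41.englab.brq.redhat.com", realm="WRABCO.ORG"):
    """Run both sides and return the list of findings (empty means consistent)."""
    service, port, findings = check_server(fqdn, realm, cmdline, server_conf, klist)
    return findings + check_client(client_conf, service, port)
```

Running preflight(CLIENT_OK) returns an empty list for the configuration in the post; preflight(CLIENT_BAD) flags the $gssmode none line and the UDP authpriv.* @xen41 selector, the two ways a host can look "configured for gss" while still emitting plaintext on the wire.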
gss-api support for rsyslog [ In reply to ]
Hi Peter,

this, as well as the doc, is most helpful. Now that we actually have doc
(I thought I'd have to pen it down ;)), I think I will release very
shortly, most probably tomorrow.

I have thought about setting up a full lab before carrying on. For now,
I have decided to NOT do that. I am sure that you folks have tested it
quite well and the code that I have seen looks excellent.

So I will pull it in as is and wait for some feedback from the field
(with the assumption "no feedback" equals "OK").

I will then begin to look at the loadable module de-initialization. This
is not really clean in the current release, but that's no problem
because modules never get unloaded. However, in the long term we need
this to be clean.

The mysterious segfault issue is still dangling. I was hesitant to do any
larger-scale new development without fixing it. But given the fact that
it is extremely hard to find, and obviously happens very seldom, I'll
continue developing. I am right now looking into upgrading the dev
machine to an x64 OS, where most of the problems happened. My hope is
that I will see a segfault during further development work and then
hopefully be able to tackle it. I still think that the segfault must be
well understood and fixed before I go into some serious multithreading
redesign. As such, unfortunately, this issue still holds some of the
work scheduled for the next *major* version.

I thought I'd give you an update here from my end (will also post this to
the blog for the others). Any feedback/suggestion is highly welcome.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Peter Vrabec
> Sent: Tuesday, November 20, 2007 4:09 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] gss-api support for rsyslog
>
> in case you need some help setting up krb stuff, here is some info:
>
> http://web.mit.edu/kerberos/www/krb5-1.6/
> http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html#install
>
> how was our env. set up? just brief instructions:
>
> SERVER SIDE (xen41.englab.brq.redhat.com) in WRABCO.ORG realm
> - running KDC, rsyslog listens to gss connections
> - 2 principals were added to database:
> host/xen41.englab.brq.redhat.com at WRABCO.ORG
> pvrabec at WRABCO.ORG
> - host/xen41.englab.brq.redhat.com at WRABCO.ORG must be exported to keytab
> file /etc/krb5.keytab
> - rsyslog started with -g514 option (the -t option is not used)
>
> CLIENT SIDE
> - get ticket from kdc (#kinit pvrabec)
> - configure rsyslog (/etc/rsyslog.conf)
> $gssmode encryption
> *.info;mail.none;authpriv.none;cron.none @@xen41
> - start rsyslog
> - #logger foo
>
>
> On Monday 19 November 2007 03:29:29 pm Rainer Gerhards wrote:
> > I have uploaded an interim version of the applied-patch-to-version to
> >
> > http://download.rsyslog.com/rsyslog/rsyslog-1.19.11.tar.gz
> >
> > in case that somebody would like to have an early look at the package.
> > It still lacks any doc.
> >
> > Feedback is appreciated.
> >
> > Rainer
gss-api support for rsyslog [ In reply to ]
On Tuesday 20 November 2007 04:53:24 pm Rainer Gerhards wrote:
> Hi Peter,
>
> this, as well as the doc, is most helpful. Now that we actually have doc
> (I thought I'd have to pen it down ;)), I think I will release very
> shortly, most probably tomorrow.
doc would be perfect :-) I'm sorry I didn't have time to do it.

> I have thought about setting up a full lab before carrying on. For now,
> I have decided to NOT do that. I am sure that you folks have tested it
> quite well and the code that I have seen looks excellent.
>
> So I will pull it in as is and wait for some feedback from the field
> (with the assumption "no feedback" equals "OK").
hold on, please. There is still some development and we need to be clear on
one thing. Here it is:
"-g" accepts only gss connections
"-t" accepts all connections (gss as a plain text)
but, we have a requirement to log both(gss and non-gss).
Solutions:
1. -g somePort -t someOtherPort
- this might be easily implemented

2. check if the message is gss or not
- a bit hackish, since there is no protocol

I think the patch is OK to release, but I'd like to avoid breaking compatibility
in the future.

> I will then begin to look at the loadable module de-initialization. This
> is not really clean in the current release, but that's no problem
> because modules never get unloaded. However, in the long term we need
> this to be clean.
>
> The mysterious segfault issue is still dangling. I was hesitant to do any
> larger-scale new development without fixing it. But given the fact that
> it is extremely hard to find, and obviously happens very seldom, I'll
> continue developing. I am right now looking into upgrading the dev
> machine to an x64 OS, where most of the problems happened. My hope is
> that I will see a segfault during further development work and then
> hopefully be able to tackle it. I still think that the segfault must be
> well understood and fixed before I go into some serious multithreading
> redesign. As such, unfortunately, this issue still holds some of the
> work scheduled for the next *major* version.

This bug is my nightmare. I really don't know what to do. I ran 2 syslogs in
valgrind over a weekend. Sending messages via UDP on a 64-bit architecture,
messages generated every 1/3 sec. RESULT: no segfault. :-(

F8 has been out for 2 weeks, we have only one bug report. I released an update to
1.19.10.

> I thought I'd give you an update here from my end (will also post this to
> the blog for the others). Any feedback/suggestion is highly welcome.
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > bounces at lists.adiscon.com] On Behalf Of Peter Vrabec
> > Sent: Tuesday, November 20, 2007 4:09 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] gss-api support for rsyslog
> >
> > in case you need some help setting up krb stuff, here is some info:
> >
> > http://web.mit.edu/kerberos/www/krb5-1.6/
> > http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html#install
> >
> > how was our env. set up? just brief instructions:
> >
> > SERVER SIDE (xen41.englab.brq.redhat.com) in WRABCO.ORG realm
> > - running KDC, rsyslog listen to gss connections
> > - 2 principals were added to database:
> > host/xen41.englab.brq.redhat.com at WRABCO.ORG
> > pvrabec at WRABCO.ORG
> > - host/xen41.englab.brq.redhat.com at WRABCO.ORG must be exported to
> > keytab
> > file /etc/krb5.keytab
> > - rsyslog started with -g514 option (not -t option is used)
> >
> > CLIENT SIDE
> > - get ticket from kdc (#kinit pvrabec)
> > - configure rsyslog (/etc/rsyslog.conf)
> > $gssmode encryption
> > *.info;mail.none;authpriv.none;cron.none @@xen41
> > - start rsyslog
> > - #logger foo
> >
> > On Monday 19 November 2007 03:29:29 pm Rainer Gerhards wrote:
> > > I have uploaded an interim version of the applied-patch-to-version to
> > >
> > > http://download.rsyslog.com/rsyslog/rsyslog-1.19.11.tar.gz
> > >
> > > in case that somebody would like to have an early look at the package.
> > > It still lacks any doc.
> > >
> > > Feedback is appreciated.
> > >
> > > Rainer
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
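The second option above, sniffing the first bytes of a connection to tell a GSS-API token from plaintext syslog, as an added example that is not rsyslog code and not part of the patch. It shows what such a sniff can and cannot establish: an initial context token is framed per RFC 2743 section 3.1 (the 0x60 [APPLICATION 0] tag, a DER length, the mechanism OID, then the mechanism token), and the Kerberos V5 mechanism OID is 1.2.840.113554.1.2.2 (RFC 1964). A first-byte check alone misfires on any plaintext message that happens to begin with '`' (0x60); checking the whole header down to the OID is much stronger but still a guess made over a stream that defines no framing, which is why "no protocol" is the real objection. The inner mechanism token and the syslog lines are constructed stand-ins.

```python
# Kerberos V5 GSS-API mechanism OID 1.2.840.113554.1.2.2 in DER (RFC 1964).
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")


def der_length(n):
    """DER definite-form length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def initial_context_token(mech_oid, inner):
    """RFC 2743 section 3.1 framing: [APPLICATION 0] tag, length, mech OID, mech token."""
    body = mech_oid + inner
    return b"\x60" + der_length(len(body)) + body


def parse_der_length(buf, pos):
    """Return (length, next_pos), or None if the bytes are short or malformed."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def classify_first_byte(peek):
    """Naive sniff: treat anything that starts with the 0x60 tag as a GSS token."""
    return "gss" if peek[:1] == b"\x60" else "plain"


def classify_token_header(peek):
    """Stricter sniff: 0x60, a parseable DER length, then the krb5 mechanism OID."""
    if peek[:1] != b"\x60":
        return "plain"
    parsed = parse_der_length(peek, 1)
    if parsed is None:
        return "unknown"
    length, pos = parsed
    if length < len(KRB5_MECH_OID) or peek[pos:pos + len(KRB5_MECH_OID)] != KRB5_MECH_OID:
        return "unknown"
    return "gss"


def compare(peek):
    """What each sniff concludes from the same first bytes of a connection."""
    return {"first_byte": classify_first_byte(peek), "header": classify_token_header(peek)}


# Constructed samples. The inner mechanism token is a dummy blob, not a real AP-REQ.
GSS_TOKEN = initial_context_token(KRB5_MECH_OID, b"\x01\x00" + b"\x00" * 40)
PLAIN_LINE = b"<13>Nov 20 16:09:01 client logger: foo\n"
# A legitimate plaintext message (no <PRI>) whose first byte is '`' == 0x60.
BACKTICK_LINE = b"`uname -a` failed on host xen41\n"
```

compare(BACKTICK_LINE) gives "gss" from the first-byte sniff and "unknown" from the header check, while compare(GSS_TOKEN) gives "gss" from both. Two caveats follow from the code: the header check needs at least 13 bytes buffered before it can decide (classify_token_header(GSS_TOKEN[:3]) is "unknown"), and nothing stops a plaintext sender from emitting those 13 bytes, so a listener that mixes both on one port can be made to misparse. Separate -g and -t ports, the first option above, need none of this.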
gss-api support for rsyslog [ In reply to ]
> > So I will pull it in as is and wait for some feedback from the field
> > (with the assumption "no feedback" equals "OK").
> hold on, please. There is still some development and we need to be clear on
> one thing. Here it is:
> "-g" accepts only gss connections
> "-t" accepts all connections (gss as a plain text)
> but, we have a requirement to log both(gss and non-gss).
> Solutions:
> 1. -g somePort -t someOtherPort
> - this might be easily implemented
>
> 2. check if the message is gss or not
> - a bit hackish, since there is no protocol
>
> I think the patch is OK to release, but I'd like to avoid breaking compatibility
> in the future.

OK, valid point. Will hold, a few days don't matter, upward
compatibility is more important.

> > I will then begin to look at the loadable module de-initialization. This
> > is not really clean in the current release, but that's no problem
> > because modules never get unloaded. However, in the long term we need
> > this to be clean.
> >
> > The mysterious segfault issue is still dangling. I was hesitant to do any
> > larger-scale new development without fixing it. But given the fact that
> > it is extremely hard to find, and obviously happens very seldom, I'll
> > continue developing. I am right now looking into upgrading the dev
> > machine to an x64 OS, where most of the problems happened. My hope is
> > that I will see a segfault during further development work and then
> > hopefully be able to tackle it. I still think that the segfault must be
> > well understood and fixed before I go into some serious multithreading
> > redesign. As such, unfortunately, this issue still holds some of the
> > work scheduled for the next *major* version.
>
> This bug is my nightmare. I really don't know what to do. I ran 2 syslogs in
> valgrind over a weekend. Sending messages via UDP on a 64-bit architecture,
> messages generated every 1/3 sec. RESULT: no segfault. :-(
>
> F8 has been out for 2 weeks, we have only one bug report. I released an
> update to 1.19.10.

My nightmare, too. I have hunted a number of bugs, but this one is
really the nastiest I have seen in over 20 years :(. You don't see it in
lab, and you don't see it in code review. And the worst thing is that I
have no clue left what may be the issue - besides that it is related to
threading. But the threading model is that simple...

Rainer
gss-api support for rsyslog [ In reply to ]
On 2007-11-20, Peter Vrabec <pvrabec at redhat.com> wrote:
>
> This bug is my nightmare. I really don't know what to do. I ran 2 syslogs in
> valgrind over a weekend. Sending messages via UDP on a 64-bit architecture,
> messages generated every 1/3 sec. RESULT: no segfault. :-(

I'd just like to again point out that we're seeing this regularly
on *32-bit* RHEL5. It's a quite heavily loaded server (1-2 GB udp-syslogs a
day), and it's been failing at these times:

Mon Sep 3 01:25:05 2007
Mon Sep 3 15:54:19 2007
Tue Sep 4 23:16:05 2007
Thu Sep 6 20:38:05 2007
Fri Sep 7 03:27:19 2007
Sat Sep 8 06:42:34 2007
Mon Sep 10 21:57:35 2007
Thu Sep 13 11:06:49 2007
Fri Sep 14 08:59:50 2007
Fri Sep 14 14:41:04 2007
Sat Sep 15 14:17:05 2007
Sun Sep 16 09:10:49 2007
Sun Sep 16 15:43:34 2007
Mon Sep 17 22:00:04 2007
Thu Sep 20 17:43:19 2007
Fri Sep 21 17:27:49 2007
Sun Sep 23 05:32:49 2007
Sun Sep 23 15:18:49 2007
Mon Sep 24 11:37:49 2007
Mon Sep 24 12:31:04 2007
Mon Sep 24 23:29:19 2007
# upgraded to rsyslog-1.19.8-1, running with MALLOC_CHECK_=2
Thu Sep 27 14:18:48 2007
Fri Sep 28 21:10:17 2007
Fri Oct 5 06:54:02 2007
Fri Oct 26 14:26:08 2007
Sun Nov 4 08:55:22 2007
Wed Nov 7 17:15:52 2007
Sat Nov 10 03:09:38 2007
Sat Nov 10 20:07:07 2007

So, with 1.19.8-1 it's gotten quite a bit better for us.
Unfortunately I haven't been able to get any core dumps,
even with DAEMON_COREFILE_LIMIT='unlimited' in
/etc/sysconfig/rsyslog and doing a "cd /var/log/syslog"
before starting rsyslogd in the init-script. Is there
anything else we need to do to get coredumps?


-jf
gss-api support for rsyslog [ In reply to ]
Hi Jan,

thnx. for the info. Could you try the latest release, please?
You can get src.rpm from fedora mirrors:
ftp://mirror.colorado.edu/pub/fedora/linux/updates/8/SRPMS/rsyslog-1.19.10-1.fc8.src.rpm

Could you send your /proc/cpuinfo?

Do you use network logging?

We try our best to reproduce the problem.

On Wednesday 21 November 2007 09:53:20 am Jan-Frode Myklebust wrote:
> On 2007-11-20, Peter Vrabec <pvrabec at redhat.com> wrote:
> > This bug is my nightmare. I really don't know what to do. I ran 2
> > syslogs in valgrind over a weekend. Sending messages via UDP on a 64-bit
> > architecture, messages generated every 1/3 sec. RESULT: no segfault. :-(
>
> I'd just like to again point out that we're seeing this regularly
> on *32-bit* RHEL5. It's a quite heavily loaded server (1-2 GB udp-syslogs a
> day), and it's been failing at these times:


gss-api support for rsyslog [ In reply to ]
2007/11/14, theinric at redhat.com <theinric at redhat.com>:
> Hi,
>
> here is a patch that enables rsyslog to use gss-api for authentication
> and encryption.

Hi,

it seems not all of the patch has made it into CVS. The part in
Makefile.am is missing, so the compilation fails. Please apply the
(inlined) patch ;-)

Index: Makefile.am
===================================================================
RCS file: /cvsroot/rsyslog/rsyslog/Makefile.am,v
retrieving revision 1.36
diff -u -3 -p -r1.36 Makefile.am
--- Makefile.am 30 Nov 2007 13:43:12 -0000 1.36
+++ Makefile.am 30 Nov 2007 23:10:27 -0000
@@ -63,7 +63,7 @@ rsyslogd_SOURCES = \
gss-misc.h

rsyslogd_CPPFLAGS = -D_PATH_MODDIR=\"$(pkglibdir)/\" $(pthreads_cflags)
-rsyslogd_LDADD = $(zlib_libs) $(pthreads_libs) -ldl
+rsyslogd_LDADD = $(zlib_libs) $(pthreads_libs) $(gss_libs) -ldl
rsyslogd_LDFLAGS = -export-dynamic

man_MANS = rfc3195d.8 rklogd.8 rsyslogd.8 rsyslog.conf.5
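Review bot: the `+rsyslogd_LDADD` line only fixes the build if configure actually substitutes `gss_libs`; if the configure.ac part of the GSS patch did not make it into CVS either, `$(gss_libs)` expands to nothing and the link still fails with undefined gss_* references, so this should be verified with a fresh autoreconf, configure and make rather than by inspection of the Makefile.am diff. Since the LDADD addition is unconditional, it is also worth checking that `gss_libs` is left empty when GSS-API support is not configured, so that a build without GSS does not pick up a hard dependency on the GSS-API libraries from this line.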



Cheers,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?