[pkg-nagios-changes] [Git][nagios-team/icinga2][upstream] New upstream version 2.13.5
Bas Couwenberg (@sebastic)
gitlab at salsa.debian.org
Thu Aug 11 17:15:18 BST 2022
Bas Couwenberg pushed to branch upstream at Debian Nagios Maintainer Group / icinga2
Commits:
7e9e7370 by Bas Couwenberg at 2022-08-11T17:09:58+02:00
New upstream version 2.13.5
- - - - -
23 changed files:
- .github/workflows/deb.yml
- .github/workflows/raspbian.yml
- .github/workflows/rpm.yml
- AUTHORS
- CHANGELOG.md
- CMakeLists.txt
- ICINGA2_VERSION
- doc/02-installation.md
- doc/win-dev.ps1
- itl/command-plugins.conf
- lib/base/CMakeLists.txt
- + lib/base/atomic-file.cpp
- + lib/base/atomic-file.hpp
- lib/base/configobject.cpp
- lib/base/exception.cpp
- lib/base/exception.hpp
- lib/base/logger.cpp
- lib/base/utility.hpp
- lib/icingadb/icingadb-objects.cpp
- lib/icingadb/icingadb.hpp
- tools/selinux/icinga2.sh
- tools/selinux/icinga2.te
- tools/win32/configure.ps1
Changes:
=====================================
.github/workflows/deb.yml
=====================================
@@ -21,21 +21,12 @@ jobs:
- name: debian
codename: buster
has32bit: true
- - name: debian
- codename: stretch
- has32bit: true
- name: ubuntu
codename: jammy
has32bit: false
- - name: ubuntu
- codename: impish
- has32bit: false
- name: ubuntu
codename: focal
has32bit: false
- - name: ubuntu
- codename: bionic
- has32bit: true
runs-on: ubuntu-latest
=====================================
.github/workflows/raspbian.yml
=====================================
@@ -18,7 +18,7 @@ jobs:
- buster
- bullseye
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04 # revert back to ubuntu-latest once that is 22.04 or later
steps:
- name: Cancel previous jobs for the same PR
@@ -34,10 +34,6 @@ jobs:
- name: qemu-user-static
run: |
set -exo pipefail
- . /etc/os-release
- if [ "$VERSION_ID" = 20.04 ]; then
- sudo perl -pi -e s/focal/impish/g /etc/apt/sources.list
- fi
sudo apt-get update
DEBIAN_FRONTEND=noninteractive sudo apt-get install -y qemu-user-static
=====================================
.github/workflows/rpm.yml
=====================================
@@ -33,15 +33,18 @@ jobs:
- name: fedora
release: 35
subscription: false
- - name: fedora
- release: 34
- subscription: false
+ - name: sles
+ release: '15.4'
+ subscription: true
- name: sles
release: '15.3'
subscription: true
- name: sles
release: '12.5'
subscription: true
+ - name: opensuse
+ release: '15.4'
+ subscription: false
- name: opensuse
release: '15.3'
subscription: false
=====================================
AUTHORS
=====================================
@@ -58,6 +58,7 @@ Claudio Kuenzler <ck at claudiokuenzler.com>
Conrad Clement <cclement at printeron.com>
cstegm <cstegm at users.noreply.github.com>
ctrlaltca <ctrlaltca at gmail.com>
+Daniel Bodky <daniel.bodky at netways.de>
Daniel Helgenberger <daniel.helgenberger at m-box.de>
Daniel Kesselberg <mail at danielkesselberg.de>
Daniil Yaroslavtsev <dyaroslavtsev at confyrm.com>
=====================================
CHANGELOG.md
=====================================
@@ -7,6 +7,22 @@ documentation before upgrading to a new release.
Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed).
+## 2.13.5 (2022-08-11)
+
+Version 2.13.5 is a maintenance release that fixes some bugs,
+improves logging and updates the documentation as well as a bundled library.
+
+### Bugfixes
+
+* Ensure not to write an incomplete (i.e. corrupt) state file. #9467
+* ITL: Render vars.apt\_upgrade=true as --upgrade, not --upgrade=true. #9458
+* Icinga DB: Don't surprise (and crash) the Go daemon with config types it doesn't know. #9480
+* Icinga DB: Add missing Redis SELinux policy. #9473
+* Windows: Don't spam the event log with non-error startup messages. #9457
+* Windows: Update bundled version of OpenSSL. #9460
+* Docs: Update RHEL 8 installation instructions. #9482
+* Docs: Add RHEL 9 installation instructions. #9482
+
## 2.13.4 (2022-06-30)
This release brings the final changes needed for the Icinga DB 1.0 release.
=====================================
CMakeLists.txt
=====================================
@@ -163,7 +163,7 @@ else()
set(LOGROTATE_CREATE "\n\tcreate 644 ${ICINGA2_USER} ${ICINGA2_GROUP}")
endif()
-find_package(Boost ${BOOST_MIN_VERSION} COMPONENTS coroutine context date_time filesystem thread system program_options regex REQUIRED)
+find_package(Boost ${BOOST_MIN_VERSION} COMPONENTS coroutine context date_time filesystem iostreams thread system program_options regex REQUIRED)
# Boost.Coroutine2 (the successor of Boost.Coroutine)
# (1) doesn't even exist in old Boost versions and
=====================================
ICINGA2_VERSION
=====================================
@@ -1,2 +1,2 @@
-Version: 2.13.4
+Version: 2.13.5
Revision: 1
=====================================
doc/02-installation.md
=====================================
@@ -122,18 +122,18 @@ rpm --import https://packages.icinga.com/icinga.key
wget https://packages.icinga.com/subscription/rhel/ICINGA-release.repo -O /etc/yum.repos.d/ICINGA-release.repo
```
-If you are using RHEL you need to additionally enable the `optional` and `codeready-builder`
+If you are using RHEL you need to additionally enable the `codeready-builder`
repository before installing the [EPEL rpm package](https://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F).
-#### RHEL 8
+#### RHEL 8 or Later
```bash
-ARCH=$( /bin/arch )
+ARCH=$(/bin/arch)
+OSVER=$(. /etc/os-release; echo "${VERSION_ID%%.*}")
-subscription-manager repos --enable rhel-8-server-optional-rpms
-subscription-manager repos --enable "codeready-builder-for-rhel-8-${ARCH}-rpms"
+subscription-manager repos --enable "codeready-builder-for-rhel-${OSVER}-${ARCH}-rpms"
-dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-${OSVER}.noarch.rpm
```
#### RHEL 7
@@ -267,7 +267,7 @@ systemctl start icinga2
<!-- {% endif %} -->
<!-- {% if rhel %} -->
-#### RHEL 8
+#### RHEL 8 or Later
```bash
dnf install icinga2
@@ -380,7 +380,7 @@ yum install nagios-plugins-all
<!-- {% endif %} -->
The packages for RHEL depend on other packages which are distributed as part of the EPEL repository.
-#### RHEL 8
+#### RHEL 8 or Later
```bash
dnf install nagios-plugins-all
=====================================
doc/win-dev.ps1
=====================================
@@ -14,7 +14,7 @@ function ThrowOnNativeFailure {
$VsVersion = 2019
$MsvcVersion = '14.2'
$BoostVersion = @(1, 79, 0)
-$OpensslVersion = '1_1_1p'
+$OpensslVersion = '1_1_1q'
switch ($Env:BITS) {
32 { }
=====================================
itl/command-plugins.conf
=====================================
@@ -1919,20 +1919,43 @@ object CheckCommand "apt" {
command = [ PluginDir + "/check_apt" ]
arguments = {
- "--extra-opts" = {
- value = "$apt_extra_opts$"
- description = "Read options from an ini file."
- }
+ // apt-get takes only options starting with "-" (like "-sqq") before
+ // the upgrade command, so passing e.g. "foobar" as "--upgrade=foobar"
+ // makes no sense. This allows to easily decide between "-x=-y"
+ // (strings starting with "-") and "-x" (everything else).
"--upgrade" = {
- value = "$apt_upgrade$"
- separator = "="
+ set_if = {{
+ var v = macro("$apt_upgrade$")
+ return match("-*", string(v).trim()) ? false : v
+ }}
description = "[Default] Perform an upgrade. If an optional OPTS argument is provided, apt-get will be run with these command line options instead of the default."
}
"--dist-upgrade" = {
- value = "$apt_dist_upgrade$"
+ set_if = {{
+ var v = macro("$apt_dist_upgrade$")
+ return match("-*", string(v).trim()) ? false : v
+ }}
+ description = "Perform a dist-upgrade instead of normal upgrade. Like with -U OPTS can be provided to override the default options."
+ }
+ "--upgrade=OPTS" = {
+ set_if = {{ match("-*", string(macro("$apt_upgrade$")).trim()) }}
+ key = "--upgrade"
separator = "="
+ value = "$apt_upgrade$"
+ description = "[Default] Perform an upgrade. If an optional OPTS argument is provided, apt-get will be run with these command line options instead of the default."
+ }
+ "--dist-upgrade=OPTS" = {
+ set_if = {{ match("-*", string(macro("$apt_dist_upgrade$")).trim()) }}
+ key = "--dist-upgrade"
+ separator = "="
+ value = "$apt_dist_upgrade$"
description = "Perform a dist-upgrade instead of normal upgrade. Like with -U OPTS can be provided to override the default options."
}
+
+ "--extra-opts" = {
+ value = "$apt_extra_opts$"
+ description = "Read options from an ini file."
+ }
"--include" = {
value = "$apt_include$"
description = "Include only packages matching REGEXP. Can be specified multiple times the values will be combined together."
=====================================
lib/base/CMakeLists.txt
=====================================
@@ -16,6 +16,7 @@ set(base_SOURCES
application.cpp application.hpp application-ti.hpp application-version.cpp application-environment.cpp
array.cpp array.hpp array-script.cpp
atomic.hpp
+ atomic-file.cpp atomic-file.hpp
base64.cpp base64.hpp
boolean.cpp boolean.hpp boolean-script.cpp
bulker.hpp
=====================================
lib/base/atomic-file.cpp
=====================================
@@ -0,0 +1,116 @@
+/* Icinga 2 | (c) 2022 Icinga GmbH | GPLv2+ */
+
+#include "base/atomic-file.hpp"
+#include "base/exception.hpp"
+#include "base/utility.hpp"
+#include <utility>
+
+#ifdef _WIN32
+# include <io.h>
+# include <windows.h>
+#else /* _WIN32 */
+# include <errno.h>
+# include <unistd.h>
+#endif /* _WIN32 */
+
+using namespace icinga;
+
+AtomicFile::AtomicFile(String path, int mode) : m_Path(std::move(path))
+{
+ m_TempFilename = m_Path + ".tmp.XXXXXX";
+
+#ifdef _WIN32
+ m_Fd = Utility::MksTemp(&m_TempFilename[0]);
+#else /* _WIN32 */
+ m_Fd = mkstemp(&m_TempFilename[0]);
+#endif /* _WIN32 */
+
+ if (m_Fd < 0) {
+ auto error (errno);
+
+ BOOST_THROW_EXCEPTION(posix_error()
+ << boost::errinfo_api_function("mkstemp")
+ << boost::errinfo_errno(error)
+ << boost::errinfo_file_name(m_TempFilename));
+ }
+
+ try {
+ exceptions(failbit | badbit);
+
+ open(boost::iostreams::file_descriptor(
+ m_Fd,
+ // Rationale: https://github.com/boostorg/iostreams/issues/152
+ boost::iostreams::never_close_handle
+ ));
+
+ if (chmod(m_TempFilename.CStr(), mode) < 0) {
+ auto error (errno);
+
+ BOOST_THROW_EXCEPTION(posix_error()
+ << boost::errinfo_api_function("chmod")
+ << boost::errinfo_errno(error)
+ << boost::errinfo_file_name(m_TempFilename));
+ }
+ } catch (...) {
+ if (is_open()) {
+ close();
+ }
+
+ (void)::close(m_Fd);
+ (void)unlink(m_TempFilename.CStr());
+ throw;
+ }
+}
+
+AtomicFile::~AtomicFile()
+{
+ if (is_open()) {
+ try {
+ close();
+ } catch (...) {
+ // Destructor must not throw
+ }
+ }
+
+ if (m_Fd >= 0) {
+ (void)::close(m_Fd);
+ }
+
+ if (!m_TempFilename.IsEmpty()) {
+ (void)unlink(m_TempFilename.CStr());
+ }
+}
+
+void AtomicFile::Commit()
+{
+ flush();
+
+ auto h ((*this)->handle());
+
+#ifdef _WIN32
+ if (!FlushFileBuffers(h)) {
+ auto err (GetLastError());
+
+ BOOST_THROW_EXCEPTION(win32_error()
+ << boost::errinfo_api_function("FlushFileBuffers")
+ << errinfo_win32_error(err)
+ << boost::errinfo_file_name(m_TempFilename));
+ }
+#else /* _WIN32 */
+ if (fsync(h)) {
+ auto err (errno);
+
+ BOOST_THROW_EXCEPTION(posix_error()
+ << boost::errinfo_api_function("fsync")
+ << boost::errinfo_errno(err)
+ << boost::errinfo_file_name(m_TempFilename));
+ }
+#endif /* _WIN32 */
+
+ close();
+ (void)::close(m_Fd);
+ m_Fd = -1;
+
+ Utility::RenameFile(m_TempFilename, m_Path);
+ m_TempFilename = "";
+}
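Review bot: In the constructor, `chmod(m_TempFilename.CStr(), mode)` sets the mode by path although the descriptor returned by mkstemp() is already held in `m_Fd`, so the call acts on whatever the name refers to at that moment rather than on the file that was opened. On the non-Windows branch I would use the descriptor instead, `if (fchmod(m_Fd, mode) < 0) {`, and report `"fchmod"` in `errinfo_api_function`; the Windows branch can keep the path-based call. Separately, Commit() syncs the temporary file but not the containing directory, so on POSIX the rename itself may not be durable after a crash. The old file would then still be complete, but a short comment in Commit() stating that would help the next reader.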
=====================================
lib/base/atomic-file.hpp
=====================================
@@ -0,0 +1,34 @@
+/* Icinga 2 | (c) 2022 Icinga GmbH | GPLv2+ */
+
+#ifndef ATOMIC_FILE_H
+#define ATOMIC_FILE_H
+
+#include "base/string.hpp"
+#include <boost/iostreams/device/file_descriptor.hpp>
+#include <boost/iostreams/stream.hpp>
+
+namespace icinga
+{
+
+/**
+ * Atomically replaces a file's content.
+ *
+ * @ingroup base
+ */
+class AtomicFile : public boost::iostreams::stream<boost::iostreams::file_descriptor>
+{
+public:
+ AtomicFile(String path, int mode);
+ ~AtomicFile();
+
+ void Commit();
+
+private:
+ String m_Path;
+ String m_TempFilename;
+ int m_Fd;
+};
+
+}
+
+#endif /* ATOMIC_FILE_H */
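Review bot: The class comment says only "Atomically replaces a file's content" and leaves out the contract a caller needs. Going by atomic-file.cpp on this page, data goes to a temporary file named after the target and the target is replaced only by Commit(); destroying the object without Commit() unlinks the temporary file. I would add to the Doxygen block something like `* Writes go to a temporary file next to the target; the target is replaced only by Commit(), and destruction without Commit() discards the data.` and document `mode` as the permission bits applied to that temporary file.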
=====================================
lib/base/configobject.cpp
=====================================
@@ -1,5 +1,6 @@
/* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
+#include "base/atomic-file.hpp"
#include "base/configobject.hpp"
#include "base/configobject-ti.cpp"
#include "base/configtype.hpp"
@@ -468,13 +469,7 @@ void ConfigObject::DumpObjects(const String& filename, int attributeTypes)
Log(LogWarning, "ConfigObject") << DiagnosticInformation(ex);
}
- std::fstream fp;
- String tempFilename = Utility::CreateTempFile(filename + ".tmp.XXXXXX", 0600, fp);
- fp.exceptions(std::ofstream::failbit | std::ofstream::badbit);
-
- if (!fp)
- BOOST_THROW_EXCEPTION(std::runtime_error("Could not open '" + tempFilename + "' file"));
-
+ AtomicFile fp (filename, 0600);
StdioStream::Ptr sfp = new StdioStream(&fp, false);
for (const Type::Ptr& type : Type::GetAllTypes()) {
@@ -502,10 +497,7 @@ void ConfigObject::DumpObjects(const String& filename, int attributeTypes)
}
sfp->Close();
-
- fp.close();
-
- Utility::RenameFile(tempFilename, filename);
+ fp.Commit();
}
void ConfigObject::RestoreObject(const String& message, int attributeTypes)
=====================================
lib/base/exception.cpp
=====================================
@@ -180,6 +180,13 @@ String icinga::DiagnosticInformation(const std::exception& ex, bool verbose, boo
String message = ex.what();
+#ifdef _WIN32
+ const auto *win32_err = dynamic_cast<const win32_error *>(&ex);
+ if (win32_err) {
+ message = to_string(*win32_err);
+ }
+#endif /* _WIN32 */
+
const auto *vex = dynamic_cast<const ValidationError *>(&ex);
if (message.IsEmpty())
@@ -424,6 +431,39 @@ std::string icinga::to_string(const StackTraceErrorInfo&)
}
#ifdef _WIN32
+const char *win32_error::what() const noexcept
+{
+ return "win32_error";
+}
+
+std::string icinga::to_string(const win32_error &e) {
+ std::ostringstream msgbuf;
+
+ const char * const *func = boost::get_error_info<boost::errinfo_api_function>(e);
+
+ if (func) {
+ msgbuf << "Function call '" << *func << "'";
+ } else {
+ msgbuf << "Function call";
+ }
+
+ const std::string *fname = boost::get_error_info<boost::errinfo_file_name>(e);
+
+ if (fname) {
+ msgbuf << " for file '" << *fname << "'";
+ }
+
+ msgbuf << " failed";
+
+ const int *errnum = boost::get_error_info<errinfo_win32_error>(e);
+
+ if (errnum) {
+ msgbuf << " with error code " << Utility::FormatErrorNumber(*errnum);
+ }
+
+ return msgbuf.str();
+}
+
std::string icinga::to_string(const errinfo_win32_error& e)
{
return "[errinfo_win32_error] = " + Utility::FormatErrorNumber(e.value()) + "\n";
=====================================
lib/base/exception.hpp
=====================================
@@ -127,7 +127,12 @@ private:
};
#ifdef _WIN32
-class win32_error : virtual public std::exception, virtual public boost::exception { };
+class win32_error : virtual public std::exception, virtual public boost::exception {
+public:
+ const char *what() const noexcept override;
+};
+
+std::string to_string(const win32_error& e);
struct errinfo_win32_error_;
typedef boost::error_info<struct errinfo_win32_error_, int> errinfo_win32_error;
=====================================
lib/base/logger.cpp
=====================================
@@ -256,7 +256,7 @@ Log::~Log()
}
#ifdef _WIN32
- if (Logger::IsEarlyLoggingEnabled() && entry.Severity >= Logger::GetConsoleLogSeverity()) {
+ if (Logger::IsEarlyLoggingEnabled() && entry.Severity >= LogCritical) {
WindowsEventLogLogger::WriteToWindowsEventLog(entry);
}
#endif /* _WIN32 */
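Review bot: The new threshold `LogCritical` is hard-coded without a comment, so it is not obvious that during early logging everything below critical stops reaching the Windows event log, whatever console severity is configured. Operators who rely on the event log for startup diagnostics will want to know this. I would add a line such as `// Early startup: only critical entries go to the event log, to avoid flooding it (#9457).` above the condition. Log::~Log() begins outside this hunk.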
=====================================
lib/base/utility.hpp
=====================================
@@ -134,6 +134,10 @@ public:
static String CreateTempFile(const String& path, int mode, std::fstream& fp);
+#ifdef _WIN32
+ static int MksTemp(char *tmpl);
+#endif /* _WIN32 */
+
#ifdef _WIN32
static String GetIcingaInstallPath();
static String GetIcingaDataPath();
@@ -185,10 +189,6 @@ public:
private:
Utility();
-#ifdef _WIN32
- static int MksTemp (char *tmpl);
-#endif /* _WIN32 */
-
#ifdef I2_DEBUG
static double m_DebugTime;
#endif /* I2_DEBUG */
=====================================
lib/icingadb/icingadb-objects.cpp
=====================================
@@ -44,6 +44,8 @@ using namespace icinga;
using Prio = RedisConnection::QueryPriority;
+std::unordered_set<Type*> IcingaDB::m_IndexedTypes;
+
INITIALIZE_ONCE(&IcingaDB::ConfigStaticInitialize);
std::vector<Type::Ptr> IcingaDB::GetTypes()
@@ -74,6 +76,10 @@ std::vector<Type::Ptr> IcingaDB::GetTypes()
void IcingaDB::ConfigStaticInitialize()
{
+ for (auto& type : GetTypes()) {
+ m_IndexedTypes.emplace(type.get());
+ }
+
/* triggered in ProcessCheckResult(), requires UpdateNextCheck() to be called before */
Checkable::OnStateChange.connect([](const Checkable::Ptr& checkable, const CheckResult::Ptr& cr, StateType type, const MessageOrigin::Ptr&) {
IcingaDB::StateChangeHandler(checkable, cr, type);
@@ -2511,6 +2517,10 @@ void IcingaDB::SendCommandArgumentsChanged(const ConfigObject::Ptr& command, con
}
void IcingaDB::SendCustomVarsChanged(const ConfigObject::Ptr& object, const Dictionary::Ptr& oldValues, const Dictionary::Ptr& newValues) {
+ if (m_IndexedTypes.find(object->GetReflectionType().get()) == m_IndexedTypes.end()) {
+ return;
+ }
+
if (!m_Rcon || !m_Rcon->IsConnected() || oldValues == newValues) {
return;
}
@@ -2715,6 +2725,10 @@ void IcingaDB::VersionChangedHandler(const ConfigObject::Ptr& object)
{
Type::Ptr type = object->GetReflectionType();
+ if (m_IndexedTypes.find(type.get()) == m_IndexedTypes.end()) {
+ return;
+ }
+
if (object->IsActive()) {
// Create or update the object config
for (const IcingaDB::Ptr& rw : ConfigType::GetObjectsByType<IcingaDB>()) {
=====================================
lib/icingadb/icingadb.hpp
=====================================
@@ -21,6 +21,7 @@
#include <mutex>
#include <set>
#include <unordered_map>
+#include <unordered_set>
#include <utility>
namespace icinga
@@ -232,6 +233,8 @@ private:
// initialization, the value is read-only and can be accessed without further synchronization.
static String m_EnvironmentId;
static std::mutex m_EnvironmentIdInitMutex;
+
+ static std::unordered_set<Type*> m_IndexedTypes;
};
}
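Review bot: `m_IndexedTypes` is declared without a comment, while `m_EnvironmentId` just above documents its synchronization rule. Per the icingadb-objects.cpp hunks on this page, the set is filled once in ConfigStaticInitialize() from GetTypes() and afterwards only read in SendCustomVarsChanged() and VersionChangedHandler(). It also stores raw `Type*` obtained via `type.get()`. I would state that here, e.g. `// Filled once in ConfigStaticInitialize(), read-only afterwards; holds non-owning pointers to the types returned by GetTypes().` Whether a handler can run before that initialization depends on when INITIALIZE_ONCE fires, which is not visible here. The class declaration starts outside this hunk.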
=====================================
tools/selinux/icinga2.sh
=====================================
@@ -67,6 +67,7 @@ sepolicy manpage -p . -d icinga2_t
# Label the port 5665
/sbin/semanage port -a -t icinga2_port_t -p tcp 5665
+/sbin/semanage port -a -t redis_port_t -p tcp 6380
# Generate a rpm package for the newly generated policy
pwd=$(pwd)
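Review bot: The added `semanage port -a ... 6380` line has no comment, while the 5665 line above it does; something like `# Label the Icinga DB Redis port 6380 as redis_port_t` would say why it is there. `semanage port -a` reports an error when a definition for tcp/6380 already exists, so on a host where that port is already labelled the command will fail; whether that aborts the script depends on error handling outside this hunk. The label is system-wide, so every domain already permitted to connect to `redis_port_t` can also reach 6380 after this runs, which belongs in the policy notes.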
=====================================
tools/selinux/icinga2.te
=====================================
@@ -43,6 +43,7 @@ require {
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
type httpd_t; type system_mail_t;
+ type redis_t; type redis_var_run_t; type redis_port_t;
type devlog_t;
role staff_r;
attribute unreserved_port_type;
@@ -200,6 +201,14 @@ postgresql_tcp_connect(icinga2_t)
# graphite is using port 2003 which is lmtp_port_t
corenet_tcp_connect_lmtp_port(icinga2_t)
+# Allow icinga2 to connect to redis using unix domain sockets
+stream_connect_pattern(icinga2_t, redis_var_run_t, redis_var_run_t, redis_t)
+
+# Just like `redis_tcp_connect(icinga2_t)`, though this interface does not exist on centos7
+corenet_tcp_recvfrom_labeled(icinga2_t, redis_t)
+corenet_tcp_sendrecv_redis_port(icinga2_t)
+corenet_tcp_connect_redis_port(icinga2_t)
+
# This is for other feature that do not use a confined port
# or if you run one one with a non standard port.
tunable_policy(`icinga2_can_connect_all',`
=====================================
tools/win32/configure.ps1
=====================================
@@ -30,7 +30,7 @@ if (-not (Test-Path env:CMAKE_GENERATOR_PLATFORM)) {
}
}
if (-not (Test-Path env:OPENSSL_ROOT_DIR)) {
- $env:OPENSSL_ROOT_DIR = "c:\local\OpenSSL_1_1_1p-Win${env:BITS}"
+ $env:OPENSSL_ROOT_DIR = "c:\local\OpenSSL_1_1_1q-Win${env:BITS}"
}
if (-not (Test-Path env:BOOST_ROOT)) {
$env:BOOST_ROOT = "c:\local\boost_1_79_0-Win${env:BITS}"
View it on GitLab: https://salsa.debian.org/nagios-team/icinga2/-/commit/7e9e7370ac3a35291cdeeab58abb675c251f2083