From: "Max R. Carrara" <m.carrara@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-manager stable-8 v1 1/1] pve8to9: check if unit 'systemd-journald-audit.socket' is active
Date: Fri, 08 Aug 2025 13:16:33 +0200
Message-ID: <DBX05DZ7D62C.2JBHO2ADYNXGM@proxmox.com>
In-Reply-To: <1754640697.7ckwfmmiat.astroid@yuna.none>
On Fri Aug 8, 2025 at 10:15 AM CEST, Fabian Grünbichler wrote:
> On August 4, 2025 6:25 pm, Max R. Carrara wrote:
> > ... and display a `log_notice()` to the user if it is in order to
> > inform them about audit messages being logged during the upgrade,
> > as well as suggesting that they stop and disable the unit before
> > the upgrade.
> >
> > In Debian Bookworm and earlier, audit messages were not logged by
> > default [0], whereas the unit was active by default. This was changed
> > in between Bookworm and Trixie; the patch that changed the default was
> > dropped [1], whereas the unit is now disabled.
> >
> > This means that the unit will remain active during the upgrade, which
> > will in turn cause a lot of audit message log spam.
>
> so this will warn about something that happens on every system(!), but
> is only relevant for the duration of the upgrade and just makes the logs
> more noisy?
>
> I am not sure that tradeoff is worth it, it is already noted in the
> upgrade guide, so people who read that will do it proactively anyway,
> and people who notice it during the upgrade can check there as well and
> see that it's a non-issue..
Hmm yeah, I see your point...
>
> or maybe we could move it to `--full`?
No, I think it's fine to drop it then. It's in the upgrade guide and a
relatively benign thing anyway. :P
>
> adding too many warnings (and lines in general) makes it much easier to
> miss actually relevant things..
>
> in particular, after the upgrade is done it makes no sense to check this
> anymore, since the next step will be a reboot that gets rid of the
> excessive logging anyway..
^ especially because of that.
Also, I haven't seen any forum posts actually complain about the audit
log spam, so I guess it really is a non-issue.
>
> >
> > [0]: https://salsa.debian.org/systemd-team/systemd/-/commit/07daa6196f9c92be8a0f552b1416576e80d054dc
> > [1]: https://salsa.debian.org/systemd-team/systemd/-/commit/7c6ea97a1d7e438e6621c3b97ce472754fd3db43
> >
> > Signed-off-by: Max R. Carrara <m.carrara@proxmox.com>
> > ---
> > PVE/CLI/pve8to9.pm | 51 ++++++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 51 insertions(+)
> >
> > diff --git a/PVE/CLI/pve8to9.pm b/PVE/CLI/pve8to9.pm
> > index 426fa8a6..bd300d89 100644
> > --- a/PVE/CLI/pve8to9.pm
> > +++ b/PVE/CLI/pve8to9.pm
> > @@ -2129,6 +2129,56 @@ sub check_legacy_sysctl_conf {
> > log_pass("Legacy file '$fn' exists but does not contain any settings.");
> > }
> >
> > +sub check_journald_audit_socket {
> > + my $unit = 'systemd-journald-audit.socket';
> > +
> > + log_info("Checking whether systemd unit '$unit' is active...");
> > +
> > + my ($res_is_enabled, $res_is_active) = (undef, undef);
> > +
> > + eval {
> > + run_command(
> > + ['systemctl', 'is-enabled', "$unit"],
> > + outfunc => sub {
> > + ($res_is_enabled) = @_;
> > + chomp $res_is_enabled;
> > + },
> > + noerr => 1,
> > + );
> > + };
> > +
> > + eval {
> > + run_command(
> > + ['systemctl', 'is-active', "$unit"],
> > + outfunc => sub {
> > + ($res_is_active) = @_;
> > + chomp $res_is_active;
> > + },
> > + noerr => 1,
> > + );
> > + };
> > +
> > + if (!defined($res_is_enabled) || !defined($res_is_active) || $res_is_enabled eq 'not-found') {
> > + log_skip("Unit '$unit' not found");
> > + return undef;
> > + }
> > +
> > + my $msg =
> > + "Unit '$unit' is '$res_is_enabled' and '$res_is_active' - to prevent an excessive amount of"
> > + . " audit messages being logged during the upgrade, it is recommended to stop and disable"
> > + . " '$unit' beforehand."
> > + . "\nThis can be achieved by running the following command:"
> > + . "\n\n\tsystemctl disable --now $unit\n";
> > +
> > + if ($res_is_enabled eq 'enabled' || $res_is_active eq 'active') {
> > + log_notice($msg);
> > + return undef;
> > + }
> > +
> > + log_pass("Unit '$unit' is '$res_is_enabled' and '$res_is_active'");
> > + return undef;
> > +}
> > +
> > sub check_misc {
> > print_header("MISCELLANEOUS CHECKS");
> > my $ssh_config = eval { PVE::Tools::file_get_contents('/root/.ssh/config') };
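Review bot: The two `eval` blocks around `run_command(..., noerr => 1)` swallow `$@` without logging it, so if `systemctl` itself cannot be executed both results stay undef and the check falls into the `log_skip("Unit '$unit' not found")` branch, which misreports the situation; with `noerr => 1` a non-zero exit status no longer dies, so either drop the `eval` or log `$@` when it is set before skipping. Two smaller points: `"$unit"` inside the command arrays can be plain `$unit`, and `return undef;` returns a one-element list in list context, so a bare `return;` is the safer idiom.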
> > @@ -2225,6 +2275,7 @@ sub check_misc {
> > check_rrd_migration();
> > check_legacy_ipam_files();
> > check_legacy_sysctl_conf();
> > + check_journald_audit_socket();
> > }
> >
> > my sub colored_if {
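Review bot: `check_journald_audit_socket();` is wired into `check_misc` unconditionally, so the notice is printed on every host where the socket is still enabled or active, including runs after the upgrade has finished when, as the thread notes, the pending reboot makes it moot. If the check is kept at all, consider restricting it to `--full` as suggested above so it does not add noise to the default output.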
> > --
> > 2.39.5
> >
> >
> >
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel@lists.proxmox.com
> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel