[PVE-User] Upgrade to PVE8, logcheck, error on journalctl...

[PVE-User] Upgrade to PVE8, logcheck, error on journalctl...

[Marco Gaiarin]

I extensively use 'logcheck' on my servers.

I've just upgrade a server to PVE8 (a little test standalone server) and
logcheck start complain:

 Logcheck failed: Your log entries may not have been checked.
 
 Details:
 Could not run journalctl or save output
 
 To identify the cause you may wish to:
 - Check temporary directory: /tmp/logcheck.N0YsPV
 
 - verify that the logcheck user can read all
 logfiles specified in;
   /etc/logcheck/logcheck.logfiles
   /etc/logcheck/logcheck.logfiled.d/*.logfiles

i've tried:

 root@lisei:/etc/logcheck# su -s /bin/bash - logcheck
 logcheck@lisei:~$ journalctl 
 No journal files were opened due to insufficient permissions.

but:

 root@lisei:/etc/logcheck# id logcheck
 uid=112(logcheck) gid=118(logcheck) groups=118(logcheck),4(adm)

so logcheck user seems have correct permission.


I've upgraded some plain debian VMs and containers to Bookworm, and i've not
hit troubles on logcheck. So seems something PVE specific...


Someone can help me? Thanks.

-- 



_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user

Re: [PVE-User] Upgrade to PVE8, logcheck, error on journalctl...

[Alwin Antreich via pve-user]

[-- Attachment #1: Type: message/rfc822, Size: 4918 bytes --]

From: Alwin Antreich <alwin@antreich.com>
Cc: pve-user@lists.proxmox.com
Subject: Re: [PVE-User] Upgrade to PVE8, logcheck, error on journalctl...
Date: Thu, 15 Aug 2024 09:28:44 +0200
Message-ID: <E8672964-2E25-454C-944E-B8E151F70DE2@antreich.com>

On August 12, 2024 5:52:09 PM GMT+02:00, Marco Gaiarin <gaio@lilliput.linux.it> wrote:
>
>I extensively use 'logcheck' on my servers.
>
>I've just upgrade a server to PVE8 (a little test standalone server) and
>logcheck start complain:
>
> Logcheck failed: Your log entries may not have been checked.
> 
> Details:
> Could not run journalctl or save output
> 
> To identify the cause you may wish to:
> - Check temporary directory: /tmp/logcheck.N0YsPV
> 
> - verify that the logcheck user can read all
> logfiles specified in;
>   /etc/logcheck/logcheck.logfiles
>   /etc/logcheck/logcheck.logfiled.d/*.logfiles
>
>i've tried:
>
> root@lisei:/etc/logcheck# su -s /bin/bash - logcheck
> logcheck@lisei:~$ journalctl 
> No journal files were opened due to insufficient permissions.
>
>but:
>
> root@lisei:/etc/logcheck# id logcheck
> uid=112(logcheck) gid=118(logcheck) groups=118(logcheck),4(adm)
>
>so logcheck user seems have correct permission

Did you already look at apparmor, might it be blocked by it? You should see that in the dmesg.

Cheers,
Alwin

Hi Marco,


[-- Attachment #2: Type: text/plain, Size: 157 bytes --]

_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user

Re: [PVE-User] Upgrade to PVE8, logcheck, error on journalctl...

[Marco Gaiarin]

Mandi! Alwin Antreich via pve-user
  In chel di` si favelave...

> Did you already look at apparmor, might it be blocked by it? You should see that in the dmesg.

No, nothing in logs...

-- 



_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user

Re: [PVE-User] Upgrade to PVE8, logcheck, error on journalctl...

[Alwin Antreich via pve-user]

[-- Attachment #1: Type: message/rfc822, Size: 4804 bytes --]

From: "Alwin Antreich" <alwin@antreich.com>
To: gaio@lilliput.linux.it
Cc: pve-user@lists.proxmox.com
Subject: Re: [PVE-User] Upgrade to PVE8, logcheck, error on journalctl...
Date: Mon, 19 Aug 2024 05:35:20 +0000
Message-ID: <71a3501c3734603857ff73e84dd1ab3683cbc0a2@antreich.com>

Hi Marco,



August 18, 2024 at 9:58 PM, "Marco Gaiarin" <gaio@lilliput.linux.it> wrote:



> 
> Mandi! Alwin Antreich via pve-user
>  In chel di` si favelave...
> 
> > 
> > Did you already look at apparmor, might it be blocked by it? You should see that in the dmesg.
> > 
> No, nothing in logs...
> 
Then, the user logcheck is running as really can't access the journal from the system, as it has no permission. Like the error message says.  
For the permission you need to use systemd-journal, it has changed since Debian 8 (Jessie). Members of this group can use the command journalctl and read log files of systemd (in /var/log/journal).

Maybe you also have a look at journalcheck instead? It seems to be a replacement for logcheck.

Cheers,
Alwin

[-- Attachment #2: Type: text/plain, Size: 157 bytes --]

_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user

Re: [PVE-User] Upgrade to PVE8, logcheck, error on journalctl...

[Marco Gaiarin]

Mandi! Alwin Antreich
  In chel di` si favelave...

> Then, the user logcheck is running as really can't access the journal from the
> system, as it has no permission. Like the error message says. 
> For the permission you need to use systemd-journal, it has changed since Debian
> 8 (Jessie). Members of this group can use the command journalctl and read log
> files of systemd (in /var/log/journal).

The problem is exactly that. 'logcheck' is a member of group 'adm', and in
'plain' Debian 12 can access journal, in PVE 8 no.

So, seems a specific 'PVE bug'; the apparmor hint was a good hint (because
AFAIK Debian does not enable apparmor by default), but seems not that...


> Maybe you also have a look at journalcheck instead? It seems to be a
> replacement for logcheck.

You meant this?:
	https://github.com/lynix/journalcheck

seems not just packaged... and logcheck support journal!

-- 


_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user