From eb5112dd597336b566378b3a157e76fe3cbbbfee Mon Sep 17 00:00:00 2001
From: Thore Sommer <mail@thson.de>
Date: Mon, 16 Jan 2023 07:26:08 -0300
Subject: [PATCH 3/3] logging: remove option to log into separate file
The implementation had the issue that only the main loggers were added and that
the permissions were not set strict enough. Users should use the logging
provided by systemd instead.
Signed-off-by: Thore Sommer <mail@thson.de>
---
keylime.conf | 10 ----------
keylime/keylime_logging.py | 31 ------------------------------
scripts/templates/2.0/registrar.j2 | 9 ---------
scripts/templates/2.0/verifier.j2 | 9 ---------
4 files changed, 59 deletions(-)
diff --git a/keylime.conf b/keylime.conf
index d896f9f..043b6a8 100644
--- a/keylime.conf
+++ b/keylime.conf
@@ -342,11 +342,6 @@ tomtou_errors = False
# signature check before storing them in the database.
require_allow_list_signatures = False
-# Destination for log output, in addition to console. Values can be 'file',
-# with the file being named after the "service" - cloud_verifier - created under
-# /var/log/keylime), 'stream' or it can be left empty (which results in
-# logging to console only, recommended when running inside a container)
-log_destination = file
#=============================================================================
[tenant]
@@ -595,11 +590,6 @@ auto_migrate_db = True
# The file to use for SQLite persistence of provider hypervisor data.
prov_db_filename = provider_reg_data.sqlite
-# Destination for log output, in addition to console. Values can be 'file',
-# with the file being named after the "service" - registrar - created under
-# /var/log/keylime), 'stream' or it can be left empty (which results in
-# logging to console only, recommended when running inside a container)
-log_destination = file
#=============================================================================
[ca]
diff --git a/keylime/keylime_logging.py b/keylime/keylime_logging.py
index bc8a11d..f7c7a8f 100644
--- a/keylime/keylime_logging.py
+++ b/keylime/keylime_logging.py
@@ -1,17 +1,10 @@
import logging
-import os
from logging import Logger
from logging import config as logging_config
from typing import Any, Callable, Dict
from keylime import config
-LOG_TO_FILE = set()
-LOG_TO_STREAM = set()
-LOGDIR = os.getenv("KEYLIME_LOGDIR", "/var/log/keylime")
-# not clear that this works right. console logging may not work
-LOGSTREAM = os.path.join(LOGDIR, "keylime-stream.log")
-
logging_config.fileConfig(config.get_config("logging"))
@@ -50,31 +43,7 @@ def log_http_response(logger: Logger, loglevel: int, response_body: Dict[str, An
def init_logging(loggername: str) -> Logger:
-
- if loggername in ("verifier", "registrar"):
- logdest = config.get(loggername, "log_destination", fallback="")
- if logdest == "file":
- LOG_TO_FILE.add(loggername)
- if logdest == "stream":
- LOG_TO_STREAM.add(loggername)
-
logger = logging.getLogger(f"keylime.{loggername}")
logging.getLogger("requests").setLevel(logging.WARNING)
- mainlogger = logging.getLogger("keylime")
- basic_formatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
- if loggername in LOG_TO_FILE:
- logfilename = os.path.join(LOGDIR, f"{loggername}.log")
- if not os.path.exists(LOGDIR):
- os.makedirs(LOGDIR, 0o750)
- fh = logging.FileHandler(logfilename)
- fh.setLevel(logger.getEffectiveLevel())
- fh.setFormatter(basic_formatter)
- mainlogger.addHandler(fh)
-
- if loggername in LOG_TO_STREAM:
- fh = logging.FileHandler(filename=LOGSTREAM, mode="w")
- fh.setLevel(logger.getEffectiveLevel())
- fh.setFormatter(basic_formatter)
- mainlogger.addHandler(fh)
return logger
diff --git a/scripts/templates/2.0/registrar.j2 b/scripts/templates/2.0/registrar.j2
index 3d92303..8de7a50 100644
--- a/scripts/templates/2.0/registrar.j2
+++ b/scripts/templates/2.0/registrar.j2
@@ -71,12 +71,3 @@ auto_migrate_db = {{ registrar.auto_migrate_db }}
# The file to use for SQLite persistence of provider hypervisor data.
prov_db_filename: {{ registrar.prov_db_filename }}
-
-# Destination for log output, in addition to console. If left empty, the log
-# output will only be printed to console (recommended for containers to avoid
-# filling data storage). The accepted values are:
-# 'file': The log output will also be written to a file named after the
-# component in '/var/log/keylime/registrar.log'
-# 'stream': The log output will be written to a common file in
-# 'var/log/keylime/keylime-stream.log'
-log_destination = {{ registrar.log_destination }}
diff --git a/scripts/templates/2.0/verifier.j2 b/scripts/templates/2.0/verifier.j2
index d1584df..7a66cb1 100644
--- a/scripts/templates/2.0/verifier.j2
+++ b/scripts/templates/2.0/verifier.j2
@@ -196,12 +196,3 @@ zmq_port = {{ verifier.zmq_port }}
# Webhook url for revocation notifications.
webhook_url = {{ verifier.webhook_url }}
-
-# Destination for log output, in addition to console. If left empty, the log
-# output will only be printed to console (recommended for containers to avoid
-# filling data storage). The accepted values are:
-# 'file': The log output will also be written to a file named after the
-# component in '/var/log/keylime/verifier.log'
-# 'stream': The log output will be written to a common file in
-# 'var/log/keylime/keylime-stream.log'
-log_destination = {{ verifier.log_destination }}
--
2.38.1