From 8c423106341a69de4d6967008c389ef3f3ec39bd Mon Sep 17 00:00:00 2001
From: Matthew Kocher
Date: Sat, 13 Jun 2026 13:44:41 -0700
Subject: [PATCH] use bpm to run blackbox
The Resolute Raccoon stemcell removes `runit` which provies chpst which was used in the blackbox start script to not run as root. Moving to BPM fixes this, as well as provides an enhanced security posture.
---
jobs/syslog_forwarder/monit | 6 +-
jobs/syslog_forwarder/spec | 2 +-
.../templates/blackbox_ctl.erb | 48 -------------------
jobs/syslog_forwarder/templates/bpm.yml.erb | 20 ++++++++
.../templates/syslog.apparmor.erb | 3 ++
scripts/test | 1 +
tests/acceptance_test.go | 11 +++++
tests/boshhelpers_test.go | 8 ++++
tests/manifests/blackbox-unpriv.yml | 4 ++
tests/manifests/broken-rules.yml | 4 ++
tests/manifests/debug-filtering.yml | 4 ++
tests/manifests/disabled-no-config.yml | 4 ++
tests/manifests/disabled.yml | 4 ++
tests/manifests/environment-identifier.yml | 4 ++
tests/manifests/good-rules.yml | 4 ++
tests/manifests/relp-tls.yml | 4 ++
tests/manifests/tcp-blackbox.yml | 4 ++
tests/manifests/tls-forwarding-mtls.yml | 4 ++
tests/manifests/tls-forwarding.yml | 4 ++
tests/manifests/udp-blackbox.yml | 4 ++
tests/manifests/vcap-filtering.yml | 4 ++
21 files changed, 99 insertions(+), 52 deletions(-)
delete mode 100644 jobs/syslog_forwarder/templates/blackbox_ctl.erb
create mode 100644 jobs/syslog_forwarder/templates/bpm.yml.erb
diff --git a/jobs/syslog_forwarder/monit b/jobs/syslog_forwarder/monit
index c0ef6578c..612fc79a8 100644
--- a/jobs/syslog_forwarder/monit
+++ b/jobs/syslog_forwarder/monit
@@ -1,9 +1,9 @@
 <% unless p('syslog.migration.disabled') %>
 <% if p('syslog.forward_files') %>
 check process blackbox
- with pidfile /var/vcap/sys/run/syslog_forwarder/blackbox/blackbox.pid
- start program "/var/vcap/jobs/syslog_forwarder/bin/blackbox_ctl start"
- stop program "/var/vcap/jobs/syslog_forwarder/bin/blackbox_ctl stop"
+ with pidfile /var/vcap/sys/run/bpm/syslog_forwarder/blackbox.pid
+ start program "/var/vcap/jobs/bpm/bin/bpm start syslog_forwarder -p blackbox"
+ stop program "/var/vcap/jobs/bpm/bin/bpm stop syslog_forwarder -p blackbox"
 group vcap
 <% end %>
 <% end %>
diff --git a/jobs/syslog_forwarder/spec b/jobs/syslog_forwarder/spec
index b8d9f5c7d..402f04fac 100644
--- a/jobs/syslog_forwarder/spec
+++ b/jobs/syslog_forwarder/spec
@@ -2,7 +2,7 @@
 name: syslog_forwarder
 templates:
- blackbox_ctl.erb: bin/blackbox_ctl
+ bpm.yml.erb: config/bpm.yml
 blackbox_config.yml.erb: config/blackbox_config.yml
 ca_cert.pem.erb: config/ca_cert.pem
 client.crt.erb: config/client.crt
diff --git a/jobs/syslog_forwarder/templates/blackbox_ctl.erb b/jobs/syslog_forwarder/templates/blackbox_ctl.erb
deleted file mode 100644
index be95ad29c..000000000
--- a/jobs/syslog_forwarder/templates/blackbox_ctl.erb
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/bash
-# vim: set ft=sh
-
-set -e
-
-RUN_DIR=/var/vcap/sys/run/syslog_forwarder/blackbox
-LOG_DIR=/var/vcap/sys/log/syslog_forwarder/blackbox
-PIDFILE=$RUN_DIR/blackbox.pid
-CONFIG_FILE=/var/vcap/jobs/syslog_forwarder/config/blackbox_config.yml
-
-case $1 in
-
- start)
- mkdir -p $RUN_DIR
- chown -R vcap:vcap $RUN_DIR
-
- mkdir -p $LOG_DIR
- chown -R root:root $LOG_DIR
-
- echo $$ > $PIDFILE
-
- <% unless p('syslog.respect_file_permissions') %>
- setcap cap_dac_read_search+ep /var/vcap/packages/blackbox/bin/blackbox
- <% end %>
- <% if p('syslog.blackbox.limit_cpu') %>
- export GOMAXPROCS=1
- <% end %>
-
- exec chpst -u syslog:vcap /var/vcap/packages/blackbox/bin/blackbox \
- -config=$CONFIG_FILE \
- 1>>$LOG_DIR/blackbox.stdout.log \
- 2>>$LOG_DIR/blackbox.stderr.log
-
- ;;
-
- stop)
- if [ -f $PIDFILE ]; then
- kill -9 `cat $PIDFILE` || true
- rm -f $PIDFILE
- fi
- ;;
-
- *)
- echo "Usage: $0 {start|stop}"
-
- ;;
-
-esac
diff --git a/jobs/syslog_forwarder/templates/bpm.yml.erb b/jobs/syslog_forwarder/templates/bpm.yml.erb
new file mode 100644
index 000000000..32827d178
--- /dev/null
+++ b/jobs/syslog_forwarder/templates/bpm.yml.erb
@@ -0,0 +1,20 @@
+<% unless p('syslog.migration.disabled') || !p('syslog.forward_files') -%>
+processes:
+- name: blackbox
+ executable: /var/vcap/packages/blackbox/bin/blackbox
+ args:
+ - -config=/var/vcap/jobs/syslog_forwarder/config/blackbox_config.yml
+<% unless p('syslog.respect_file_permissions') -%>
+ capabilities:
+ - DAC_READ_SEARCH
+<% end -%>
+<% if p('syslog.blackbox.limit_cpu') -%>
+ env:
+ GOMAXPROCS: "1"
+<% end -%>
+ unsafe:
+ unrestricted_volumes:
+ - path: <%= p("syslog.blackbox.source_dir") %>
+ writable: false
+ mount_only: true
+<% end -%>
diff --git a/jobs/syslog_storer/templates/syslog.apparmor.erb b/jobs/syslog_storer/templates/syslog.apparmor.erb
index e3d4af246..723f1d2c0 100644
--- a/jobs/syslog_storer/templates/syslog.apparmor.erb
+++ b/jobs/syslog_storer/templates/syslog.apparmor.erb
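Review bot: The `unsafe:` / `unrestricted_volumes:` stanza in the new bpm.yml.erb is the single place this config opts out of bpm's mount isolation, and nothing in the template says why; a comment above `unsafe:` such as `# blackbox tails other jobs' logs, which sit outside this job's own mounts; expose the source tree read-only and mount-only` would record what is being granted and why `writable: false` and `mount_only: true` must stay. Two behavioural differences against the deleted blackbox_ctl.erb also deserve a note in the spec property descriptions, since the hunk does not record them: the old script ran the binary as `syslog:vcap` via chpst, whereas bpm (as far as I know) runs every process as `vcap`, so under `syslog.respect_file_permissions` any file permissions granted to the `syslog` user no longer apply; and stdout/stderr previously went to `/var/vcap/sys/log/syslog_forwarder/blackbox/`, while bpm writes them to its own per-process log path, which may break whatever collected the old files. Both are inferred from the two templates, so please confirm against the bpm release docs before documenting.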
@@ -1,3 +1,6 @@
 # syslog_storer rules
+ /var/vcap/data/jobs/syslog_storer/*/config/* r,
+ /var/vcap/jobs/syslog_storer/config/* r,
+ /var/vcap/data/syslog_storer/** rw,
 /var/vcap/store/syslog_storer/ rw,
 /var/vcap/store/syslog_storer/** rw,
\ No newline at end of file
diff --git a/scripts/test b/scripts/test
index d818a7a0d..348320f5b 100755
--- a/scripts/test
+++ b/scripts/test
@@ -9,6 +9,7 @@ pushd "$(dirname "$0")/.."
 bosh upload-release
 popd
+bosh upload-release https://bosh.io/d/github.com/cloudfoundry/bpm-release
 bosh upload-stemcell "https://bosh.io/d/stemcells/bosh-google-kvm-${STEMCELL_OS}-go_agent"
 pushd "$(dirname "$0")/../tests"
diff --git a/tests/acceptance_test.go b/tests/acceptance_test.go
index d3b19abf5..68345e823 100644
--- a/tests/acceptance_test.go
+++ b/tests/acceptance_test.go
@@ -127,6 +127,17 @@ var _ = Describe("Forwarding loglines to a TCP syslog drain", func() {
 })
 })
+ Context("when a file is created in a different job's log directory", func() {
+ BeforeEach(func() {
+ session := ForwarderSshCmd("sudo mkdir -p /var/vcap/sys/log/other-job && sudo chmod 777 /var/vcap/sys/log/other-job && sudo touch /var/vcap/sys/log/other-job/app.log")
+ Eventually(session).Should(gexec.Exit(0))
+ })
+
+ It("forwards new lines written to the file through syslog", func() {
+ Eventually(WriteToOtherJobTestFile("test-other-job-forwarding")).Should(gbytes.Say("test-other-job-forwarding"))
+ })
+ })
+
 It("has a valid config", func() {
 session := ForwarderSshCmd("sudo rsyslogd -N1")
 Eventually(session).Should(gexec.Exit(0))
diff --git a/tests/boshhelpers_test.go b/tests/boshhelpers_test.go
index 482181092..b04fff3e6 100644
--- a/tests/boshhelpers_test.go
+++ b/tests/boshhelpers_test.go
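Review bot: The new `/var/vcap/data/syslog_storer/** rw,` rule grants read-write over the entire syslog_storer data directory, which is much broader than the two read-only config rules added beside it; if rsyslog only needs a particular subtree there (a work-queue or state directory, say), naming that path keeps the profile at least privilege. This file belongs to syslog_storer, not the forwarder whose bpm migration the commit describes, and nothing in the hunk says what made the three rules necessary, so a one-line comment over each (e.g. `# config and data paths required since <reason — TODO fill in>`) would help the next person who has to widen or narrow this profile.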
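Review bot: `bosh upload-release https://bosh.io/d/github.com/cloudfoundry/bpm-release` uploads whatever bpm version bosh.io serves at run time, with no version pin and no checksum, so the acceptance suite is not reproducible and a changed or tampered artifact would be accepted silently; pin it, e.g. `bosh upload-release "https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=<BPM_VERSION>" --sha1 <RELEASE_SHA1>` (placeholders to be filled from the chosen release). The same applies to the `version: latest` entries added for bpm in every tests/manifests/*.yml hunk that follows, from blackbox-unpriv.yml through vcap-filtering.yml; those should name the same pinned version so the deployed bpm matches what the script uploaded.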
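Review bot: The BeforeEach of the new Context leaves `/var/vcap/sys/log/other-job` world-writable (`chmod 777`) and `app.log` in place on the forwarder VM with no matching AfterEach, so every later spec in this Describe, and any repeat run of the suite, sees a log tree the fixture has already altered. An `AfterEach` running `ForwarderSshCmd("sudo rm -rf /var/vcap/sys/log/other-job")` would restore it, and since both the `touch` here and the `tee -a` in WriteToOtherJobTestFile run under sudo, a `0755` directory appears sufficient for the read-only access blackbox needs. The enclosing Describe starts and ends outside the hunk.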
@@ -128,6 +128,14 @@ func WriteToTestFile(message string) func() *gexec.Session {
 }
 }
+func WriteToOtherJobTestFile(message string) func() *gexec.Session {
+ return func() *gexec.Session {
+ session := ForwarderSshCmd(fmt.Sprintf("echo %s | sudo tee -a /var/vcap/sys/log/other-job/app.log", message))
+ Eventually(session).Should(gexec.Exit(0))
+ return ForwarderLog()
+ }
+}
+
 func WriteToPrivateTestFile(message string) func() *gexec.Session {
 return func() *gexec.Session {
 session := ForwarderSshCmd(fmt.Sprintf("sudo bash -c '"+
diff --git a/tests/manifests/blackbox-unpriv.yml b/tests/manifests/blackbox-unpriv.yml
index 0855ba07f..3f12902b0 100644
--- a/tests/manifests/blackbox-unpriv.yml
+++ b/tests/manifests/blackbox-unpriv.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/broken-rules.yml b/tests/manifests/broken-rules.yml
index ac85fdd2c..bfc488faa 100644
--- a/tests/manifests/broken-rules.yml
+++ b/tests/manifests/broken-rules.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/debug-filtering.yml b/tests/manifests/debug-filtering.yml
index a3c8b2c07..297dee81e 100644
--- a/tests/manifests/debug-filtering.yml
+++ b/tests/manifests/debug-filtering.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
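Review bot: `fmt.Sprintf("echo %s | sudo tee -a /var/vcap/sys/log/other-job/app.log", message)` in WriteToOtherJobTestFile splices `message` into a shell command line unquoted, so a message containing whitespace, quotes or `$` would alter the command instead of the file content; the helper is test-only, but single-quoting the argument, `"echo '%s' | sudo tee -a /var/vcap/sys/log/other-job/app.log"`, keeps the fixture honest for any message without single quotes. It appears to mirror WriteToTestFile directly above, whose body lies outside the hunk, so if that helper has the same shape the two could be corrected together.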
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/disabled-no-config.yml b/tests/manifests/disabled-no-config.yml
index 9997ea9a7..ac9526c3f 100644
--- a/tests/manifests/disabled-no-config.yml
+++ b/tests/manifests/disabled-no-config.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/disabled.yml b/tests/manifests/disabled.yml
index 60c66cb22..0230fec91 100644
--- a/tests/manifests/disabled.yml
+++ b/tests/manifests/disabled.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/environment-identifier.yml b/tests/manifests/environment-identifier.yml
index 01d4ab910..8f8579205 100644
--- a/tests/manifests/environment-identifier.yml
+++ b/tests/manifests/environment-identifier.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/good-rules.yml b/tests/manifests/good-rules.yml
index df36dc55b..20c8a881d 100644
--- a/tests/manifests/good-rules.yml
+++ b/tests/manifests/good-rules.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/relp-tls.yml b/tests/manifests/relp-tls.yml
index 01a34b960..9912c8888 100644
--- a/tests/manifests/relp-tls.yml
+++ b/tests/manifests/relp-tls.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/tcp-blackbox.yml b/tests/manifests/tcp-blackbox.yml
index 0dc3b61a7..dbce6208a 100644
--- a/tests/manifests/tcp-blackbox.yml
+++ b/tests/manifests/tcp-blackbox.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/tls-forwarding-mtls.yml b/tests/manifests/tls-forwarding-mtls.yml
index 4ea3e74e6..d72fd7482 100644
--- a/tests/manifests/tls-forwarding-mtls.yml
+++ b/tests/manifests/tls-forwarding-mtls.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/tls-forwarding.yml b/tests/manifests/tls-forwarding.yml
index 7a429ede0..b4cf8fc23 100644
--- a/tests/manifests/tls-forwarding.yml
+++ b/tests/manifests/tls-forwarding.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties:
diff --git a/tests/manifests/udp-blackbox.yml b/tests/manifests/udp-blackbox.yml
index 0cebf772d..769d49710 100644
--- a/tests/manifests/udp-blackbox.yml
+++ b/tests/manifests/udp-blackbox.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 - name: storer
diff --git a/tests/manifests/vcap-filtering.yml b/tests/manifests/vcap-filtering.yml
index 1876a1ce6..25c7c2685 100644
--- a/tests/manifests/vcap-filtering.yml
+++ b/tests/manifests/vcap-filtering.yml
@@ -3,6 +3,8 @@ name: ((deployment))
 releases:
 - name: syslog
 version: latest
+ - name: bpm
+ version: latest
 stemcells:
 - alias: default
 os: ((stemcell-os))
@@ -17,6 +19,8 @@ instance_groups:
 azs:
 - z1
 jobs:
+ - name: bpm
+ release: bpm
 - name: syslog_forwarder
 release: syslog
 properties: