|
|
|
|
Some time around the 15.04 release, a policy change was made to quit making some logging persistent by default.
A number of users did not realize there was a policy change until they went to debug something that happened on a previous boot, only to find the logs were missing. Some of these user responses are captured in the bug report below [1], which prompted this policy discussion.
The change was made because of the introduction of systemd and the introduction of the `systemd journal` in addition to the existing `rsyslog`.
The concern about making the systemd journal persistent by default is that some logs could end up duplicated between the systemd journald and rsyslog, along with disk space and performance concerns of the additional logging.
On the other hand, having systemd journal logs persist seems to be a safer option: It a malicious app could cause or entice a reboot, it could erase logs of it's earlier activity. Also, deleting key logs at shutdown breaks a decades-log precedent of system logs persisting through reboots.
The compromise option seems to be make the systemd journal persistent by default, but minimize the amount of logging that is sent to both rsyslog and systemd to mitigate resource considerations of duplicate logging.
So the policy question here is: should the systemd journal be persistent by default?
Mark
--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
|
|
I fully understand the need to minimize redundancy and performance degradation that this incurs, which you don't want on every desktop or embedded system. But for production or test servers, this could prove invaluable (I work in a high volume system validation lab where system crashes are the norm).
My suggestion (at least for existing releases) is to document the process for enabling persistent logging from the commandline, as this will allow sysadmins to easily implement it for post reboot reviews on a selective basis. Having it documented in a central location that is easily searched in google helps new sysadmins that would otherwise have to wade through tons of documentation and google searches of irrelevant information (sorry, not volunteering for this - too busy).
For 18.04, maybe a separate package or a package install prompt during installation (similar to unattended-updates) could be implemented.
Just my suggestion.
Tobin Davis, Lab Engineer Intel Corp --
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
|
|
Hi Mark,
On Tue, Nov 07, 2017 at 08:11:27PM +0000, Mark Stosberg wrote:
> Some time around the 15.04 release, a policy change was made to quit
> making some logging persistent by default.
To help me understand the problem, exactly what logging was persistent
previously, and isn't persistent now? Can you please give us an example?
Thanks,
Robie
--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
|
|
Hi Ryan,
On Mon, Nov 13, 2017 at 09:33:14AM -0600, Ryan Harper wrote:
> On Mon, Nov 13, 2017 at 2:27 AM, Robie Basak < [hidden email]> wrote:
>
> > On Tue, Nov 07, 2017 at 08:11:27PM +0000, Mark Stosberg wrote:
> > > Some time around the 15.04 release, a policy change was made to quit
> > > making some logging persistent by default.
> >
> > To help me understand the problem, exactly what logging was persistent
> > previously, and isn't persistent now? Can you please give us an example?
> >
>
> Any data in systemd-journal that is not flush to /var/log/* is gone
> forever on power fail due
> to the journal being hosted on ephemeral tmpfs (/run/log/journal);
I understand that part, but that doesn't really answer my question. Mark
said that some logging that was persistent is no longer persistent - in
other words, that there has been a regression.
So what exactly is only going to the systemd journal now (and thus not
being persisted) that was being saved somewhere persistently before?
--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
|
|
On Tue, Nov 07, 2017 at 08:11:27PM +0000, Mark Stosberg wrote:
> Some time around the 15.04 release, a policy change was made to quit
> making some logging persistent by default.
To help me understand the problem, exactly what logging was persistent
previously, and isn't persistent now? Can you please give us an example?
Robie,
"For a standard Ubuntu Maverick (10.10) system, the output will be sent to file /var/log/daemon.log, whilst on newer Ubuntu systems such as Ubuntu Natty (11.04), the output will be directed to file /var/log/syslog."
In turn, I understand that "syslog" logging has been persistent-by-default per years.
It seems that with the switch to systemd as the init system, the logging that originates from the init system became not-persistent by default.
The linked issue had examples of users who expected to find details about service logging or boot logging from a previous boot which was not found, when it would have existed under Upstart.
Mark --
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
|
|
On Mon, Nov 13, 2017 at 03:50:20PM +0000, Robie Basak wrote:
>
> So what exactly is only going to the systemd journal now (and thus not
> being persisted) that was being saved somewhere persistently before?
Hi Robie --
I think the closest corollary to "what has regressed" that you asked,
is /var/log/upstart from trusty -> xenial. These files often contained
early error messages from service startup that did not yet get to the
point of logging to syslog.
Similar messages show up in the journal.
--
David Britton < [hidden email]>
--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
|
|
On Mon, 2017-11-13 at 16:12 +0000, Mark Stosberg wrote:
> *"For a standard Ubuntu Maverick (10.10) system, the output will be
> sent to file /var/log/daemon.log, whilst on newer Ubuntu systems
> such as Ubuntu Natty (11.04), the output will be directed to file
> /var/log/syslog."*
>
> In turn, I understand that "syslog" logging has been persistent-by-
> default per years.
>
> It seems that with the switch to systemd as the init system, the
> logging that originates from the init system became not-persistent by
> default.
$ grep -c 'systemd\[1\]:' /var/log/syslog
39
It's still there...
--
Jan Claeys
--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
|
|
Jan,
As noted in the linked bug report, there are some logs which are uniquely stored in the systemd journal, the journal is not persistent-by-default, and data loss is occurring as a default behavior. On Mon, 2017-11-13 at 16:12 +0000, Mark Stosberg wrote:
> *"For a standard Ubuntu Maverick (10.10) system, the output will be
> sent to file /var/log/daemon.log, whilst on newer Ubuntu systems
> such as Ubuntu Natty (11.04), the output will be directed to file
> /var/log/syslog."*
>
> In turn, I understand that "syslog" logging has been persistent-by-
> default per years.
>
> It seems that with the switch to systemd as the init system, the
> logging that originates from the init system became not-persistent by
> default.
$ grep -c 'systemd\[1\]:' /var/log/syslog
39
It's still there...
--
Jan Claeys
--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
|
|
On Fri, 2017-11-17 at 17:10 +0000, Mark Stosberg wrote:
> As noted in the linked bug report, there are some logs which are
> uniquely stored in the systemd journal, the journal is not
> persistent-by-default, and data loss is occurring as a default
> behavior.
AFAICT rsyslogd wasn't special-cased in the upstart days, meaning it
would get killed with other upstart services in semi-random order, so
it never was able to log the very last messages. It would get killed
after most services that were defined by a SysV init script though.
I'm not sure how much of a regression there really is; it would depend
on how early rsyslogd gets killed now...
If journald uses some specific configuration/dependency to always be
stopped as late as possible, then maybe that can be applied to the
rsyslogd unit too, so that they get killed virtually together (or even
rsyslogd last, if that's possible). That could solve your issue in
current releases even?
--
Jan Claeys
--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
|
|
Locked
signature.asc (836 bytes)