vrp: allow supervisord to open its log file #14066
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Change the default location of the log file and give supervisord permissions to write to it. Signed-off-by: Alex Konradi <[email protected]>
|
cc @phlax who has been working on similar things. |
htuch
reviewed
Nov 17, 2020
There was a problem hiding this comment.
Thanks @akonradi for the quick fix! Did you notice this makes a difference at HEAD? The reason I ask is that I replayed https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/google_vrp#working-with-the-docker-images instructions and it seemed to work on -latest but I saw the supervisord errors at fixed release versions.
|
Yeah I only tried this for the current master. How would I apply it to a release version? Just use that as the base docker image? |
htuch
reviewed
Nov 18, 2020
There was a problem hiding this comment.
Thanks. I've confirmed this fixes things locally. I think if you can deal with the permission issues as well, we can ship this and it should fix latest. I'll do some followups to deal with released version images and putting the VRP image runtime validation into CI to avoid snafus like this in future.
Signed-off-by: Alex Konradi <[email protected]>
akonradi
force-pushed
the
vrp-supervisor-log
branch
from
e94fb3c
to
5864e22
Compare
|
/retest |
|
Retrying Azure Pipelines: |
akonradi
changed the title
|
Coverage failure is unrelated, force merging. |
mpuncel
added a commit
to mpuncel/envoy
that referenced
this pull request
Nov 18, 2020
* master: (117 commits) vrp: allow supervisord to open its log file (envoyproxy#14066) [http1] fix H/1 response pipelining (envoyproxy#13983) wasm: make dependency clearer (envoyproxy#14062) docs: updating 100-continue docs (envoyproxy#14040) quiche: fix stream trailer decoding issue (envoyproxy#13871) tidy: use last_github_commit script instead of target branch (envoyproxy#14052) stats: use RE2 and a better pattern to accelerate a single stats tag-extraction RE (envoyproxy#8831) wasm: use static registration for runtimes (envoyproxy#14014) grpc-json-transcoder: Add support for configuring unescaping behavior (envoyproxy#14009) ci: fix CodeQL-build by removing deprecated set-env command (envoyproxy#14046) config: fix crash when type URL doesn't match proto. (envoyproxy#14031) Build: Propagate user-supplied tags to external headers library. (envoyproxy#14016) [test host utils] use make_shared to avoid memory leaks (envoyproxy#14042) jwt_authn: update to jwt_verify_lib with 1 minute clock skew (envoyproxy#13872) quiche: update QUICHE tar (envoyproxy#13949) sds: improve watched directory documentation. (envoyproxy#14029) log the internal error message from *SSL when the cert and private key doesn't match (envoyproxy#14023) wasm: fix CPE for Wasmtime. (envoyproxy#14024) docs: Bump sphinxext-rediraffe version (envoyproxy#13996) CDS: remove warming cluster if CDS response desired (envoyproxy#13997) ...
htuch
added a commit
to htuch/envoy
that referenced
this pull request
Nov 19, 2020
This is a regression test to cover the issue underlying envoyproxy#14066. Risk level: Low Testing: Validating manually verify.sh passes, CI. Signed-off-by: Harvey Tuch <[email protected]>
htuch
added a commit
that referenced
this pull request
Nov 20, 2020
This is a regression test to cover the issue underlying #14066. Risk level: Low Testing: Validating manually verify.sh passes, CI. Signed-off-by: Harvey Tuch <[email protected]>
andreyprezotto
pushed a commit
to andreyprezotto/envoy
that referenced
this pull request
Nov 24, 2020
Change the default location of the log file and give supervisord permissions to write to it. Signed-off-by: Alex Konradi <[email protected]>
andreyprezotto
pushed a commit
to andreyprezotto/envoy
that referenced
this pull request
Nov 24, 2020
…14099) This is a regression test to cover the issue underlying envoyproxy#14066. Risk level: Low Testing: Validating manually verify.sh passes, CI. Signed-off-by: Harvey Tuch <[email protected]>
qqustc
pushed a commit
to qqustc/envoy
that referenced
this pull request
Nov 24, 2020
Change the default location of the log file and give supervisord permissions to write to it. Signed-off-by: Alex Konradi <[email protected]> Signed-off-by: Qin Qin <[email protected]>
qqustc
pushed a commit
to qqustc/envoy
that referenced
this pull request
Nov 24, 2020
…14099) This is a regression test to cover the issue underlying envoyproxy#14066. Risk level: Low Testing: Validating manually verify.sh passes, CI. Signed-off-by: Harvey Tuch <[email protected]> Signed-off-by: Qin Qin <[email protected]>
cpakulski
pushed a commit
to cpakulski/envoy
that referenced
this pull request
Dec 4, 2020
Change the default location of the log file and give supervisord permissions to write to it. Signed-off-by: Alex Konradi <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]>
cpakulski
pushed a commit
to cpakulski/envoy
that referenced
this pull request
Dec 4, 2020
Change the default location of the log file and give supervisord permissions to write to it. Signed-off-by: Alex Konradi <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]>
jmarantz
pushed a commit
that referenced
this pull request
Dec 5, 2020
#14279) Commit Message: Allow supervisord to open its log file Additional Description: Change the default location of the log file and give supervisord permissions to write to it. Risk Level: low Testing: built image locally Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Alex Konradi <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]>
jmarantz
pushed a commit
that referenced
this pull request
Dec 5, 2020
#14280) Commit Message: Allow supervisord to open its log file Additional Description: Change the default location of the log file and give supervisord permissions to write to it. Risk Level: low Testing: built image locally Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Alex Konradi <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]>
|
Backported to releases 1.16 and 1.15. Removing |
istio-testing
pushed a commit
to istio/envoy
that referenced
this pull request
Jan 8, 2021
* docs: kick-off 1.15.1 release. (envoyproxy#12166) Signed-off-by: Piotr Sikora <[email protected]> * tls: update BoringSSL-FIPS to 20190808. (envoyproxy#12170) Signed-off-by: Piotr Sikora <[email protected]> * test: Exclude wasm_vm_test from CI by making it a "manual" test. (#207) The wee v8 build times out in CI under --config=asan because the machine the job is scheduled on is too small. Signed-off-by: Antonio Vicente <[email protected]> * [v1.15] http: header map security fixes for duplicate headers (#197) (#200) Previously header matching did not match on all headers for non-inline headers. This patch changes the default behavior to always logically match on all headers. Multiple individual headers will be logically concatenated with ',' similar to what is done with inline headers. This makes the behavior effectively consistent. This behavior can be temporary reverted by setting the runtime value "envoy.reloadable_features.header_match_on_all_headers" to "false". Targeted fixes have been additionally performed on the following extensions which make them consider all duplicate headers by default as a comma concatenated list: 1) Any extension using CEL matching on headers. 2) The header to metadata filter. 3) The JWT filter. 4) The Lua filter. Like primary header matching used in routing, RBAC, etc. this behavior can be disabled by setting the runtime value "envoy.reloadable_features.header_match_on_all_headers" to false. Finally, the setCopy() header map API previously only set the first header in the case of duplicate non-inline headers. setCopy() now behaves similiarly to the other set*() APIs and replaces all found headers with a single value. This may have had security implications in the extauth filter which uses this API. This behavior can be disabled by setting the runtime value "envoy.reloadable_features.http_set_copy_replace_all_headers" to false. Fixes https://github.com/envoyproxy/envoy-setec/issues/188 Signed-off-by: Matt Klein <[email protected]> * backport to v1.15: Fix Kafka Repository Location (#223) Update mirror used to fetch kafka dependency to a valid, working mirror. Based on envoyproxy#13025 Resolves envoyproxy#13011 Signed-off-by: Antonio Vicente <[email protected]> * release: cutting 1.15.1 (#217) Signed-off-by: Antonio Vicente <[email protected]> * docs: Fix release notes for v1.15.1 release. (envoyproxy#13318) Signed-off-by: Antonio Vicente <[email protected]> * Backport flaky test and tsan fixes to releases/v1.15 branch (envoyproxy#13337) * hds: fix integration test flakes (envoyproxy#12214) Part of envoyproxy#12184 Signed-off-by: Matt Klein <[email protected]> Signed-off-by: Antonio Vicente <[email protected]> * Switch to a tsan-instrumented libc++ for tsan tests (envoyproxy#12134) This fixes envoyproxy#9784 and re-enables vhds_integration_test Risk Level: Low, but will most likely increase memory usage Signed-off-by: Dmitri Dolguikh <[email protected]> Signed-off-by: Antonio Vicente <[email protected]> * test: shard hds_integration_test (envoyproxy#12482) This should avoid TSAN timeout flakes. Signed-off-by: Matt Klein <[email protected]> Signed-off-by: Antonio Vicente <[email protected]> * test: shard http2_integration_test (envoyproxy#11939) This should mitigate TSAN timeout. Signed-off-by: Lizan Zhou <[email protected]> Signed-off-by: Antonio Vicente <[email protected]> * test: fix http2_integration_test flake (envoyproxy#12450) Fixes envoyproxy#12442 Signed-off-by: Matt Klein <[email protected]> Signed-off-by: Antonio Vicente <[email protected]> * Kick CI Signed-off-by: Antonio Vicente <[email protected]> Co-authored-by: Matt Klein <[email protected]> Co-authored-by: Dmitri Dolguikh <[email protected]> Co-authored-by: Lizan Zhou <[email protected]> * docs: kick off v1.15.3-dev (envoyproxy#13695) Signed-off-by: Christoph Pakulski <[email protected]> * 1.15: CI fixes backport (envoyproxy#13697) Backport following commits to 1.15: 748b2ab (mac ci: try ignoring update failure (envoyproxy#13658), 2020-10-20) f95f539 (ci: various improvements (envoyproxy#13660), 2020-10-20) 73d78f8 (ci: use multiple stage (envoyproxy#13557), 2020-10-15) b7a4756 (ci: use azp for api and go-control-plane sync (envoyproxy#13550), 2020-10-14) 876a6bb (ci use azp to sync filter example (envoyproxy#13501), 2020-10-12) a0f31ee (ci: use azp to generate docs (envoyproxy#13481), 2020-10-12) Signed-off-by: Lizan Zhou <[email protected]> Co-authored-by: asraa <[email protected]> * 1.15: fix CI script (envoyproxy#13724) Signed-off-by: Lizan Zhou <[email protected]> * Prevent SEGFAULT when disabling listener (envoyproxy#13515) (envoyproxy#13903) This prevents the stop_listening overload action from causing segmentation faults that can occur if the action is enabled after the listener has already shut down. Signed-off-by: Alex Konradi <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]> * proxy protocol: set downstreamRemoteAddress on StreamInfo (envoyproxy#14131) (envoyproxy#14169) This fixes a regression which resulted in the downstreamRemoteAddress on the StreamInfo for a connection not having the address supplied by the proxy protocol filter, but instead having the address of the directly connected peer. This issue does not affect HTTP filters. Fixes envoyproxy#14087 Signed-off-by: Greg Greenway <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]> * ci: temproray disable vhds_integration_test in TSAN (envoyproxy#12067) (envoyproxy#14217) Signed-off-by: Lizan Zhou <[email protected]> * tcmalloc changed and the data coming out of tcmalloc::MallocExtension::GetNumericProperty("generic.current_allocated_bytes") (envoyproxy#14165) Commit Message: tcmalloc changed and the data coming out of tcmalloc::MallocExtension::GetNumericProperty("generic.current_allocated_bytes") no longer appears to be deterministic, even in unthreaded tests. So disable exact mem checks till we sort that out Additional Description: Risk Level: low Testing: just thread_local_store_test Docs Changes: n/a Release Notes: n/a no longer appears to be deterministic, even in unthreaded tests. So disable exact mem checks till we sort that out Signed-off-by: Joshua Marantz <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]> Co-authored-by: Joshua Marantz <[email protected]> * backport to v1.15: connection: Remember transport socket read resumption requests and replay them when re-enabling read. (envoyproxy#13772) (envoyproxy#14173) * connection: Remember transport socket read resumption requests and replay them when re-enabling read. (envoyproxy#13772) Fixes SslSocket read resumption after readDisable when processing the SSL record that contains the last bytes of the HTTP message Signed-off-by: Antonio Vicente <[email protected]> * backport to 1.15: udp: properly handle truncated/dropped datagrams (envoyproxy#14122) (envoyproxy#14166) Signed-off-by: Matt Klein <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]> Co-authored-by: Matt Klein <[email protected]> Co-authored-by: Christoph Pakulski <[email protected]> * backport to 1.15: vrp: allow supervisord to open its log file (envoyproxy#14066) (envoyproxy#14280) Commit Message: Allow supervisord to open its log file Additional Description: Change the default location of the log file and give supervisord permissions to write to it. Risk Level: low Testing: built image locally Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Alex Konradi <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]> * rel 1.15: close release 1.15.3 (envoyproxy#14303) Signed-off-by: Christoph Pakulski <[email protected]> * Kick off rel 1.15.4. (envoyproxy#14323) Signed-off-by: Christoph Pakulski <[email protected]> * backport to 1.15: http: fix datadog and squash handling of responses without body (envoyproxy#13328) (envoyproxy#14458) Commit Message: Fixing bugs in datadog and sqaush where unexpected bodyless responses would crash Envoy Risk Level: low Testing: new unit tests, updated certs Docs Changes: n/a Release Notes: inline Signed-off-by: Christoph Pakulski <[email protected]> Co-authored-by: alyssawilk <[email protected]> * backport 1.15: http: fixing a bug with IPv6 hosts (envoyproxy#14273) Fixing a bug where HTTP parser offsets for IPv6 hosts did not include [] and Envoy assumed it did. This results in mis-parsing addresses for IPv6 CONNECT requests and IPv6 hosts in fully URLs over HTTP/1.1 Risk Level: low Testing: new unit, integration tests Docs Changes: n/a Release Notes: inline Signed-off-by: Shikugawa <[email protected]> Co-authored-by: alyssawilk <[email protected]> * backport to 1.15: tls: fix detection of the upstream connection close event. (envoyproxy#13858) (envoyproxy#14568) Fixes envoyproxy#13856. Signed-off-by: Piotr Sikora <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]> Co-authored-by: Piotr Sikora <[email protected]> Co-authored-by: antonio <[email protected]> Co-authored-by: Matt Klein <[email protected]> Co-authored-by: Dmitri Dolguikh <[email protected]> Co-authored-by: Lizan Zhou <[email protected]> Co-authored-by: Christoph Pakulski <[email protected]> Co-authored-by: asraa <[email protected]> Co-authored-by: Joshua Marantz <[email protected]> Co-authored-by: Rei Shimizu <[email protected]> Co-authored-by: alyssawilk <[email protected]>
istio-testing
pushed a commit
to istio/envoy
that referenced
this pull request
Feb 5, 2021
* backport to 1.16: http: fixing a bug with IPv6 hosts (envoyproxy#14238) Fixing a bug where HTTP parser offsets for IPv6 hosts did not include [] and Envoy assumed it did. This results in mis-parsing addresses for IPv6 CONNECT requests and IPv6 hosts in fully URLs over HTTP/1.1 Risk Level: low Testing: new unit, integration tests Docs Changes: n/a Release Notes: inline Signed-off-by: Shikugawa <[email protected]> Co-authored-by: alyssawilk <[email protected]> * backport to 1.16: vrp: allow supervisord to open its log file (envoyproxy#14066) (envoyproxy#14279) Commit Message: Allow supervisord to open its log file Additional Description: Change the default location of the log file and give supervisord permissions to write to it. Risk Level: low Testing: built image locally Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Alex Konradi <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]> * Closing release 1.16.2. (envoyproxy#14308) Signed-off-by: Christoph Pakulski <[email protected]> * Kick-off rel 1.16.3. (envoyproxy#14321) Signed-off-by: Christoph Pakulski <[email protected]> * lua: reset downstream_ssl_connection in StreamInfoWrapper when object is marked dead by Lua GC (envoyproxy#14092) (envoyproxy#14449) Co-authored-by: Marcin Falkowski <[email protected]> * backport to 1.16: tls: fix detection of the upstream connection close event. (envoyproxy#13858) (envoyproxy#14452) Fixes envoyproxy#13856. This change also contains the following backports: - build: Fix some unused variable warnings (envoyproxy#13987) - test: Check in all TLS test certs (envoyproxy#13702) Signed-off-by: Piotr Sikora <[email protected]> Signed-off-by: Christoph Pakulski <[email protected]> * backport to 1.16: aggregate cluster: fix TLS init issue (envoyproxy#14456) Additional Description: Based on envoyproxy#14388 Risk Level: Low Testing: Build and run the repro from envoyproxy#14119 without crashing, `bazel test test/extensions/clusters/aggregate:cluster_test` Docs Changes: N/A Release Notes: envoyproxy#14119 Signed-off-by: Taylor Barrella <[email protected]> Co-authored-by: Rei Shimizu <[email protected]> Co-authored-by: Christoph Pakulski <[email protected]> Co-authored-by: Marcin Falkowski <[email protected]>
rexengineering
pushed a commit
to rexengineering/istio-envoy
that referenced
this pull request
Oct 15, 2021
This is a regression test to cover the issue underlying envoyproxy/envoy#14066. Risk level: Low Testing: Validating manually verify.sh passes, CI. Signed-off-by: Harvey Tuch <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit Message: Allow supervisord to open its log file
Additional Description:
Change the default location of the log file and give supervisord
permissions to write to it.
Risk Level: low
Testing: built image locally
Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: n/a