From 5d8719ca4a4cd51122e07daa81a54ae023821825 Mon Sep 17 00:00:00 2001 From: Hugo Hromic Date: Sat, 12 Aug 2023 19:17:31 +0100 Subject: [PATCH 1/4] enhancement(core): Add CLI arg and env variable to control openssl probing This commit implements a new CLI argument `--openssl-no-probe` with a corresponding environment variable `VECTOR_OPENSSL_NO_PROBE` to disable calling the `openssl_probe::init_ssl_cert_env_vars()` function when starting Vector. The openssl-probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables in the Vector process. This behavior can be problematic for users of the `exec` source, which by default inherits the environment of the Vector process. Signed-off-by: Hugo Hromic --- src/app.rs | 13 ++++++++++--- src/cli.rs | 4 ++++ 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/app.rs b/src/app.rs index b745d831e07c3..baee7a8afc23b 100644 --- a/src/app.rs +++ b/src/app.rs @@ -180,7 +180,7 @@ impl Application { } pub fn prepare_from_opts(opts: Opts) -> Result<(Runtime, Self), ExitCode> { - init_global(); + init_global(!opts.root.openssl_no_probe); let color = opts.root.color.use_color(); @@ -191,6 +191,11 @@ impl Application { opts.root.internal_log_rate_limit, ); + // Can only log this after initializing the logging subsystem + if opts.root.openssl_no_probe { + debug!(message = "Disabled probing and configuration of root certificate locations on the system for OpenSSL."); + } + let openssl_legacy_provider = opts .root .openssl_legacy_provider @@ -420,8 +425,10 @@ impl FinishedApplication { } } -pub fn init_global() { - openssl_probe::init_ssl_cert_env_vars(); +pub fn init_global(openssl_probe: bool) { + if openssl_probe { + openssl_probe::init_ssl_cert_env_vars(); + } #[cfg(not(feature = "enterprise-tests"))] metrics::init_global().expect("metrics initialization failed"); diff --git a/src/cli.rs b/src/cli.rs index 1493e8db117e8..cd7cad7ade949 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -198,6 +198,10 @@ pub struct RootOpts { /// Load the OpenSSL legacy provider. #[arg(long, env = "VECTOR_OPENSSL_LEGACY_PROVIDER", default_value = "true")] pub openssl_legacy_provider: bool, + + /// Disable probing and configuration of root certificate locations on the system for OpenSSL. + #[arg(long, env = "VECTOR_OPENSSL_NO_PROBE", default_value = "false")] + pub openssl_no_probe: bool, } impl RootOpts { From f2c80284b2b316b1c1fe3cae7c817bb35311b3cc Mon Sep 17 00:00:00 2001 From: Hugo Hromic Date: Tue, 15 Aug 2023 15:54:42 +0100 Subject: [PATCH 2/4] Document new option and env variable * Also add missing documentation for `openssl-legacy-provider` option and env var --- website/cue/reference/cli.cue | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/website/cue/reference/cli.cue b/website/cue/reference/cli.cue index b356f454de2ea..6756406d24c6d 100644 --- a/website/cue/reference/cli.cue +++ b/website/cue/reference/cli.cue @@ -113,6 +113,14 @@ cli: { description: env_vars.VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT.description env_var: "VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT" } + "openssl-legacy-provider": { + description: env_vars.VECTOR_OPENSSL_LEGACY_PROVIDER.description + env_var: "VECTOR_OPENSSL_LEGACY_PROVIDER" + } + "openssl-no-probe": { + description: env_vars.VECTOR_OPENSSL_NO_PROBE.description + env_var: "VECTOR_OPENSSL_NO_PROBE" + } } _core_config_options: { @@ -149,6 +157,12 @@ cli: { env_var: "VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS" type: "integer" } + "graceful-shutdown-limit-secs": { + description: env_vars.VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS.description + default: env_vars.VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS.type.uint.default + env_var: "VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS" + type: "integer" + } } // Reusable options @@ -624,6 +638,14 @@ cli: { description: "Never time out while waiting for graceful shutdown after SIGINT or SIGTERM received. This is useful when you would like for Vector to attempt to send data until terminated by a SIGKILL. Overrides/cannot be set with `--graceful-shutdown-limit-secs`." type: bool: default: false } + VECTOR_OPENSSL_LEGACY_PROVIDER: { + description: "Load the OpenSSL legacy provider." + type: bool: default: true + } + VECTOR_OPENSSL_NO_PROBE: { + description: "Disable probing and configuration of root certificate locations on the system for OpenSSL. The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables in the Vector process. This behavior can be problematic for users of the `exec` source, which by default inherits the environment of the Vector process." + type: bool: default: false + } } // Helpers From 86ae96341e2a117c565513fa2a7eb345910d784d Mon Sep 17 00:00:00 2001 From: Hugo Hromic Date: Tue, 15 Aug 2023 17:49:46 +0100 Subject: [PATCH 3/4] Remove copy/pasted block by mistake --- website/cue/reference/cli.cue | 6 ------ 1 file changed, 6 deletions(-) diff --git a/website/cue/reference/cli.cue b/website/cue/reference/cli.cue index 6756406d24c6d..b5478e054fbce 100644 --- a/website/cue/reference/cli.cue +++ b/website/cue/reference/cli.cue @@ -157,12 +157,6 @@ cli: { env_var: "VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS" type: "integer" } - "graceful-shutdown-limit-secs": { - description: env_vars.VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS.description - default: env_vars.VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS.type.uint.default - env_var: "VECTOR_GRACEFUL_SHUTDOWN_LIMIT_SECS" - type: "integer" - } } // Reusable options From 8edb011209a1d37e298b960b40f2da74fc77966e Mon Sep 17 00:00:00 2001 From: Hugo Hromic Date: Tue, 15 Aug 2023 17:53:05 +0100 Subject: [PATCH 4/4] Align in-code comment with reference documentation --- src/cli.rs | 4 ++++ website/cue/reference/cli.cue | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/cli.rs b/src/cli.rs index cd7cad7ade949..32a9ac4f277fd 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -200,6 +200,10 @@ pub struct RootOpts { pub openssl_legacy_provider: bool, /// Disable probing and configuration of root certificate locations on the system for OpenSSL. + /// + /// The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables + /// in the Vector process. This behavior can be problematic for users of the `exec` source, which by + /// default inherits the environment of the Vector process. #[arg(long, env = "VECTOR_OPENSSL_NO_PROBE", default_value = "false")] pub openssl_no_probe: bool, } diff --git a/website/cue/reference/cli.cue b/website/cue/reference/cli.cue index b5478e054fbce..ec32672cf73df 100644 --- a/website/cue/reference/cli.cue +++ b/website/cue/reference/cli.cue @@ -637,7 +637,11 @@ cli: { type: bool: default: true } VECTOR_OPENSSL_NO_PROBE: { - description: "Disable probing and configuration of root certificate locations on the system for OpenSSL. The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables in the Vector process. This behavior can be problematic for users of the `exec` source, which by default inherits the environment of the Vector process." + description: """ + Disable probing and configuration of root certificate locations on the system for OpenSSL. + + The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables in the Vector process. This behavior can be problematic for users of the `exec` source, which by default inherits the environment of the Vector process. + """ type: bool: default: false } }