amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Package Request] - rsyslog-gnutls #617

Closed sbogar-shs closed 4 months ago

sbogar-shs commented 5 months ago

What package is missing from Amazon Linux 2023? Please describe and include package name.
rsyslog-gnutls

Is this an update to existing package or new package request?
new package

Is this package available in Amazon Linux 2? If it is available via external sources such as EPEL, please specify.
It is available in Amazon Linux 2

Any additional information you'd like to include. (use-cases, etc)
We need the gtls NetStreamDriver to work on AL2023 or we will be forced to use a different distribution for our remote syslog servers.

daniejstriata commented 5 months ago

I was able to build rsyslog using the CentOS Stream SPEC in COPR by adding librelp and librdkafka dependencies but ran into a conflict with selinux-policy when installing rsyslog. Not sure why rsyslog-gnutls was not included in the distro. Would rsyslog-relp not suffice?

I would not feel comfortable pushing this more unless done by Amazon themselves. It's one thing packaging a single binary package with little to no dependencies, but I won't go changing core packages; that is not a good idea.

Error: 
 Problem: problem with installed package selinux-policy-37.22-1.amzn2023.0.1.noarch
  - package rsyslog-8.2310.0-4.amzn2023.aarch64 conflicts with selinux-policy < 38.1.29-1 provided by selinux-policy-37.22-1.amzn2023.0.1.noarch
  - package rsyslog-8.2310.0-4.amzn2023.aarch64 conflicts with selinux-policy < 38.1.29-1 provided by selinux-policy-36.18-1.amzn2023.0.1.noarch
  - package rsyslog-8.2310.0-4.amzn2023.aarch64 conflicts with selinux-policy < 38.1.29-1 provided by selinux-policy-36.16-1.amzn2023.0.3.noarch
  - package rsyslog-8.2310.0-4.amzn2023.aarch64 conflicts with selinux-policy < 38.1.29-1 provided by selinux-policy-36.16-1.amzn2023.0.2.noarch

stewartsmith commented 5 months ago

There is rsyslog-openssl present, does that not suit your use case?

We intentionally are focusing in on having OpenSSL be the cryptographic library of choice, and limiting enabling other libraries anywhere there's the ability to use OpenSSL instead.

daniejstriata commented 5 months ago

I see in the rsyslog RELP documentation:

Note that “gnutls” is the current default for historic reasons. We actually recommend to use “openssl”. It provides better error messages and accepts a wider range of certificate types.

If you have problems with the default setting, we recommend to switch to “openssl”.

https://www.rsyslog.com/doc/configuration/modules/imrelp.html#:~:text=Note%20that%20%E2%80%9Cgnutls%E2%80%9D%20is%20the,to%20switch%20to%20%E2%80%9Copenssl%E2%80%9D.

sbogar-shs commented 5 months ago

I am trying to collect logs from a system that does not have RELP available as an option when sending logs. They can only come over via TCP.

daniejstriata commented 5 months ago

The rsyslog-openssl package should suffice in that use case as Stewart mentioned previously.

sbogar-shs commented 5 months ago

Ubuntu it is!

daniejstriata commented 5 months ago

Seems that rsyslog-openssl should be a drop-in replacement for rsyslog-gnutls but issues were found in communications without certificates configured in a much older release. Seems to have been fixed: https://github.com/rsyslog/rsyslog/issues/3413

stewartsmith commented 5 months ago

Since the rsyslog-openssl package is a suitable substitute, I'm going to mark this as wontfix, but also tag it as Documentation so that we keep this issue open until the AL2023 documentation is updated stating this.

stewartsmith commented 4 months ago

This is now mentioned in the documentation: https://docs.aws.amazon.com/linux/al2023/ug/deprecated-al2.html#deprecated-rsyslog-gnutls

Resolving.
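
An added example, not part of the thread or of Amazon's documentation: shell helpers that list where an rsyslog configuration carried over from AL2 still selects the gtls stream driver, and rewrite those settings for the driver provided by rsyslog-openssl. The driver name `ossl`, the function names and the sample configuration are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit and rewrite rsyslog TLS driver
# selection from gtls to ossl. Assumption: ossl is the driver name loaded
# from the rsyslog-openssl package.

# list_gtls FILE...: print "file:line: text" for each active (non-comment)
# line that selects the gtls stream driver, in legacy or RainerScript syntax.
list_gtls() {
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /streamdriver[a-z.]*[ \t]*=?[ \t]*"?gtls/ {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# gtls_to_ossl FILE: write FILE to stdout with the driver name swapped on
# those lines only; comments, CA/cert paths and auth modes are untouched.
gtls_to_ossl() {
    awk '
        /^[ \t]*#/ { print; next }
        tolower($0) ~ /streamdriver[a-z.]*[ \t]*=?[ \t]*"?gtls/ {
            gsub(/"gtls"/, "\"ossl\"")          # RainerScript: name="gtls"
            sub(/[ \t]+gtls[ \t]*$/, " ossl")   # legacy: $Directive gtls
        }
        { print }
    ' "$1"
}

# sample_conf: constructed rsyslog.conf fragment used as test input.
sample_conf() {
    cat <<'EOF'
# old note: StreamDriver gtls was what we used on AL2
$DefaultNetstreamDriver gtls
global(DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem")
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="x509/name")
input(type="imtcp" port="6514")
action(type="omfwd" target="logs.example.internal" port="6514" protocol="tcp" StreamDriver="gtls" StreamDriverMode="1")
EOF
}
```

Write the rewritten output to a new file, diff it against the original, and validate it with `rsyslogd -N1` before restarting the service, so that a TLS listener never silently falls back to an unencrypted or failed state.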