Hello,
We've run into a bit of trouble after switching to the Noble stemcell for BOSH. It seems the syslog-forwarder cannot access its certificate files because of AppArmor restrictions, leading to errors.
What's Happening:
As soon as we deployed with the Noble stemcell, rsyslogd reported errors like these in the syslog-forwarder pre-start script:
rsyslogd: error: defaultnetstreamdrivercafile file '/var/vcap/jobs/syslog_forwarder/config/ca_cert.pem' could not be accessed: Permission denied
rsyslogd: error: certificate file '/var/vcap/jobs/syslog_forwarder/config/ca_cert.pem' couldn't be accessed: Permission denied
These errors repeat for several other key and certificate files as well.
How We Fixed It:
To get things working, we adjusted the AppArmor profile for rsyslog in /etc/apparmor.d/usr.sbin.rsyslogd. Here’s how we tweaked it:
/usr/sbin/rsyslogd {
  # Existing setup

  # Added these lines for syslog-forwarder
  /var/vcap/jobs/syslog_forwarder/config/* r,
  /var/vcap/data/syslog_forwarder/** rw,
  /var/vcap/sys/log/syslog_forwarder/** rw,
}
These changes allowed rsyslog to read and write to the necessary files, and the syslog-forwarder pre-start script ran smoothly after that.
Could we consider adding these AppArmor permission tweaks directly in the syslog-release for better compatibility with the Noble stemcell? It would really help streamline deployments and avoid manual fixes.
Thanks for looking into this!
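
As an added example (not part of the original issue or of syslog-release): a small Python check that replays AppArmor denial lines against the three rules quoted above and lists the accesses those rules would still not allow. The audit lines and the `certs/client.key` and `rsyslog.conf` paths are constructed for illustration, and the glob translation is simplified to `*`, `**` and `?`.

```python
import re

# The three rules proposed in the issue: (path glob, permissions).
RULES = [
    ("/var/vcap/jobs/syslog_forwarder/config/*", "r"),
    ("/var/vcap/data/syslog_forwarder/**", "rw"),
    ("/var/vcap/sys/log/syslog_forwarder/**", "rw"),
]

# Constructed sample audit lines (not taken from the issue).
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:51): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/var/vcap/jobs/syslog_forwarder/config/ca_cert.pem" pid=911 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:52): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/var/vcap/jobs/syslog_forwarder/config/certs/client.key" pid=911 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:53): apparmor="DENIED" operation="mknod" profile="/usr/sbin/rsyslogd" name="/var/vcap/data/syslog_forwarder/buffer/queue.qi" pid=911 comm="rsyslogd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.104:54): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/var/vcap/jobs/syslog_forwarder/config/rsyslog.conf" pid=911 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.105:55): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/vcap/jobs/syslog_forwarder/config/ca_cert.pem" pid=77 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def glob_to_regex(glob):
    """Simplified AppArmor glob: ** crosses '/', * and ? stay in one component."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return "".join(table.get(p, re.escape(p)) for p in parts)


def uncovered_denials(log_text, rules=RULES):
    """Return (path, missing_perms) for rsyslogd denials the rules do not allow."""
    compiled = [(re.compile(glob_to_regex(g)), set(p)) for g, p in rules]
    result = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or not f.get("profile", "").endswith("rsyslogd"):
            continue
        path = f.get("name", "")
        # create (c), delete (d) and append (a) are all granted by 'w' in a file rule
        wanted = {"w" if c in "cda" else c for c in f.get("denied_mask", "")}
        granted = set()
        for rx, perms in compiled:
            if rx.fullmatch(path):
                granted |= perms
        if wanted - granted:
            result.append((path, "".join(sorted(wanted - granted))))
    return result
```

On the constructed log, the subdirectory read and the write into `config/` remain uncovered, which shows how narrow the `config/* r,` rule is compared with the two `**` rules.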