Fix: Write FRR device log to /var/log/frr instead of /tmp/logging #3479
Merged
The initial template configured `log file /tmp/logging`, but a host that loads the FRR AppArmor profiles (shipped in Ubuntu's `apparmor` package, not the `frr` package) confines the `bgpd` and `staticd` binaries by their `/usr/lib/frr/...` path -- the confinement reaches into the container -- and those profiles permit `/var/log/frr/*` while denying `/tmp`. On FRR 10.4 the resulting log-file open failure is fatal and aborts `netlab initial`; on 10.6 it is downgraded to a warning, so the destination silently never worked there either.

Log to `/var/log/frr/frr.log`, FRR's canonical directory, which the `abstractions/frr` profile already permits -- so this needs no AppArmor change.

The stock FRR image ships no `/var/log/frr`, so the template creates it (owned by `frr`) before the daemons open the file; the directory is created by the unconfined initial shell, not the confined daemon.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
On Ubuntu 26.04 AppArmor is enabled by default with `bgpd` and `staticd` profiles restricting access to `/tmp`. AppArmor policy is global and pathname-based, so the confinement reaches into the container and as a result `netlab initial` fails on `frr:10.4.1`, and on `frr:10.6.1` logging configuration fails with a warning.

Fix
Log to `/var/log/frr/frr.log`, FRR's "canonical" log directory, which `abstractions/frr` already permits — so no AppArmor change is required.

The stock FRR image ships no `/var/log/frr`, so the template creates it (owned by `frr`) before the daemons open the file. The directory is created by the unconfined initial shell, not the confined daemon.

Files changed:

- `netsim/ansible/templates/initial/frr.j2` — new log path + `mkdir`/`chown`, with a Jinja comment recording the AppArmor rationale.
- `docs/caveats.md` — the current-state note now cites `/var/log/frr/frr.log`.

The log path was never a shared contract: a repo-wide sweep found no reader of the old destination (only the template wrote it). The historical `docs/release/25.09.md` note is left untouched, as it correctly records what 25.09 shipped. No release note is added here; release notes in this project are curated at release time.

Testing

`tests/integration/bgp.session/10-timers.yml`, device `frr`, provider `clab`, probe pinned to `frr:10.4.1` (the previously-fatal version):

- `netlab up` now completes `initial`, `bgp`, `bgp.session` on both nodes (the probe previously failed `initial`).
- `netlab validate` → `[SUCCESS] Tests passed: 4` (session_v4, session_v6, timers_v4, timers_v6).
- `bgpd` and `staticd` daemons now write to `/var/log/frr/frr.log` (BGP and STATIC log lines present); no `/tmp/logging` is created — confirming logging is functional, not merely non-fatal.
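
Added example (not part of this PR or of the netlab code base): a small Python check of why a confined daemon is refused `/tmp/logging` but may write `/var/log/frr/frr.log` under AppArmor's default-deny pathname matching. The rule text is a constructed sample built around the `/var/log/frr/*` rule the description cites, and the parser assumes only path-first file rules with the `*`, `**` and `?` globs.

```python
import re

# Constructed sample rules. Only "/var/log/frr/*" comes from the PR text;
# the rest is illustrative and not copied from the real abstractions/frr.
SAMPLE_RULES = """
  /etc/frr/** r,
  /var/log/frr/* rw,
  deny /var/log/frr/*.bak w,   # constructed, shows deny precedence
"""

def glob_to_regex(glob):
    """AppArmor path globs: '**' may cross '/', '*' and '?' may not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = glob[i]
        out.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")

def parse_rules(text):
    """Parse path-first file rules: '[deny] PATH PERMS,' (assumed subset)."""
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].strip().rstrip(",").split()
        deny = words[:1] == ["deny"]
        if deny:
            words = words[1:]
        if len(words) == 2 and words[0].startswith("/"):
            rules.append((deny, glob_to_regex(words[0]), set(words[1])))
    return rules

def allowed(rules, path, perm="w"):
    """Default deny: need a matching allow rule and no matching deny rule."""
    hits = [deny for deny, rx, perms in rules if perm in perms and rx.match(path)]
    return bool(hits) and not any(hits)

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for p in ("/tmp/logging", "/var/log/frr/frr.log", "/var/log/frr/old/frr.log"):
        print(p, "->", "allowed" if allowed(rules, p) else "denied")
```

The third path is denied because a single `*` does not cross a `/`, so a log file placed in a subdirectory of `/var/log/frr` would need its own rule.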