[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
This bug was fixed in the package rsyslog - 8.2312.0-3ubuntu9.2
---
rsyslog (8.2312.0-3ubuntu9.2) noble; urgency=medium
* Update rsyslog apparmor profile to cope with log sockets in
chroot directories (LP: #2138647):
- d/usr.sbin.rsyslogd: add attach_disconnected flag to profile
- d/t/{control,haproxy-logging}: new test to confirm the fix
-- Andreas Hasenack Tue, 10 Mar 2026
12:59:13 -0300
** Changed in: rsyslog (Ubuntu Noble)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2138647
Title:
haproxy stops logging after reload with permission denied error
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
This bug was fixed in the package rsyslog - 8.2504.0-1ubuntu2.1
---
rsyslog (8.2504.0-1ubuntu2.1) questing; urgency=medium
* Update rsyslog apparmor profile to cope with log sockets in
chroot directories (LP: #2138647):
- d/usr.sbin.rsyslogd: add attach_disconnected flag to profile
- d/t/{control,haproxy-logging}: new test to confirm the fix
* d/t/control: skip mysql test on armhf, since mysql is not available on
that arch
-- Andreas Hasenack Tue, 10 Mar 2026
17:28:09 -0300
** Changed in: rsyslog (Ubuntu Questing)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2138647
Title:
haproxy stops logging after reload with permission denied error
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
1406s autopkgtest [14:08:01]: test tests-in-lxd: [--- 1411s 2026-04-08T14:08:06Z INFO Waiting for automatic snapd restart... 1414s 2026-04-08T14:08:09Z INFO Waiting for automatic snapd restart... 1445s lxd (5.21/stable) 5.21.4-1374f39 from Canonical** installed 1455s Using http://egress.ps7.internal:3128/ as container proxy 1456s Launching autopkgtest-prepare-4XW 1547s Error: Failed instance creation: Get "https://cloud-images.ubuntu.com/daily/server/noble/20260323/noble-server-cloudimg-amd64-lxd.tar.xz": context deadline exceeded 1547s Error: Failed checking instance exists "local:autopkgtest-prepare-4XW": Failed to fetch instance "autopkgtest-prepare-4XW" in project "default": Instance not found 1547s ERROR:autopkgtest-build-lxd:Command '['/usr/share/autopkgtest/lib/build-lxd.sh', '--lxd', 'ubuntu-daily:noble']' returned non-zero exit status 1. 1547s autopkgtest [14:10:22]: test tests-in-lxd: ---] This is tiring... Retrying. One. More. Time. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
It failed like this: 1406s autopkgtest [14:08:01]: test tests-in-lxd: [--- 1411s 2026-04-08T14:08:06Z INFO Waiting for automatic snapd restart... 1414s 2026-04-08T14:08:09Z INFO Waiting for automatic snapd restart... 1445s lxd (5.21/stable) 5.21.4-1374f39 from Canonical** installed 1455s Using http://egress.ps7.internal:3128/ as container proxy 1456s Launching autopkgtest-prepare-4XW 1547s Error: Failed instance creation: Get "https://cloud-images.ubuntu.com/daily/server/noble/20260323/noble-server-cloudimg-amd64-lxd.tar.xz": context deadline exceeded 1547s Error: Failed checking instance exists "local:autopkgtest-prepare-4XW": Failed to fetch instance "autopkgtest-prepare-4XW" in project "default": Instance not found 1547s ERROR:autopkgtest-build-lxd:Command '['/usr/share/autopkgtest/lib/build-lxd.sh', '--lxd', 'ubuntu-daily:noble']' returned non-zero exit status 1. 1547s autopkgtest [14:10:22]: test tests-in-lxd: ---] 1547s autopkgtest [14:10:22]: test tests-in-lxd: - - - - - - - - - - results - - - - - - - - - - 1547s tests-in-lxd FAIL non-zero exit status 1 Failed to download https://cloud- images.ubuntu.com/daily/server/noble/20260323/noble-server-cloudimg- amd64-lxd.tar.xz Flakiness or networking issues. We can see the PS7 proxy seems to be set, but unsure if it covers https. I'll try it with migration- reference/0 now. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
> systemd/255.4-1ubuntu8.15 (amd64) > I retried this autopkgtest. The logs showed it was an infra problem (the VM > "disappeared"). This run (and another one after that triggered by others) failed with "tmpfail". Retried one more time. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
> systemd/255.4-1ubuntu8.15 (amd64) I retried this autopkgtest. The logs showed it was an infra problem (the VM "disappeared"). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
# Noble verification The new autopkgtest passed[1]: 1177s autopkgtest [02:12:33]: test haproxy-logging: [--- 1177s Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile 1178s Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode. 1178s ## Requesting http://localhost:8080/autopkgtest1416 1181s 1181s ## Checking logs for GET /autopkgtest1416 1181s 2026-04-02T02:12:37.491339+00:00 autopkgtest haproxy[1430]: 127.0.0.1:40550 [02/Apr/2026:02:12:34.483] test-front test-back/test-1 0/0/-1/-1/3007 503 216 - - SC-- 1/1/0/0/3 0/0 "GET /autopkgtest1416 HTTP/1.1" 1181s ## All tests passed! 1182s autopkgtest [02:12:38]: test haproxy-logging: ---] 1. https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/amd64/r/rsyslog/20260402_021256_3a2e5@/log.gz#:~:text=2.39%2D0ubuntu8.7)%20...%0A1177s-,autopkgtest,-%5B02%3A12%3A33 ** Tags removed: verification-needed-noble ** Tags added: verification-done-noble -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
# Questing verification The new autopkgtest passed[1]: 1023s autopkgtest [02:19:36]: test haproxy-logging: [--- 1023s Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile 1023s Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode. 1023s ## Requesting http://localhost:8080/autopkgtest1462 1026s 1026s ## Checking logs for GET /autopkgtest1462 1026s 2026-04-02T02:19:39.317323+00:00 autopkgtest haproxy[1475]: 127.0.0.1:36500 [02/Apr/2026:02:19:36.310] test-front test-back/test-1 0/0/-1/-1/3006 503 216 - - SC-- 1/1/0/0/3 0/0 "GET /autopkgtest1462 HTTP/1.1" 1026s ## All tests passed! 1027s autopkgtest [02:19:40]: test haproxy-logging: ---] 1. https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/amd64/r/rsyslog/20260402_021956_eb28b@/log.gz#:~:text=2.42%2D0ubuntu3.1)%20...%0A1023s-,autopkgtest,-%5B02%3A19%3A36 ** Tags removed: verification-needed-questing ** Tags added: verification-done-questing -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
Hello David, or anyone else affected, Accepted rsyslog into questing-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/rsyslog/8.2504.0-1ubuntu2.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- questing to verification-done-questing. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-questing. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: rsyslog (Ubuntu Questing) Status: In Progress => Fix Committed ** Tags added: verification-needed-questing ** Changed in: rsyslog (Ubuntu Noble) Status: In Progress => Fix Committed ** Tags added: verification-needed-noble -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
Uploaded to questing unapproved: Uploading rsyslog_8.2504.0-1ubuntu2.1.dsc Uploading rsyslog_8.2504.0-1ubuntu2.1.debian.tar.xz Uploading rsyslog_8.2504.0-1ubuntu2.1_source.buildinfo Uploading rsyslog_8.2504.0-1ubuntu2.1_source.changes -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
Uploaded to noble unapproved: Uploading rsyslog_8.2312.0-3ubuntu9.2.dsc Uploading rsyslog_8.2312.0-3ubuntu9.2.debian.tar.xz Uploading rsyslog_8.2312.0-3ubuntu9.2_source.buildinfo Uploading rsyslog_8.2312.0-3ubuntu9.2_source.changes -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
** Description changed: [ Impact ] - * An explanation of the effects of the bug on users and justification -for backporting the fix to the stable release. + If haproxy is running when rsyslog is restarted, haproxy will stop + logging requests due to an apparmor denial message: - * In addition, it is helpful, but not required, to include an -explanation of how the upload fixes this bug. + [Tue Mar 3 14:00:54 2026] audit: type=1400 audit(1772546453.881:137): + apparmor="DENIED" operation="sendmsg" class="file" info="Failed name + lookup - disconnected path" error=-13 profile="rsyslogd" + name="var/lib/haproxy/dev/log" pid=5137 comm="haproxy" + requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + + This happens because haproxy is using dev/log from inside a chroot, to + which rsyslog listens to (via /etc/rsyslog.d/49-haproxy.conf installed + by the haproxy package). This needs the apparmor flag + attach_disconnected. + + What makes this more critical is that anytime a config snippet is + installed in /etc/rsyslog.d/*, that will trigger an rsyslog restart (via + dpkg-triggers). This makes the bug potentially more frequent, and it + also affects haproxy upgrades themselves. + [ Test Plan ] - * detailed instructions how to reproduce the bug + This update includes a new autopkgtest called haproxy-logging which will + trigger the bug and verify that it is fixed. - * these should allow someone who is not familiar with the affected -package to reproduce the bug and verify that the updated package -fixes the problem. + Therefore, the test plan for this SRU is to verify that the new haproxy- + logging autopackagetest succeeded: - * if other testing is appropriate to perform before landing this -update, this should also be described here. + 1318s autopkgtest [18:42:29]: test haproxy-logging: [--- + 1318s Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile + 1319s Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode. + 1319s ## Requesting http://localhost:8080/autopkgtest1392 + 1322s + 1322s ## Checking logs for GET /autopkgtest1392 + 1322s 2026-03-10T18:44:15.878187+00:00 autopkgtest haproxy[1405]: 127.0.0.1:49456 [10/Mar/2026:18:44:12.871] test-front test-back/test-1 0/0/-1/-1/3006 503 216 - - SC-- 1/1/0/0/3 0/0 "GET /autopkgtest1392 HTTP/1.1" + 1322s ## All tests passed! + 1322s autopkgtest [18:42:33]: test haproxy-logging: ---] + 1323s autopkgtest [18:42:34]: test haproxy-logging: - - - - - - - - - - results - - - - - - - - - - + 1323s haproxy-logging PASS + + Here is an example where the test was run with an unpatched rsyslog: + + 137s autopkgtest [14:19:48]: test haproxy-logging: [--- + 138s Enforcing the /etc/apparmor.d/usr.sbin.rsyslogd apparmor profile + 138s Setting /etc/apparmor.d/usr.sbin.rsyslogd to enforce mode. + 138s ## Requesting http://localhost:8080/autopkgtest8961 + 141s + 141s ## Checking logs for GET /autopkgtest8961 + 141s ## Something failed + 141s + 141s ## Getting last 100 of haproxy unit logs + ... + 141s ## Last 100 of /var/log/haproxy.log + 141s 2026-03-10T17:19:52.917606+00:00 n-rsyslog-dep8 haproxy[8974]: [ALERT] (8974) : sendmsg()/writev() failed in logger #1: Permission denied (errno=13) + [ Where problems could occur ] - * Think about what the upload changes in the software. Imagine the -change is wrong or breaks something else: how would this show up? + * Think about what the upload changes in the software. Imagine the + change is wrong or breaks something else: how would this show up? - * It is assumed that any SRU candidate patch is well-tested before -upload and has a low overall risk of regression, but it's important -to make the effort to think about what ''could'' happen in the event -of a regression. + * It is assumed that any SRU candidate patch is well-tested before + upload and has a low overall risk of regression, but it's important + to make the effort to think about what ''could'' happen in the event + of a regression. - * This must never be "None" or "Low", or entirely an argument as to why -your upload is low risk. + * This must never be "None" or "Low", or entirely an argument as to why + your upload is low risk. - * This both shows the SRU team that the risks have been considered, -and provides guidance to testers in regression-testing the SRU. + * This both shows the SRU team that the risks have been considered, + and provides guidance to testers in regression-testing the SRU. [ Other Info ] - * Anything else you think is useful to include + * Anything else you think is useful to include - * Make sure to explain any deviation from the norm, to save the SRU -reviewer from having to infer your reasoning, possibly incorrectly. -This should also help reduce review iterations, particularly when the -reason for the deviation is not obviou
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
** Description changed: + [ Impact ] + + * An explanation of the effects of the bug on users and justification +for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an +explanation of how the upload fixes this bug. + + [ Test Plan ] + + * detailed instructions how to reproduce the bug + + * these should allow someone who is not familiar with the affected +package to reproduce the bug and verify that the updated package +fixes the problem. + + * if other testing is appropriate to perform before landing this +update, this should also be described here. + + [ Where problems could occur ] + + * Think about what the upload changes in the software. Imagine the +change is wrong or breaks something else: how would this show up? + + * It is assumed that any SRU candidate patch is well-tested before +upload and has a low overall risk of regression, but it's important +to make the effort to think about what ''could'' happen in the event +of a regression. + + * This must never be "None" or "Low", or entirely an argument as to why +your upload is low risk. + + * This both shows the SRU team that the risks have been considered, +and provides guidance to testers in regression-testing the SRU. + + [ Other Info ] + + * Anything else you think is useful to include + + * Make sure to explain any deviation from the norm, to save the SRU +reviewer from having to infer your reasoning, possibly incorrectly. +This should also help reduce review iterations, particularly when the +reason for the deviation is not obvious. + + * Anticipate questions from users, SRU, +1 maintenance, security teams +and the Technical Board and address these questions in advance + + + [ Original Description ] + After reloading haproxy with systemctl reload or after package upgrades, haproxy stops logging requests. The system logs show the following error messages: ``` kernel: audit: type=1400 audit(1768805529.843:1866): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="var/lib/haproxy/dev/log" pid=713657 comm="haproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ALERT](713657) : sendmsg()/writev() failed in logger #1: Permission denied (errno=13) ``` Restarting haproxy with systemctl restart fixes the issue. This started happening with noble. jammy works fine. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/502204 ** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/502205 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
This bug was fixed in the package rsyslog - 8.2512.0-1ubuntu4
---
rsyslog (8.2512.0-1ubuntu4) resolute; urgency=medium
* Update rsyslog apparmor profile to cope with log sockets in
chroot directories (LP: #2138647):
- d/usr.sbin.rsyslogd: add attach_disconnected flag to profile
- d/t/{control,haproxy-logging}: new test to confirm the fix
* d/p/fix-curl-ftbfs.patch: fix FTBFS with newer curl headers (LP: #2143157)
-- Andreas Hasenack Tue, 10 Mar 2026
12:16:41 -0300
** Changed in: rsyslog (Ubuntu Resolute)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2138647
Title:
haproxy stops logging after reload with permission denied error
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
** Changed in: haproxy (Ubuntu Resolute) Status: In Progress => Invalid ** Changed in: haproxy (Ubuntu Questing) Status: New => Invalid ** Changed in: haproxy (Ubuntu Noble) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
** Also affects: haproxy (Ubuntu Resolute) Importance: High Assignee: Andreas Hasenack (ahasenack) Status: In Progress ** Also affects: rsyslog (Ubuntu Resolute) Importance: Undecided Assignee: Andreas Hasenack (ahasenack) Status: In Progress ** Also affects: haproxy (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: rsyslog (Ubuntu Noble) Importance: Undecided Status: New ** Changed in: rsyslog (Ubuntu Noble) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: rsyslog (Ubuntu Noble) Status: New => In Progress ** Also affects: haproxy (Ubuntu Questing) Importance: Undecided Status: New ** Also affects: rsyslog (Ubuntu Questing) Importance: Undecided Status: New ** Changed in: rsyslog (Ubuntu Questing) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: rsyslog (Ubuntu Questing) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/501302 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
That is great news! Thank you very much for your efforts. Looking forward to the fix. :) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
I don't think there will be anything to fix in the haproxy package itself, but I'll leave that task open until I have a proper fix, which I think will be in rsyslog only. ** Also affects: rsyslog (Ubuntu) Importance: Undecided Status: New ** Changed in: rsyslog (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: rsyslog (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
Ok, I have a reproducer. What triggers this behavior is the rsyslog restart, not haproxy. When haproxy is upgraded or reinstalled (the package), it does restart, but it also touches the rsyslog snipped config at /etc/rsyslog.d/49-haproxy.conf. This triggers a restart of rsyslog itself via dpkg triggers, and that causes the problem. To reproduce, just restart rsyslog. After this, haproxy logging will be broken until haproxy itself is restarted: [Tue Mar 3 14:00:54 2026] audit: type=1400 audit(1772546453.881:137): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="var/lib/haproxy/dev/log" pid=5137 comm="haproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ** Changed in: haproxy (Ubuntu) Status: Confirmed => In Progress ** Changed in: haproxy (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
** Changed in: haproxy (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
** Tags removed: server-triage-discuss ** Tags added: server-todo -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
** Tags added: server-triage-discuss -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
It is running in a VM. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
@David, is your scenario running haproxy in a container, or vm/baremetal? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
Marking it as confirmed, because even though I only reproduced it once, it was there. But I'm still not sure what exactly is causing it. ** Changed in: haproxy (Ubuntu) Status: Incomplete => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
And here is /etc/apparmor.d/usr.sbin.rsyslogd as requested:
```
# Last Modified: Sun Sep 25 08:58:35 2011
#include
# Debugging the syslogger can be difficult if it can't write to the file
# that the kernel is logging denials to. In these cases, you can do the
# following:
# watch -n 1 'dmesg | tail -5'
profile rsyslogd /usr/sbin/rsyslogd {
#include
#include
capability sys_tty_config,
capability dac_override,
capability dac_read_search,
capability setuid,
capability setgid,
capability sys_nice,
capability syslog,
unix (receive) type=dgram,
unix (receive) type=stream,
# rsyslog configuration
/etc/rsyslog.conf r,
/etc/rsyslog.d/ r,
/etc/rsyslog.d/** r,
/{,var/}run/rsyslogd.pid{,.tmp} rwk,
# LP: #2056768
/{,var/}run/systemd/sessions/ r,
/{,var/}run/systemd/sessions/* r,
# LP: #2073628
@{run}/log/journal/ r,
/etc/machine-id r,
/var/spool/rsyslog/ r,
/var/spool/rsyslog/** rwk,
/usr/sbin/rsyslogd mr,
/usr/lib{,32,64}/{,@{multiarch}/}rsyslog/*.so mr,
/dev/tty* rw,
/dev/xconsole rw,
@{PROC}/kmsg r,
# allow access to console (LP: #2009230)
/dev/console rw,
/dev/log rwl,
/{,var/}run/utmp rk,
/var/lib/*/dev/logrwl,
/var/spool/postfix/dev/logrwl,
/{,var/}run/systemd/notifyw,
# 'r' is needed when using imfile
/var/log/** rw,
# LP: #2061726
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
# apparmor snippets for rsyslog from other packages
include if exists
# Site-specific additions and overrides. See local/README for details.
#include
}
```
This comes directly from the rsyslog package with is currently
8.2312.0-3ubuntu9.1 on my system.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2138647
Title:
haproxy stops logging after reload with permission denied error
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
Below is my sanitized haproxy config. The global and defaults sections
are unchanged from what the package provides out of the box except for
the 2 harden.reject-privileged-ports lines.
```
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See:
https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
# Hardening:
harden.reject-privileged-ports.tcp on
harden.reject-privileged-ports.quic on
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 5
timeout server 5
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen listener-http
bind some_ip:80
http-request deny unless { hdr(host) -i -f /etc/haproxy/all_domains }
use-server server1 if { hdr(host) -i domain1 }
server server1 server1_ip:80 no-check send-proxy-v2
...
listen listener-https
bindsome_ip:443
modetcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content reject unless { req.ssl_hello_type 1 } {
req.ssl_sni -i -f /etc/haproxy/all_domains }
use-server server1 if { req.ssl_sni -i domain1 }
server server1 server1_ip:443 no-check send-proxy-v2
...
```
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2138647
Title:
haproxy stops logging after reload with permission denied error
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
I reproduced this once in a VM: [Mon Jan 26 17:54:31 2026] audit: type=1400 audit(1769450071.099:128): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="var/lib/haproxy/dev/log" pid=3679 comm="haproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 But then not anymore. When haproxy is first installed, it does trigger an rsyslog apparmor profile reload, as it should, because it installs an rsyslog config snippet: [Mon Jan 26 18:04:39 2026] audit: type=1400 audit(1769450678.879:126): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="rsyslogd" pid=3752 comm="apparmor_parser" Setting up haproxy (2.8.16-0ubuntu0.24.04.1) ... Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service. Processing triggers for rsyslog (8.2312.0-3ubuntu9.1) ... <-- So that's working as expected. Then I go ahead and modify haproxy.cfg with a front and backend, for testing. And restart haproxy and test a connection: $ echo -ne "HEAD / HTTP/1.0\n\n" | nc localhost 8080 HTTP/1.1 200 OK date: Mon, 26 Jan 2026 18:07:32 GMT server: Apache/2.4.58 (Ubuntu) last-modified: Mon, 26 Jan 2026 18:04:22 GMT etag: "29af-6494e562dd0fa" accept-ranges: bytes content-length: 10671 vary: Accept-Encoding keep-alive: timeout=5, max=100 content-type: text/html connection: close And it worked, no apparmor message :/ There is something going on, because I did see the DENIED message once, but not again. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
haproxy ships a rsyslog configuration snippet:
$ cat /etc/rsyslog.d/49-haproxy.conf
# Create an additional socket in haproxy's chroot in order to allow logging via
# /dev/log to chroot'ed HAProxy processes
$AddUnixListenSocket /var/lib/haproxy/dev/log
# Send HAProxy messages to a dedicated logfile
:programname, startswith, "haproxy" {
/var/log/haproxy.log
stop
}
So rsyslog will open that socket, and indeed it does:
root@n-haproxy:~# fuser /var/lib/haproxy/dev/log
/var/lib/haproxy/dev/log: 2647
root@n-haproxy:~# ps fxaw|grep 2647
2707 pts/5S+ 0:00 \_ grep --color=auto 2647
2647 ?Ssl0:00 /usr/sbin/rsyslogd -n -iNONE
I straced haproxy while generating some traffic, and it looks like it chrooted
and then opened /dev/log, so it should be the one inside the chroot indeed:
3846 read(4, "global\n\tlog /dev/log\tlocal0\n\tlog"..., 4096) = 1504
3848 chroot("/var/lib/haproxy"
3848 <... chroot resumed>) = 0
3848 sendmsg(21, {msg_name={sa_family=AF_UNIX, sun_path="/dev/log"},
msg_namelen=110, msg_iov=[{iov_base="<134>", iov_len=5}, {iov_base="Jan 26
17:45:48 ", iov_len=16}, {iov_base="haproxy", iov_len=7}, {iov_base="[",
iov_len=1}, {iov_base="3848", iov_len=4}, {iov_base="]", iov_len=1},
{iov_base=": ", iov_len=2}, {iov_base="127.0.0.1:42154 [26/Jan/2026:17:"...,
iov_len=126}, {iov_base="\n", iov_len=1}], msg_iovlen=9, msg_controllen=0,
msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 163
Confirming chroot:
root3614 0.0 0.1 96876 13056 ?Ss 17:39 0:00
/usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S
/run/haproxy-master.sock
haproxy 3616 0.0 0.9 360900 73388 ?Sl 17:39 0:00 \_
/usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S
/run/haproxy-master.sock
root@n-haproxy:~# l /proc/3616/root
lrwxrwxrwx 1 root root 0 Jan 26 17:40 /proc/3616/root -> /var/lib/haproxy
The rsyslog apparmor profile also has an allow rule for chroots, like this:
/var/lib/*/dev/logrwl,
That matches /var/lib/haproxy/dev/log. So read is allowed.
Maybe the problem here is with the "disconnected path".
@David, could you please share your /etc/haproxy/haproxy.cfg file, and
/etc/apparmor.d/usr.sbin.rsyslogd?
Feek free to sanitize the haproxy config.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2138647
Title:
haproxy stops logging after reload with permission denied error
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
Please, move this bug status back to new once you provide further information on how to reproduce the issue. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2138647] Re: haproxy stops logging after reload with permission denied error
Thanks for reporting this one, David. Would you mind providing a short reproducer from a fresh Ubuntu installation (or container/vm)? I could not reproduce this locally with the following steps: 1) Install apache2 and haproxy 2) Configure haproxy to serve the default apache2 page 3) Request the default apache2 page through haproxy. Verify it is logging and that there are no apparmor errors. 4) Reload haproxy (systemd) 5) Repeat (3) expecting no new log entries and an apparmor error. Instead, I got the same results as the one in 3. ** Changed in: haproxy (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2138647 Title: haproxy stops logging after reload with permission denied error To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/2138647/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
