[WIP] journal: support match negation

[mrc0mmand]

To get myself familiar further with the systemd codebase (and to fix an issue which has been nagging me for a while), I implemented (or at least tried to) a fix for #2720.

First of all, this is just a (working, so far) mockup, as I'd like to get a feedback if this is even the right approach.

To avoid collisions with bash operators and such (i.e. using ! or - for negation) I chose ~ as a prefix for a field user wants to NOT match.

For example:
journalctl -b ~MESSAGE="this is sparta"
shows all messages for this boot which are not "this is sparta".

$ build/journalctl --no-pager --file system.journal --since "2019-01-14 14:21:13" | tail -n 4
Jan 14 14:21:13 pyrelight systemd[1]: Stopped Getty on tty2.
Jan 14 14:21:13 pyrelight systemd[1]: Stopped Getty on tty5.
Jan 14 14:21:13 pyrelight systemd[1]: Stopped Getty on tty3.
Jan 14 14:21:13 pyrelight kernel: audit: type=1131 audit(1547472073.653:1033): pid=8784 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:spc_t:s0 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

$ build/journalctl --no-pager --file system.journal --since "2019-01-14 14:21:13" MESSAGE="Stopped Getty on tty3." | tail -n 4
-- Logs begin at Mon 2019-01-14 14:15:24 CET, end at Mon 2019-01-14 14:21:13 CET. --
Jan 14 14:21:13 pyrelight systemd[1]: Stopped Getty on tty3.

$ build/journalctl --no-pager --file system.journal --since "2019-01-14 14:21:13" ~MESSAGE="Stopped Getty on tty3." | tail -n 4
Jan 14 14:21:13 pyrelight kernel: audit: type=1131 audit(1547472073.653:1032): pid=8784 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:spc_t:s0 msg='unit=getty@tty5 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 14 14:21:13 pyrelight systemd[1]: Stopped Getty on tty2.
Jan 14 14:21:13 pyrelight systemd[1]: Stopped Getty on tty5.
Jan 14 14:21:13 pyrelight kernel: audit: type=1131 audit(1547472073.653:1033): pid=8784 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:spc_t:s0 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

TODO: tests

[dnicolodi]

The ~ prefix is also not optimal because it expands to the home directory of the user whose user name is the string that follows. Thus your proposed syntax works without quoting only as long as there are not clashes between user names and journal field names.

[mrc0mmand]

The ~ prefix is also not optimal because it expands to the home directory of the user whose user name is the string that follows. Thus your proposed syntax works without quoting only as long as there are not clashes between user names and journal field names.

Hah, that completely slipped my mind, thank you. I need to take a closer look at this, especially after letting this PR lay dormant for more than a half an year.

[keszybz]

@mrc0mmand update?

[poettering]

So, the journal file format actionally contains a bisection table (i.e. a strictly ordered array) to find all entry records for a specific data record. i.e. for each assignment as in FOO=BAR (i.e. each "data record") we actually have a list of entry records by their offset that contain them. We can use this to speed things up a bit, i.e. we don't actually have to go to an entry record to check if it lacks a specific data record. We instead can go to just go to the data record that shall not match, and then just check if the offset of the next potentially matching entry is in there. or in other words:

figure out the offset of the next potential entry, check it against any of the negation data record entry arrays, and skip them immediately if they appear there.