Collect /var/log without fluentd sidecar #4156
Conversation
knative-prow-robot
added
the
size/XXL
config/monitoring/logging/elasticsearch/100-fluentd-configmap.yaml
Outdated
Show resolved
Hide resolved
|
/approve /hold You can |
knative-prow-robot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: evankanderson, JRBANCEL The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow-robot
added
the
approved
|
Please review again.
What has changed:
|
JRBANCEL
force-pushed
the
collect-var-log-without-sidecar
branch
from
aa4b3c7 to
0988310
Compare
|
/retest |
|
/lgtm |
knative-prow-robot
added
lgtm
JRBANCEL
force-pushed
the
collect-var-log-without-sidecar
branch
from
4a9250f to
338183c
Compare
There was a problem hiding this comment.
Thanks for the test -- I'm wondering if the linking logic it should live in cmd or pkg.
Also, I'm wondering if a small design doc would help explain this -- doing this from another container is very clever, but I worry that future readers will be confused.
It's particularly nice that this doesn't require additional privilege for the queue-proxy, just a shared volume.
Yes, I was thinking about updating the doc and add more details about how and why it works. Right now, this is blocked because we want the default GKE fluentd configuration to capture those /var/log logs out of the box. I'll update their fluentd config and submit a PR. |
| @@ -99,6 +106,17 @@ func initEnv() { | |||
| servingService = os.Getenv("SERVING_SERVICE") // KService is optional | |||
| userTargetPort = util.MustParseIntEnvOrFatal("USER_PORT", logger) | |||
| userTargetAddress = fmt.Sprintf("127.0.0.1:%d", userTargetPort) | |||
| userContainerName = util.GetRequiredEnvOrFatal("USER_CONTAINER_NAME", logger) | |||
|
|
|||
| enableVarLogCollection, _ = strconv.ParseBool(os.Getenv("ENABLE_VAR_LOG_COLLECTION")) // Optional, default is false | |||
There was a problem hiding this comment.
Given the simplicity of this trick, what are the trade-offs that would lead us to not simply enable this by default?
There was a problem hiding this comment.
- Cost: why pay for logs you don't need by default?
- Privacy: I am not sure collecting everything in /var/log by default is safe, who knows what is logged there
- Backwards compatibility
There was a problem hiding this comment.
Can't the log collection and so forth be controlled by either the fluentd config or by deleting the daemonset?
There was a problem hiding this comment.
Yes, one can modify the fluentd config, but:
- It is global, there was a discussion about making varlog collection a flag per revision instead of globally. This makes the implementation of such feature easy.
- It is not always possible (GKE default fluentd config cannot be modified for example). More generally, it is not necessarily the same people operating Knative and fluentd (the infra).
…ags and proper stream field
Speeds up startup by preventing k8s to look for the latest image everytime it starts a pod.
JRBANCEL
force-pushed
the
collect-var-log-without-sidecar
branch
from
766e689 to
3f9b182
Compare
|
The following is the coverage report on pkg/.
|
Related to issue knative/serving#818 and change knative/serving#4156.
|
Can someone give this a new /lgtm before new conflicts show up? |
|
/lgtm |
|
/hold cancel |
knative-prow-robot
removed
the
do-not-merge/hold
|
/retest |
1 similar comment
|
/retest |
Fixes #818
Proposed Changes
Have fluend daemon set capture
user-container's/var/loglogs directly instead of injecting a fluentd sidecar.Changes:
user-container's/var/logvolume with the information needed bykubernetes_metadata_filter. See this for more details.Result
Given some container logging to stdout/stderr and various files inside /var/log:
The resulting logs are captured and enriched by fluentd daemon set.
I also added some fluentd magic so that the logs coming from /var/log have a
streamfield populated with the path of the log file so that it matches what docker does withstreambeing eitherstdoutorstderr.Next
Add E2E test as part of #647