XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Critical
Fix Version/s: openshift-4.14
Affects Version/s: None
Component/s: None
Labels:
None

Epic Name:
Log Linking
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Epic Status:
To Do
Feature Link:
OCPSTRAT-100 - Log linking via CRIO
Parent Link:
OCPSTRAT-100Log linking via CRIO
Hierarchy Progress:
100
Hierarchy Progress Bar:

100% 100%
Target Version:

openshift-4.14

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Intelligence Requested:
Market:

Epic Goal

Support making containers logs in a pod available inside an emptyDir so they could be read/forwarded by a logging sidecar.

Why is this important?

Customers want to be able to access container logs easily inside the pods so they could read them and log them to their sinks using logging side car containers.

Scenarios

As an OpenShift cluster admin, I want my user to be able to forward logs using a logging side care without having to modify their application entrypoint.

Design

The admin labels namespaces that allow pods to request to hard link their logs through annotations (This is like a downward API for accessing logs).
A pod adds an annotation like "io.crio.link-logs": "true" or "name-of-emptyDir".
An admission controller checks if the pod's namespace allows that; if not, it removes the annotation, else allows it through.
Another admission controller ensures that there is an empty Dir volume in a pod with the desired name for logging.

(This part could also be modified to instead require users to specify the volume. I see their current code references requiring pod uid downward reference.)

5. CRI-O processes the annotation and hard links the logs to either pre-configured or specified emptyDir volume. (We are debating whether to have additional knob in CRI-O to put this into allowed_annotations or not.) CRI-O sets the right SELinux label for the log file.

6. When CRI-O gets a log rotation request from the kubelet, it makes sure that the hard link is updated as well. This lets us get rid of the service that is

using inotify watch to do this work.

CRI-O sets the right SELinux label for the log file.

Alternative CRI-O steps:

5. CRI-O processes the annotation on pod run and bind mounts the pod log directory to either pre-configured or specified emptyDir volume.
CRI-O sets the right SELinux label for the log file.

6. When CRI-O gets a log rotation request from the kubelet, it only needs to set the right SELinux label for the log file.

Note: The admission controller work is out of scope for this epic. This epic is mainly concerned with CRI-O linking the logs once it sees the annotation.

Acceptance Criteria

CI - MUST be running successfully with tests automated
Release Technical Enablement - Provide necessary release enablement details and documents.

Dependencies (internal and external)

Previous Work (Optional):

Open questions::

Should we require crio allowed_annotations for this?

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

Assignee:: Peter Hunt

Reporter:: Gaurav Singh

QA Contact:: Min Li

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2023/04/24 7:23 PM

Updated:: 2023/10/02 5:21 PM

Resolved:: 2023/08/28 4:22 AM

Details

Description

Epic Goal

Why is this important?

Scenarios

Design

Acceptance Criteria

Dependencies (internal and external)

Previous Work (Optional):

Open questions::

Done Checklist

Attachments

Activity

People

Dates

Hide