Logging 2.5 (new) - logging output with Kafka -> error in configuration

[bramamad]

What kind of request is this (question/bug/enhancement/feature request):

Steps to reproduce (least amount of steps as possible):

• Install new logging feature (2.5)
• Create secret with client-cert & client-key
• Define logging ClusterOutput for Kafka -> use secret with client cert
• Define logging ClusterFlow -> standard definition; output to Kafka resource

Result:

• Deployment fluentd produces error messages each 2 seconds: <Fluent::Config::Section {"@label":"@650bba84ed1169f10174502209f3f37e","tag":"","matches":["<Fluent::Config::Section {\"labels\":{},\"namespaces\":[],\"hosts\":[],\"container_names\":[],\"negate\":false}>","<Fluent::Config::Section {\"labels\":{},\"namespaces\":[\"kube-system\"],\"hosts\":[],\"container_names\":[],\"negate\":true}>"]}> <Fluent::Config::Section {"@label":"@650bba84ed1169f10174502209f3f37e","tag":"","matches":["<Fluent::Config::Section {\"labels\":{},\"namespaces\":[],\"hosts\":[],\"container_names\":[],\"negate\":false}>","<Fluent::Config::Section {\"labels\":{},\"namespaces\":[\"kube-system\"],\"hosts\":[],\"container_names\":[],\"negate\":true}>"]}> 2020-11-25 09:06:03 +0000 [error]: fluent/log.rb:369:error: unexpected error error_class=Errno::ENOENT error="No such file or directory @ rb_sysopen - -----BEGIN CERTIFICATE-----" 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-kafka-0.14.0/lib/fluent/plugin/kafka_plugin_util.rb:41:in read' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-kafka-0.14.0/lib/fluent/plugin/kafka_plugin_util.rb:41:inread_ssl_file' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-kafka-0.14.0/lib/fluent/plugin/out_kafka2.rb:109:in refresh_client' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluent-plugin-kafka-0.14.0/lib/fluent/plugin/out_kafka2.rb:182:instart' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/root_agent.rb:200:in block in start' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/root_agent.rb:179:inblock (2 levels) in lifecycle' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/agent.rb:121:in block (2 levels) in lifecycle' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/agent.rb:120:ineach' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/agent.rb:120:in block in lifecycle' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/agent.rb:113:ineach' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/agent.rb:113:in lifecycle' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/root_agent.rb:178:inblock in lifecycle' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/root_agent.rb:175:in each' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/root_agent.rb:175:inlifecycle' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/root_agent.rb:199:in start' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/engine.rb:248:instart' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/engine.rb:147:in run' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/supervisor.rb:603:inblock in run_worker' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/supervisor.rb:840:in main_process' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/supervisor.rb:594:inrun_worker' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/command/fluentd.rb:361:in <top (required)>' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/2.7.0/rubygems/core_ext/kernel_require.rb:72:inrequire' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/2.7.0/rubygems/core_ext/kernel_require.rb:72:in require' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/bin/fluentd:8:in<top (required)>' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/bin/fluentd:23:in load' 2020-11-25 09:06:03 +0000 [error]: fluent/supervisor.rb:839:main_process: /usr/bin/fluentd:23:in
  '

Other details that may be helpful:

• It seems that the fluentd.conf file is mis-configured. The configuration looks like this:

ssl_client_cert -----BEGIN CERTIFICATE----- MIIGuDCCBaCgAwIBAgIUGhRjYZfN/5vrp6g81IWZiBFEnaowDQYJKoZIhvcNAQEL .............. 9IK9neCAOVxetolNOHhJ9Nk4ikimbMVK05ccBminuA58YKy7GdW3JkW2gl8= -----END CERTIFICATE-----

ssl_client_cert_key -----BEGIN PRIVATE KEY----- MIIEvgIBADAN...................... BdHSVLoJvXTOmHNLQfqQuNuZpLzlzSS44oRg26lr8AOWVaCfRPZ1Qw1UiqyIB6OP nh4qO1W8QOa10RnTBGyldJOu -----END PRIVATE KEY-----

• But it should use a file reference as in logging til 2.4 like this:

ssl_client_cert /fluentd/etc/config/ssl/cluster_c-9d8lb_client-cert.pem ssl_client_cert_key /fluentd/etc/config/ssl/cluster_c-9d8lb_client-key.pem container (1).log

• The rancher logging configurator seems to do a mistake.

Environment information

• Rancher version (rancher/rancher/rancher/server image tag or shown bottom left in the UI): v2.5.2
• Installation option (single install/HA): single install

[bramamad]

Will someone have a look at this error ? Or what can I do for solving this problem ?

[bsauvajon]

Hello, I'm having the same problem, did you find a solution ?

[bramamad]

Hi, no I never got a solution for this fluentd problem. - Now I changed it and we use filebeat with kafka output as log collector. That works and is a lot more easier. Unfortunately, it is a site specific solution.

[bsauvajon]

Hello, I finally found the solution in banzaicloud documentation, edit the output yaml configuration and replace the keys "valueFrom" by "mountFrom". It will automaticcaly mount the secrets in files, and use these files in the fluentd configuration. It would be great if rancher could generate the configuration with the right keys !

[stale[bot]]

This repository uses a bot to automatically label issues which have not had any activity (commit/comment/label) for 60 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the bot can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the bot will automatically close the issue in 14 days. Thank you for your contributions.

[bdekany]

Similar issue with Splunk https://github.com/rancher/rancher/issues/31810

[paynejacob]

This is a bug in the upstream chart https://github.com/banzaicloud/logging-operator/issues/833 I do not know of any workarounds at this time.

[snasovich]

Setting as “Need Info” as full-in for Blocked status as we’re blocked by upstream issue.

[belgaied2]

There is an underlying Rancher UI bug here, since, the form for ClusterOutput, let's say for elasticsearch, will offer the user to choose a secret (for example as a ca_file)

and would generate in the YAML valueFrom instead of the expected mountFrom:

[deniseschannon]

@belgaied2 Does that mean if we did the yaml correctly, then this use case would work?

[belgaied2]

@deniseschannon That's what I tested, the ClusterOutput would work correctly (at least in my tests with Elasticsearch). As the Logging Operator is supposed to take mountFrom instead of valueFrom, the bug referenced by @paynejacob is actually one that can cause misconfiguration because valueFrom is accepted for SSL certificates where it should not!

As mentioned above by @bsauvajon _

Hello, I finally found the solution in banzaicloud documentation, edit the output yaml configuration and replace the keys "valueFrom" by "mountFrom". It will automaticcaly mount the secrets in files, and use these files in the fluentd configuration. It would be great if rancher could generate the configuration with the right keys !

So, basically, though Rancher is capable through the UI abstraction to avoid the possible misconfiguration by generating the right mountFrom, it does cause the misconfiguration by generating valueFrom.

So, yes, short answer is : generating the yaml correctly would most certainly solve the issue/use case.

[belgaied2]

BTW @deniseschannon the problem at hand is better described in this issue : rancher/dashboard#5157

[deniseschannon]

Thanks for your detail @belgaied2!

Since these look like UI related issues, I've transferred them into the dashboard repo, but in general, any and all UI issues should be filed in rancher/dashboard