Migrate from docker to cri logs (#92)

Signed-off-by: QuentinBisson <[email protected]>

Signed-off-by: QuentinBisson <[email protected]>

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
+### Changed
+
+- Support CRI instead of Docker log format.
+- Change storage path to not use a tmpfs filesystem to not overload nodes.
+
 ## [1.4.0] - 2022-08-04
 
 ### Changed

helm/fluent-logshipping-app/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.7.9
+appVersion: 1.9.8
 description: The Log Shipping App forwards cluster logs to storage backends
 engine: gotpl
 home: https://github.com/giantswarm/fluent-logshipping-app

helm/fluent-logshipping-app/templates/configmap.yaml

@@ -17,8 +17,8 @@ data:
 
     @SET input_buffer_max_size=1MB
 
-    @SET input_database_path=/var/run/fluent-bit
-    @SET storage_path=/var/run/fluent-bit/storage
+    @SET input_database_path=/var/tmp/fluent-bit
+    @SET storage_path=/var/tmp/fluent-bit/storage
 
     [SERVICE]
         Flush             {{ .Values.fluentbit.flushFrequencyInSeconds }}
@@ -57,10 +57,9 @@ data:
         Name              tail
         Tag               kubernetes.*
         Alias             kubernetes
-        Parser            docker
+        Parser            cri
         Path              /var/log/containers/*.log
         DB                ${input_database_path}/kubernetes.db
-        Docker_Mode       on
 
         # Buffering options
         Mem_Buf_Limit     ${input_memory_buffer_limit}
@@ -154,11 +153,13 @@ data:
 
   parsers.conf: |
     [PARSER]
-        Name         docker
-        Format       json
-        Time_Key     time
-        Time_Format  %Y-%m-%dT%H:%M:%S.%L
-        Time_Keep    On
+        # http://rubular.com/r/tjUt3Awgg4
+        Name cri
+        Format regex
+        Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
+        Time_Key    time
+        Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+        Time_Keep   On
 
     [PARSER]
         Name   apache
@@ -447,7 +448,7 @@ data:
         s3_key_format                {{ printf "/ssh%s" .Values.outputs.aws.S3.s3_object_key_format }}
         {{- end }}
         s3_key_format_tag_delimiters .-_
-        store_dir                    ${storage_path}/S3
+        store_dir                    ${storage_path}/S3/ssh/sshd
         send_content_md5             true
     [OUTPUT]
         Name                         s3
@@ -469,7 +470,7 @@ data:
         s3_key_format                {{ printf "/ssh%s" .Values.outputs.aws.S3.s3_object_key_format }}
         {{- end }}
         s3_key_format_tag_delimiters .-_
-        store_dir                    ${storage_path}/S3
+        store_dir                    ${storage_path}/S3/ssh/execve
         send_content_md5             true
   {{- end }}
 
@@ -494,7 +495,7 @@ data:
         s3_key_format                {{ printf "/syslog%s" .Values.outputs.aws.S3.s3_object_key_format }}
         {{- end }}
         s3_key_format_tag_delimiters .-_
-        store_dir                    ${storage_path}/S3
+        store_dir                    ${storage_path}/S3/syslog
         send_content_md5             true
   {{- end }}
 
@@ -519,7 +520,7 @@ data:
         s3_key_format                {{ printf "/containers%s" .Values.outputs.aws.S3.s3_object_key_format }}
         {{- end }}
         s3_key_format_tag_delimiters .-_
-        store_dir                    ${storage_path}/S3
+        store_dir                    ${storage_path}/S3/containers
         send_content_md5             true
   {{- end }}
 
@@ -544,7 +545,7 @@ data:
         s3_key_format                {{ printf "/k8s-audit%s" .Values.outputs.aws.S3.s3_object_key_format }}
         {{- end }}
         s3_key_format_tag_delimiters .-_
-        store_dir                    ${storage_path}/S3
+        store_dir                    ${storage_path}/S3/k8s-audit
         send_content_md5             true
  {{- end }}
  {{- end }}

helm/fluent-logshipping-app/templates/daemonset.yaml

@@ -96,11 +96,8 @@ spec:
         - name: var-log
           mountPath: /var/log
           readOnly: true
-        - name: var-run-fluent-bit
-          mountPath: /var/run/fluent-bit
-        - name: var-lib-docker-containers
-          mountPath: /var/lib/docker/containers
-          readOnly: true
+        - name: var-tmp-fluent-bit
+          mountPath: /var/tmp/fluent-bit
         - name: fluent-bit-config
           mountPath: /fluent-bit/etc/
         ## Needed for syslog to work as the syslog plugins needs this id
@@ -115,13 +112,10 @@ spec:
       - name: var-log
         hostPath:
           path: /var/log
-      - name: var-run-fluent-bit
+      - name: var-tmp-fluent-bit
         hostPath:
-          path: /var/run/fluent-bit
+          path: /var/tmp/fluent-bit
           type: DirectoryOrCreate
-      - name: var-lib-docker-containers
-        hostPath:
-          path: /var/lib/docker/containers
       - name: fluent-bit-config
         configMap:
           name: {{ include "resource.default.name" . }}-configmap

helm/fluent-logshipping-app/values.yaml

@@ -26,7 +26,7 @@ fluentbit:
     name: giantswarm/fluent-bit
     # -- Overrides the image tag whose default is the chart's appVersion
     # This image fixes some systemd issues fixed in 1.8.x and adds the aws-for-fluent-bit cloudwatch plugin to be able to template cloudwatch log stream names.
-    tag: "1.7.9-systemd247-aws-plugins"
+    tag: "1.9.8-aws-plugins"
 
   logLevel: info
   flushFrequencyInSeconds: 5