Red Hat Summit로깅
OpenShift Container Platform에서 로깅 구성 및 사용
초록
1장. 릴리스 노트
1.1. Logging 5.8
로깅은 코어 OpenShift Container Platform과 별도의 릴리스 사이클을 사용하여 설치 가능한 구성 요소로 제공됩니다. Red Hat OpenShift Container Platform 라이프 사이클 정책은 릴리스 호환성에 대해 간단히 설명합니다.
stable 채널은 최신 로깅 릴리스에 대한 업데이트만 제공합니다. 이전 릴리스에 대한 업데이트를 계속 받으려면 서브스크립션 채널을 stable-x.y 로 변경해야 합니다. 여기서 x.y 는 설치한 로깅 및 마이너 버전을 나타냅니다. 예를 들면 stable-5.7 입니다.
1.1.1. 로깅 5.8.16
이 릴리스에는 RHBA-2024:10989 및 RHBA-2024:143685 이 포함되어 있습니다.
1.1.1.1. 버그 수정
- 이번 업데이트 이전에는 Loki가 로그 메시지의 로그 수준을 자동으로 추측하려고 했습니다. 이로 인해 수집기가 이미 이 작업을 수행했기 때문에 혼동이 발생했으며 Loki와 수집기는 종종 다른 결과로 나타납니다. 이번 업데이트를 통해 Loki의 자동 로그 수준 검색이 비활성화됩니다. LOG-6322.
1.1.1.2. CVE
- CVE-2019-12900
- CVE-2021-3903
- CVE-2023-38709
- CVE-2024-2236
- CVE-2024-2511
- CVE-2024-3596
- CVE-2024-4603
- CVE-2024-4741
- CVE-2024-5535
- CVE-2024-6232
- CVE-2024-9287
- CVE-2024-10041
- CVE-2024-10963
- CVE-2024-11168
- CVE-2024-24795
- CVE-2024-36387
- CVE-2024-41009
- CVE-2024-42244
- CVE-2024-47175
- CVE-2024-47875
- CVE-2024-50226
- CVE-2024-50602
1.1.2. 로깅 5.8.15
이 릴리스에는 RHBA-2024:10052 및 RHBA-2024:10053 이 포함되어 있습니다.
1.1.2.1. 버그 수정
1.1.2.2. CVE
- CVE-2021-47385
- CVE-2023-28746
- CVE-2023-48161
- CVE-2023-52658
- CVE-2024-6119
- CVE-2024-6232
- CVE-2024-21208
- CVE-2024-21210
- CVE-2024-21217
- CVE-2024-21235
- CVE-2024-27403
- CVE-2024-35989
- CVE-2024-36889
- CVE-2024-36978
- CVE-2024-38556
- CVE-2024-39483
- CVE-2024-39502
- CVE-2024-40959
- CVE-2024-42079
- CVE-2024-42272
- CVE-2024-42284
- CVE-2024-3596
- CVE-2024-5535
1.1.3. 로깅 5.8.14
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.14 및 OpenShift Logging 버그 수정 릴리스 5.8.14 가 포함되어 있습니다.
1.1.3.1. 버그 수정
-
이번 업데이트 이전에는
ClusterLogForwarder사용자 정의 리소스에서.containerLimit.maxRecordsPerSecond매개변수를0으로 설정하여 Vector를 시작하는 동안 예외가 발생할 수 있었습니다. 이번 업데이트를 통해 구성이 적용되기 전에 유효성이 검사되고 유효하지 않은 값(0 이 아님)이 거부됩니다. (LOG-4671) -
이번 업데이트 이전에는 Loki Operator가 모든 경고 규칙에 기본
네임스페이스레이블을 자동으로 추가하지 않아 사용자 정의 프로젝트의 Alertmanager 인스턴스가 이러한 경고 라우팅을 건너뛰었습니다. 이번 업데이트를 통해 모든 경고 및 기록 규칙에namespace라벨이 있으며 Alertmanager는 이제 이러한 경고를 올바르게 라우팅합니다. (LOG-6182) - 이번 업데이트 이전에는 LokiStack 룰러 구성 요소 뷰가 올바르게 초기화되지 않아 ruler 구성 요소가 비활성화되었을 때 유효하지 않은 필드 오류가 발생했습니다. 이번 업데이트를 통해 빈 값으로 초기화되는 구성 요소 뷰에 의해 문제가 해결됩니다. (LOG-6184)
1.1.3.2. CVE
Red Hat 보안 등급에 대한 자세한 내용은 심각도 등급을 참조하십시오.
1.1.4. 로깅 5.8.13
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.13 및 OpenShift Logging 버그 수정 릴리스 5.8.13 이 포함되어 있습니다.
1.1.4.1. 버그 수정
-
이번 업데이트 이전에는 Fluentd를 수집기 유형으로 사용할 때
clusterlogforwarder.spec.outputs.http.timeout매개변수가 Fluentd 구성에 적용되지 않아 HTTP 시간 초과가 잘못 구성됩니다. 이번 업데이트를 통해clusterlogforwarder.spec.outputs.http.timeout매개변수가 올바르게 적용되어 Fluentd가 지정된 타임아웃을 준수하고 사용자 구성에 따라 HTTP 연결을 처리합니다. (LOG-5210) - 이번 업데이트 이전에는 Elasticsearch Operator에서 사용자에게 향후 제거에 대해 알리는 경고를 발행하지 않아 기존 설치가 통지 없이 지원되지 않습니다. 이번 업데이트를 통해 Elasticsearch Operator는 OpenShift Container Platform 버전 4.16 이상에서 지속적인 경고를 트리거하여 2025년 11월 카탈로그에서 해당 카탈로그의 제거를 사용자에게 알립니다. (LOG-5966)
- 이번 업데이트 이전에는 OpenShift Container Platform 버전 4.16 이상에서 Red Hat OpenShift Logging Operator를 사용할 수 없어 Telco 고객이 향후 Logging 6.0 릴리스에 대한 인증을 완료하지 못했습니다. 이번 업데이트를 통해 OpenShift Container Platform 버전 4.16 및 4.17에서 Red Hat OpenShift Logging Operator를 사용할 수 있으므로 이 문제를 해결합니다. (LOG-6103)
- 이번 업데이트 이전에는 OpenShift Container Platform 버전 4.17 및 4.18에서 Elasticsearch Operator를 사용할 수 없었습니다. ServiceMesh, Kiali 및 Distributed Tracing이 설치되지 않았습니다. 이번 업데이트를 통해 OpenShift Container Platform 버전 4.17 및 4.18에 대해 Elasticsearch Operator 속성이 확장되어 문제를 해결하고 ServiceMesh, Kiali 및 Distributed Tracing Operator가 스택을 설치할 수 있도록 허용합니다. (LOG-6134)
1.1.4.2. CVE
- CVE-2023-52463
- CVE-2023-52801
- CVE-2024-6104
- CVE-2024-6119
- CVE-2024-26629
- CVE-2024-26630
- CVE-2024-26720
- CVE-2024-26886
- CVE-2024-26946
- CVE-2024-34397
- CVE-2024-35791
- CVE-2024-35797
- CVE-2024-35875
- CVE-2024-36000
- CVE-2024-36019
- CVE-2024-36883
- CVE-2024-36979
- CVE-2024-38559
- CVE-2024-38619
- CVE-2024-39331
- CVE-2024-40927
- CVE-2024-40936
- CVE-2024-41040
- CVE-2024-41044
- CVE-2024-41055
- CVE-2024-41073
- CVE-2024-41096
- CVE-2024-42082
- CVE-2024-42096
- CVE-2024-42102
- CVE-2024-42131
- CVE-2024-45490
- CVE-2024-45491
- CVE-2024-45492
- CVE-2024-2398
- CVE-2024-4032
- CVE-2024-6232
- CVE-2024-6345
- CVE-2024-6923
- CVE-2024-30203
- CVE-2024-30205
- CVE-2024-39331
- CVE-2024-45490
- CVE-2024-45491
- CVE-2024-45492
Red Hat 보안 등급에 대한 자세한 내용은 심각도 등급을 참조하십시오.
1.1.5. 로깅 5.8.12
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.12 및 OpenShift Logging 버그 수정 릴리스 5.8.12 가 포함되어 있습니다.
1.1.5.1. 버그 수정
-
이번 업데이트 이전에는 수집기에서
drop_newest설정과 함께 내부 버퍼링을 사용하여 높은 메모리 사용량을 줄였습니다. 이로 인해 로그 손실이 크게 발생했습니다. 이번 업데이트를 통해 수집기는 기본 동작으로 돌아갑니다. 여기서sink<>.buffer는 사용자 지정되지 않습니다. (LOG-6026)
1.1.5.2. CVE
- CVE-2023-52771
- CVE-2023-52880
- CVE-2024-2398
- CVE-2024-6345
- CVE-2024-6923
- CVE-2024-26581
- CVE-2024-26668
- CVE-2024-26810
- CVE-2024-26855
- CVE-2024-26908
- CVE-2024-26925
- CVE-2024-27016
- CVE-2024-27019
- CVE-2024-27020
- CVE-2024-27415
- CVE-2024-35839
- CVE-2024-35896
- CVE-2024-35897
- CVE-2024-35898
- CVE-2024-35962
- CVE-2024-36003
- CVE-2024-36025
- CVE-2024-37370
- CVE-2024-37371
- CVE-2024-37891
- CVE-2024-38428
- CVE-2024-38476
- CVE-2024-38538
- CVE-2024-38540
- CVE-2024-38544
- CVE-2024-38579
- CVE-2024-38608
- CVE-2024-39476
- CVE-2024-40905
- CVE-2024-40911
- CVE-2024-40912
- CVE-2024-40914
- CVE-2024-40929
- CVE-2024-40939
- CVE-2024-40941
- CVE-2024-40957
- CVE-2024-40978
- CVE-2024-40983
- CVE-2024-41041
- CVE-2024-41076
- CVE-2024-41090
- CVE-2024-41091
- CVE-2024-42110
- CVE-2024-42152
1.1.6. 로깅 5.8.11
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.11 및 OpenShift Logging 버그 수정 릴리스 5.8.11 이 포함되어 있습니다.
1.1.6.1. 버그 수정
-
이번 업데이트 이전에는 브로커 URL 스키마를 확인하지 않고 TLS 섹션이 추가되어 URL이
tls로 시작되지 않은 경우 SSL 연결 오류가 발생했습니다. 이번 업데이트를 통해 브로커 URL이tls로 시작하는 경우에만 TLS 섹션이 추가되어 SSL 연결 오류가 발생하지 않습니다. (LOG-5139) - 이번 업데이트 이전에는 검증 실패로 인해 로그 이벤트를 삭제한 경우 Loki Operator에서 경고를 트리거하지 않았습니다. 이번 업데이트를 통해 Loki Operator에는 검증 실패로 인해 Loki가 로그 이벤트를 삭제하는 경우 경고를 트리거하는 새 경고 정의가 포함되어 있습니다. (LOG-5896)
- 이번 업데이트 이전에는 4.16 GA 카탈로그에 Elasticsearch Operator 5.8이 포함되지 않았습니다. Service Mesh, Kiali, Tracing과 같은 제품을 설치하지 않았습니다. 이번 업데이트를 통해 Elasticsearch Operator 5.8은 이제 4.16에서 사용할 수 있으며 이러한 제품에 대한 Elasticsearch 스토리지만 지원합니다. (LOG-5911)
- 이번 업데이트 이전에는 LokiStack 리소스 상태의 중복 조건으로 인해 Loki Operator에서 유효하지 않은 지표가 발생했습니다. 이번 업데이트를 통해 Operator는 상태에서 중복 조건을 제거합니다. (LOG-5857)
- 이번 업데이트 이전에는 LokiStack Route 리소스에서 Loki Operator가 사용자 주석을 초과하여 사용자 지정이 삭제됩니다. 이번 업데이트를 통해 Loki Operator에서 더 이상 Route 주석을 덮어쓰지 않고 문제를 해결합니다. (LOG-5946)
1.1.6.2. CVE
- CVE-2021-47548
- CVE-2021-47596
- CVE-2022-48627
- CVE-2023-52638
- CVE-2024-4032
- CVE-2024-6409
- CVE-2024-21131
- CVE-2024-21138
- CVE-2024-21140
- CVE-2024-21144
- CVE-2024-21145
- CVE-2024-21147
- CVE-2024-24806
- CVE-2024-26783
- CVE-2024-26858
- CVE-2024-27397
- CVE-2024-27435
- CVE-2024-35235
- CVE-2024-35958
- CVE-2024-36270
- CVE-2024-36886
- CVE-2024-36904
- CVE-2024-36957
- CVE-2024-38473
- CVE-2024-38474
- CVE-2024-38475
- CVE-2024-38477
- CVE-2024-38543
- CVE-2024-38586
- CVE-2024-38593
- CVE-2024-38663
- CVE-2024-39573
1.1.7. 로깅 5.8.10
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.10 및 OpenShift Logging 버그 수정 릴리스 5.8.10 이 포함되어 있습니다.
1.1.7.1. 확인된 문제
- 이번 업데이트 이전에는 보존을 활성화할 때 Loki Operator에서 잘못된 구성을 생성했습니다. 그 결과 Loki가 제대로 시작되지 않았습니다. 이번 업데이트를 통해 Loki Pod는 보존을 설정할 수 있습니다. (LOG-5821)
1.1.7.2. 버그 수정
-
이번 업데이트 이전에는
ClusterLogForwarder에서RFC3164사양을 따르지 않은 메시지 페이로드에 추가 공간을 도입했습니다. 이번 업데이트를 통해 추가 공간이 제거되어 문제가 해결되었습니다. (LOG-5647)
1.1.7.3. CVE
1.1.8. 로깅 5.8.9
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.9 및 OpenShift Logging 버그 수정 릴리스 5.8.9 가 포함되어 있습니다.
1.1.8.1. 버그 수정
- 이번 업데이트 이전에는 로그가 생성된 경우에도 더 이상 존재하지 않는 Pod를 선택하지 못했습니다. 이번 업데이트를 통해 이 문제가 해결되어 이러한 Pod를 선택할 수 있습니다. (LOG-5698)
-
이번 업데이트 이전에는 LokiStack에 볼륨 API의 경로가 누락되어
404 not found라는 오류가 발생했습니다. 이번 업데이트를 통해 LokiStack은 볼륨 API를 노출하여 문제를 해결합니다. (LOG-5750) -
이번 업데이트 이전에는 Elasticsearch Operator가 소유권을 고려하지 않고 모든 서비스 계정 주석을 덮어씁니다. 결과적으로
kube-controller-manager가 소유하는 서비스 계정에 대한 링크를 기록했기 때문에 서비스 계정 시크릿을 다시 생성했습니다. 이번 업데이트를 통해 Elasticsearch Operator는 주석을 병합하여 문제를 해결합니다. (LOG-5776)
1.1.8.2. CVE
1.1.9. 로깅 5.8.8
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.8 및 OpenShift Logging 버그 수정 릴리스 5.8.8 이 포함되어 있습니다.
1.1.9.1. 버그 수정
-
이번 업데이트 이전에는 LokiStack을 구성할 때
LokiStack을 구성할 때 Ingesters를 다시 시작할 때 Loki Operator가1x.demo크기의 write-ahead logreplay_memory_ceiling을 0바이트로 설정했기 때문에 지연이 발생했습니다. 이번 업데이트를 통해replay_memory_ceiling에 사용되는 최소 값이 지연을 방지하기 위해 증가했습니다. (LOG-5615)
1.1.9.2. CVE
- CVE-2020-15778
- CVE-2021-43618
- CVE-2023-6004
- CVE-2023-6597
- CVE-2023-6918
- CVE-2023-7008
- CVE-2024-0450
- CVE-2024-2961
- CVE-2024-22365
- CVE-2024-25062
- CVE-2024-26458
- CVE-2024-26461
- CVE-2024-26642
- CVE-2024-26643
- CVE-2024-26673
- CVE-2024-26804
- CVE-2024-28182
- CVE-2024-32487
- CVE-2024-33599
- CVE-2024-33600
- CVE-2024-33601
- CVE-2024-33602
1.1.10. 로깅 5.8.7
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.7 보안 업데이트 및 OpenShift Logging 버그 수정 릴리스 5.8.7 이 포함되어 있습니다.
1.1.10.1. 버그 수정
-
이번 업데이트 이전에는 <
type> 로그(audit, infrastructure 또는 application)가 수집되지 않은 경우 elasticsearch-im-<Pod가 실패했습니다. 이번 업데이트를 통해 <type>-*type> 로그가 수집되지 않으면 Pod가 더 이상 실패하지 않습니다. (LOG-4949) - 이번 업데이트 이전에는 설계에 URL이 필요하지 않은 Amazon Cloud Logging과 같은 서비스에도 출력 구성에 대한 검증 기능에 SSL/TLS URL이 필요했습니다. 이번 업데이트를 통해 URL이 없는 서비스에 대한 검증 논리가 개선되고 오류 메시지가 더 도움이 됩니다. (LOG-5467)
- 이번 업데이트 이전에는 Logging Operator의 메트릭 컬렉션 코드의 문제로 인해 오래된 Telemetry 메트릭이 보고되었습니다. 이번 업데이트를 통해 Logging Operator는 오래된 Telemetry 메트릭을 보고하지 않습니다. (LOG-5471)
-
이번 업데이트 이전에는 Logging Operator를 변경하면
ClusterLogForwarderCR의 잘못된 구성으로 인해 오류가 발생했습니다. 결과적으로 로깅으로 업그레이드하면 daemonset 수집기가 삭제되었습니다. 이번 업데이트를 통해Not authorized to collect오류가 발생하는 경우를 제외하고 Logging Operator는 수집기 데몬 세트를 다시 생성합니다. (LOG-5514)
1.1.10.2. CVE
- CVE-2020-26555
- CVE-2021-29390
- CVE-2022-0480
- CVE-2022-38096
- CVE-2022-40090
- CVE-2022-45934
- CVE-2022-48554
- CVE-2022-48624
- CVE-2023-2975
- CVE-2023-3446
- CVE-2023-3567
- CVE-2023-3618
- CVE-2023-3817
- CVE-2023-4133
- CVE-2023-5678
- CVE-2023-6040
- CVE-2023-6121
- CVE-2023-6129
- CVE-2023-6176
- CVE-2023-6228
- CVE-2023-6237
- CVE-2023-6531
- CVE-2023-6546
- CVE-2023-6622
- CVE-2023-6915
- CVE-2023-6931
- CVE-2023-6932
- CVE-2023-7008
- CVE-2023-24023
- CVE-2023-25193
- CVE-2023-25775
- CVE-2023-28464
- CVE-2023-28866
- CVE-2023-31083
- CVE-2023-31122
- CVE-2023-37453
- CVE-2023-38469
- CVE-2023-38470
- CVE-2023-38471
- CVE-2023-38472
- CVE-2023-38473
- CVE-2023-39189
- CVE-2023-39193
- CVE-2023-39194
- CVE-2023-39198
- CVE-2023-40745
- CVE-2023-41175
- CVE-2023-42754
- CVE-2023-42756
- CVE-2023-43785
- CVE-2023-43786
- CVE-2023-43787
- CVE-2023-43788
- CVE-2023-43789
- CVE-2023-45288
- CVE-2023-45863
- CVE-2023-46862
- CVE-2023-47038
- CVE-2023-51043
- CVE-2023-51779
- CVE-2023-51780
- CVE-2023-52434
- CVE-2023-52448
- CVE-2023-52476
- CVE-2023-52489
- CVE-2023-52522
- CVE-2023-52529
- CVE-2023-52574
- CVE-2023-52578
- CVE-2023-52580
- CVE-2023-52581
- CVE-2023-52597
- CVE-2023-52610
- CVE-2023-52620
- CVE-2024-0565
- CVE-2024-0727
- CVE-2024-0841
- CVE-2024-1085
- CVE-2024-1086
- CVE-2024-21011
- CVE-2024-21012
- CVE-2024-21068
- CVE-2024-21085
- CVE-2024-21094
- CVE-2024-22365
- CVE-2024-25062
- CVE-2024-26582
- CVE-2024-26583
- CVE-2024-26584
- CVE-2024-26585
- CVE-2024-26586
- CVE-2024-26593
- CVE-2024-26602
- CVE-2024-26609
- CVE-2024-26633
- CVE-2024-27316
- CVE-2024-28834
- CVE-2024-28835
1.1.11. 로깅 5.8.6
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.6 보안 업데이트 및 OpenShift Logging 버그 수정 릴리스 5.8.6 이 포함되어 있습니다.
1.1.11.1. 기능 개선
-
이번 업데이트 이전에는 Loki Operator에서 스토리지 보안에 사용된 Amazon Simple Storage Service(S3) 끝점의 유효성을 검사하지 않았습니다. 이번 업데이트를 통해 검증 프로세스는 S3 끝점이 유효한 S3 URL이고
LokiStack상태 업데이트를 통해 잘못된 URL을 나타냅니다. (LOG-5392) - 이번 업데이트 이전에는 Loki Operator에서 더 이상 사용되지 않는 Amazon Simple Storage Service(S3)에 경로 기반 스타일 액세스를 사용하도록 Loki를 구성했습니다. 이번 업데이트를 통해 Loki Operator는 사용자가 구성을 변경할 필요 없이 기본적으로 virtual-host 스타일로 설정됩니다. (LOG-5402)
1.1.11.2. 버그 수정
-
이번 업데이트 이전에는
openshift-operators-redhat네임스페이스의 Elastisearch OperatorServiceMonitor에서 인증을 위해 정적 토큰 및 CA(인증 기관) 파일을 사용하여ServiceMonitor구성의 사용자 워크로드 모니터링 사양의 Prometheus Operator에 오류가 발생했습니다. 이번 업데이트를 통해openshift-operators-redhat네임스페이스의 Elastisearch OperatorServiceMonitor에서LocalReference오브젝트의 서비스 계정 토큰 시크릿을 참조합니다. 이 방법을 사용하면 Prometheus Operator의 User Workload Monitoring 사양에서 Elastisearch OperatorServiceMonitor를 성공적으로 처리할 수 있습니다. 이를 통해 Prometheus는 Elastisearch Operator 지표를 스크랩할 수 있습니다. (LOG-5164) -
이번 업데이트 이전에는 Loki Operator에서 스토리지 보안에 사용된 Amazon Simple Storage Service(S3) 끝점 URL 형식의 유효성을 검사하지 않았습니다. 이번 업데이트를 통해 S3 끝점 URL은
LokiStack의 상태를 반영하는 검증 단계를 거칩니다. (LOG-5398)
1.1.11.3. CVE
1.1.12. 로깅 5.8.5
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.5 가 포함되어 있습니다.
1.1.12.1. 버그 수정
-
이번 업데이트 이전에는 Loki Operator의
ServiceMonitor구성이 여러 Kubernetes 서비스와 일치하여 Loki Operator의 메트릭이 여러 번 수집될 수 있었습니다. 이번 업데이트를 통해ServiceMonitor의 구성은 이제 전용 메트릭 서비스와만 일치합니다. (LOG-5250) - 이번 업데이트 이전에는 Red Hat 빌드 파이프라인에서 Loki 빌드의 기존 빌드 세부 정보와 revision, 분기, 버전과 같은 생략된 정보를 사용하지 않았습니다. 이번 업데이트를 통해 Red Hat 빌드 파이프라인에서 Loki 빌드에 이러한 세부 정보를 추가하여 문제를 해결합니다. (LOG-5201)
-
이번 업데이트 이전에는 Loki Operator에서
LokiStack이 준비되었는지 확인하기 위해 Pod가 실행 중인지 확인했습니다. 이번 업데이트를 통해LokiStack의 준비 상태가 해당 구성 요소의 상태를 반영하도록 Pod가 준비되었는지도 확인합니다. (LOG-5171) - 이번 업데이트 이전에는 로그 메트릭에 대한 쿼리를 실행하면 히스토그램에 오류가 발생했습니다. 이번 업데이트를 통해 히스토그램 토글 기능 및 히스토그램이 로그 메트릭에서 작동하지 않기 때문에 히스토그램 토글 기능이 비활성화되고 숨겨집니다. (LOG-5044)
-
이번 업데이트 이전에는 Loki 및 Elasticsearch 번들에 잘못된
maxOpenShiftVersion이 있어IncompatibleOperatorsInstalled경고가 생성되었습니다. 번들의 4.16을maxOpenShiftVersion속성으로 포함하여 이 업데이트를 통해 문제가 해결되었습니다. (LOG-5272) -
이번 업데이트 이전에는 빌드 파이프라인에 빌드 날짜에 대한 링커 플래그가 포함되어 있지 않아 Loki 빌드에
buildDate및goVersion의 빈 문자열이 표시되었습니다. 이번 업데이트를 통해 빌드 파이프라인에 누락된 링커 플래그를 추가하면 문제가 해결되었습니다. (LOG-5274) - 이번 업데이트 이전에는 LogQL 구문 분석의 버그로 인해 쿼리에서 일부 줄 필터가 남겼습니다. 이번 업데이트를 통해 이제 구문 분석에 원래 쿼리를 변경하지 않고 모든 줄 필터가 포함됩니다. (LOG-5270)
-
이번 업데이트 이전에는
openshift-operators-redhat네임스페이스의 Loki OperatorServiceMonitor에서 인증에 정적 토큰과 CA 파일을 사용하여ServiceMonitor구성의 User Workload Monitoring 사양의 Prometheus Operator에 오류가 발생했습니다. 이번 업데이트를 통해openshift-operators-redhat네임스페이스의 Loki OperatorServiceMonitor는 이제LocalReference오브젝트의 서비스 계정 토큰 시크릿을 참조합니다. 이 방법을 사용하면 Prometheus Operator의 User Workload Monitoring 사양에서 Loki OperatorServiceMonitor를 성공적으로 처리할 수 있으므로 Prometheus가 Loki Operator 메트릭을 스크랩할 수 있습니다. (LOG-5240)
1.1.12.2. CVE
1.1.13. 로깅 5.8.4
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.4 가 포함되어 있습니다.
1.1.13.1. 버그 수정
- 이번 업데이트 이전에는 개발자 콘솔의 로그에서 현재 네임스페이스를 고려하지 않아 클러스터 전체 로그 액세스 권한이 없는 사용자에게 쿼리 거부가 발생했습니다. 이번 업데이트를 통해 지원되는 모든 OCP 버전은 올바른 네임스페이스를 포함해야 합니다. (LOG-4905)
-
이번 업데이트 이전에는 Cluster Logging Operator가 기본 로그 출력이 LokiStack인 경우에만 LokiStack 배포를 지원하는
ClusterRoles를 배포했습니다. 이번 업데이트를 통해 역할은 읽기 및 쓰기의 두 그룹으로 나뉩니다. 쓰기 역할은 이전에 수행하는 데 사용되는 모든 역할과 마찬가지로 기본 로그 스토리지 설정을 기반으로 배포됩니다. 읽기 역할은 로깅 콘솔 플러그인이 활성화되어 있는지 여부에 따라 배포됩니다. (LOG-4987) -
이번 업데이트 이전에는 하나의 서비스에서
ownerReferences를 변경하기 때문에 동일한 입력 수신자 이름을 정의하는ClusterLogForwarders가 서비스를 끝없이 조정했습니다. 이번 업데이트를 통해 각 수신자 입력은 <CLF.Name>-<input.Name> 규칙을 사용하여 이름이 지정된 자체 서비스를 갖습니다. (LOG-5009) -
이번 업데이트 이전에는 시크릿 없이 cloudwatch로 로그를 전달할 때
ClusterLogForwarder에서 오류를 보고하지 않았습니다. 이번 업데이트를 통해 시크릿 없이 cloudwatch로 로그를 전달할 때 다음 오류 메시지가 표시됩니다.cloudwatch 출력에 시크릿을 제공해야 합니다. (LOG-5021) -
이번 업데이트 이전에는
log_forwarder_input_info에애플리케이션,인프라및감사입력 메트릭 포인트가 포함되었습니다. 이번 업데이트를 통해http도 지표 지점으로 추가됩니다. (LOG-5043)
1.1.13.2. CVE
- CVE-2021-35937
- CVE-2021-35938
- CVE-2021-35939
- CVE-2022-3545
- CVE-2022-24963
- CVE-2022-36402
- CVE-2022-41858
- CVE-2023-2166
- CVE-2023-2176
- CVE-2023-3777
- CVE-2023-3812
- CVE-2023-4015
- CVE-2023-4622
- CVE-2023-4623
- CVE-2023-5178
- CVE-2023-5363
- CVE-2023-5388
- CVE-2023-5633
- CVE-2023-6679
- CVE-2023-7104
- CVE-2023-27043
- CVE-2023-38409
- CVE-2023-40283
- CVE-2023-42753
- CVE-2023-43804
- CVE-2023-45803
- CVE-2023-46813
- CVE-2024-20918
- CVE-2024-20919
- CVE-2024-20921
- CVE-2024-20926
- CVE-2024-20945
- CVE-2024-20952
1.1.14. 로깅 5.8.3
이 릴리스에는 로깅 버그 수정 5.8.3 및 로깅 보안 수정 5.8.3이 포함되어 있습니다.
1.1.14.1. 버그 수정
- 이번 업데이트 이전에는 사용자 정의 S3 인증 기관을 읽도록 구성된 경우 Loki Operator는 ConfigMap 이름 또는 콘텐츠가 변경된 경우 구성을 자동으로 업데이트하지 않습니다. 이번 업데이트를 통해 Loki Operator에서 ConfigMap에 대한 변경 사항을 조사하고 생성된 구성을 자동으로 업데이트합니다. (LOG-4969)
- 이번 업데이트 이전에는 유효한 URL 없이 Loki 출력이 구성되어 수집기 Pod가 충돌했습니다. 이번 업데이트를 통해 출력에 URL 검증이 적용되어 문제를 해결합니다. (LOG-4822)
- 이번 업데이트 이전에는 Cluster Logging Operator가 서비스 계정 전달자 토큰을 사용할 시크릿을 지정하지 않은 출력에 대한 수집기 구성 필드를 생성합니다. 이번 업데이트를 통해 출력에 인증이 필요하지 않아 문제를 해결합니다. (LOG-4962)
-
이번 업데이트 이전에는 출력의
tls.insecureSkipVerify필드가 보안을 정의하지 않고true값으로 설정되지 않았습니다. 이번 업데이트를 통해 이 값을 설정하는 데 더 이상 시크릿이 필요하지 않습니다. (LOG-4963) - 이번 업데이트 이전에는 출력 구성에서 비보안 (HTTP) URL과 TLS 인증의 조합을 허용했습니다. 이번 업데이트를 통해 TLS 인증을 위해 구성된 출력에 보안(HTTPS) URL이 필요합니다. (LOG-4893)
1.1.14.2. CVE
1.1.15. 로깅 5.8.2
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.2 가 포함되어 있습니다.
1.1.15.1. 버그 수정
- 이번 업데이트 이전에는 LokiStack 규칙러 Pod에서 교차 Pod 통신에 사용되는 HTTP URL의 IPv6 Pod IP를 포맷하지 않아 Prometheus 호환 API를 통한 규칙 및 경고를 쿼리할 수 없었습니다. 이번 업데이트를 통해 LokiStack 룰러 Pod는 IPv6 포드 IP를 대괄호로 캡슐화하여 문제를 해결합니다. (LOG-4890)
- 이번 업데이트 이전에는 개발자 콘솔 로그에서 현재 네임스페이스를 고려하지 않아 클러스터 전체 로그 액세스 권한이 없는 사용자에게 쿼리 거부가 발생했습니다. 이번 업데이트를 통해 네임스페이스 포함이 수정되어 문제를 해결합니다. (LOG-4947)
- 이번 업데이트 이전에는 OpenShift Container Platform 웹 콘솔의 로깅 보기 플러그인에서 사용자 정의 노드 배치 및 허용 오차를 허용하지 않았습니다. 이번 업데이트를 통해 OpenShift Container Platform 웹 콘솔의 로깅 보기 플러그인에 사용자 정의 노드 배치 및 허용 오차가 추가되었습니다. (LOG-4912)
1.1.15.2. CVE
1.1.16. Logging 5.8.1
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.1 및 OpenShift Logging 버그 수정 릴리스 5.8.1 Kibana 가 포함되어 있습니다.
1.1.16.1. 기능 개선
1.1.16.1.1. 로그 컬렉션
1.1.16.2. 버그 수정
-
이번 업데이트 이전에는 롤오버 조건이 충족되지 않은 경우에도
ClusterLogForwarder에서 JSON 로그의 구문 분석을 활성화한 후 빈 인덱스를 생성했습니다. 이번 업데이트를 통해write-index가 비어 있을 때ClusterLogForwarder에서 롤오버를 건너뜁니다. (LOG-4452) -
이번 업데이트 이전에는 벡터가
기본로그 수준을 잘못 설정했습니다. 이번 업데이트를 통해 로그 수준 탐지를 위해 정규식 또는regexp의 향상된 기능을 개선하여 올바른 로그 수준이 설정됩니다. (LOG-4480) -
이번 업데이트 이전에는 인덱스 패턴을 생성하는 프로세스 중에 각 로그 출력의 초기 인덱스에서 기본 별칭이 누락되었습니다. 결과적으로 Kibana 사용자는 OpenShift Elasticsearch Operator를 사용하여 인덱스 패턴을 생성할 수 없었습니다. 이번 업데이트에서는 OpenShift Elasticsearch Operator에 누락된 별칭이 추가되어 문제를 해결합니다. Kibana 사용자는
{app,infra,audit}-000001인덱스를 포함하는 인덱스 패턴을 생성할 수 있습니다. (LOG-4683) -
이번 업데이트 이전에는 IPv6 클러스터에서 Prometheus 서버가 바인딩되어 Fluentd 수집기 Pod가
CrashLoopBackOff상태에 있었습니다. 이번 업데이트를 통해 수집기는 IPv6 클러스터에서 제대로 작동합니다. (LOG-4706) -
이번 업데이트 이전에는
ClusterLogForwarder가 변경될 때마다 Red Hat OpenShift Logging Operator가 다양한 조정을 수행했습니다. 이번 업데이트를 통해 Red Hat OpenShift Logging Operator는 조정을 트리거한 수집기 데몬 세트의 상태 변경을 무시합니다. (LOG-4741) -
이번 업데이트 이전에는 IBM Power 머신의 Vector 로그 수집기 Pod가
CrashLoopBackOff상태로 중단되었습니다. 이번 업데이트를 통해 Vector 로그 수집기 Pod가 IBM Power 아키텍처 머신에서 성공적으로 시작됩니다. (LOG-4768) -
이번 업데이트 이전에는 내부 LokiStack에 대한 레거시 전달자를 사용하여 전달하면 Fluentd 수집기 Pod를 사용하여 SSL 인증서 오류가 발생했습니다. 이번 업데이트를 통해 로그 수집기 서비스 계정은 기본적으로 연결된 토큰과
ca.crt를 사용하여 인증에 사용됩니다. (LOG-4791) -
이번 업데이트 이전에는 내부 LokiStack에 대한 레거시 전달자를 사용하여 전달하면 Vector 수집기 Pod를 사용하여 SSL 인증서 오류가 발생했습니다. 이번 업데이트를 통해 기본적으로 로그 수집기 서비스 계정이 인증에 사용되며 연결된 토큰 및
ca.crt를 사용합니다. (LOG-4852) - 이번 수정 이전에는 자리 표시자에 대해 호스트 또는 여러 호스트를 평가한 후 IPv6 주소가 올바르게 구문 분석되지 않았습니다. 이번 업데이트를 통해 IPv6 주소가 올바르게 구문 분석됩니다. (LOG-4811)
-
이번 업데이트 이전에는 HTTP 수신자 입력에 대한 감사 권한을 수집하기 위해
ClusterRoleBinding을 생성해야 했습니다. 이번 업데이트를 통해 끝점이 이미 클러스터 인증 기관에 따라 다르기 때문에ClusterRoleBinding을 생성할 필요가 없습니다. (LOG-4815) - 이번 업데이트 이전에는 Loki Operator에서 사용자 정의 CA 번들을 룰러 Pod에 마운트하지 않았습니다. 결과적으로 경고 또는 레코딩 규칙을 평가하는 프로세스 중에 오브젝트 스토리지 액세스가 실패했습니다. 이번 업데이트를 통해 Loki Operator는 모든 룰러 Pod에 사용자 정의 CA 번들을 마운트합니다. 규칙자 Pod는 오브젝트 스토리지에서 로그를 다운로드하여 경고 또는 레코딩 규칙을 평가할 수 있습니다. (LOG-4836)
-
이번 업데이트 이전에는
ClusterLogForwarder에서inputs.receiver섹션을 제거하는 동안 HTTP 입력 서비스 및 관련 보안이 삭제되지 않았습니다. 이번 업데이트를 통해 필요하지 않은 경우 HTTP 입력 리소스가 삭제됩니다. (LOG-4612) -
이번 업데이트 이전에는
ClusterLogForwarder에서 상태에 검증 오류가 표시되었지만 출력 및 파이프라인 상태가 특정 문제를 정확하게 반영하지 않았습니다. 이번 업데이트를 통해 출력, 입력 또는 필터가 잘못 구성된 경우 파이프라인 상태에 검증 실패 이유가 올바르게 표시됩니다. (LOG-4821) -
이번 업데이트 이전에는 시간 범위 또는 심각도와 같은 제어를 사용하는
LogQL쿼리를 변경하면 레이블 matcher Operator가 정규식처럼 정의되었습니다. 이번 업데이트를 통해 쿼리를 업데이트할 때 정규식 Operator가 변경되지 않은 상태로 유지됩니다. (LOG-4841)
1.1.16.3. CVE
- CVE-2007-4559
- CVE-2021-3468
- CVE-2021-3502
- CVE-2021-3826
- CVE-2021-43618
- CVE-2022-3523
- CVE-2022-3565
- CVE-2022-3594
- CVE-2022-4285
- CVE-2022-38457
- CVE-2022-40133
- CVE-2022-40982
- CVE-2022-41862
- CVE-2022-42895
- CVE-2023-0597
- CVE-2023-1073
- CVE-2023-1074
- CVE-2023-1075
- CVE-2023-1076
- CVE-2023-1079
- CVE-2023-1206
- CVE-2023-1249
- CVE-2023-1252
- CVE-2023-1652
- CVE-2023-1855
- CVE-2023-1981
- CVE-2023-1989
- CVE-2023-2731
- CVE-2023-3138
- CVE-2023-3141
- CVE-2023-3161
- CVE-2023-3212
- CVE-2023-3268
- CVE-2023-3316
- CVE-2023-3358
- CVE-2023-3576
- CVE-2023-3609
- CVE-2023-3772
- CVE-2023-3773
- CVE-2023-4016
- CVE-2023-4128
- CVE-2023-4155
- CVE-2023-4194
- CVE-2023-4206
- CVE-2023-4207
- CVE-2023-4208
- CVE-2023-4273
- CVE-2023-4641
- CVE-2023-22745
- CVE-2023-26545
- CVE-2023-26965
- CVE-2023-26966
- CVE-2023-27522
- CVE-2023-29491
- CVE-2023-29499
- CVE-2023-30456
- CVE-2023-31486
- CVE-2023-32324
- CVE-2023-32573
- CVE-2023-32611
- CVE-2023-32665
- CVE-2023-33203
- CVE-2023-33285
- CVE-2023-33951
- CVE-2023-33952
- CVE-2023-34241
- CVE-2023-34410
- CVE-2023-35825
- CVE-2023-36054
- CVE-2023-37369
- CVE-2023-38197
- CVE-2023-38545
- CVE-2023-38546
- CVE-2023-39191
- CVE-2023-39975
- CVE-2023-44487
1.1.17. Logging 5.8.0
이 릴리스에는 OpenShift Logging 버그 수정 릴리스 5.8.0 및 OpenShift Logging 버그 수정 릴리스 5.8.0 Kibana 가 포함되어 있습니다.
1.1.17.1. 사용 중단 알림
로깅 5.8에서 Elasticsearch, Fluentd, Kibana는 더 이상 사용되지 않으며 Logging 6.0에서 제거될 예정이며 향후 OpenShift Container Platform 릴리스와 함께 제공될 것으로 예상됩니다. Red Hat은 현재 릴리스 라이프사이클 동안 중요한 CVE 버그 수정 및 이러한 구성 요소에 대한 지원을 제공하지만 이러한 구성 요소는 더 이상 기능 개선 사항을 받지 않습니다. Loki Operator에서 제공하는 Red Hat OpenShift Logging Operator 및 LokiStack에서 제공하는 Vector 기반 수집기는 로그 수집 및 스토리지에 권장되는 Operator입니다. 모든 사용자가 Vector 및 Loki 로그 스택을 채택하도록 권장합니다. 이는 앞으로 개선될 스택이 되기 때문입니다.
1.1.17.2. 기능 개선
1.1.17.2.1. 로그 컬렉션
-
이번 업데이트를 통해 LogFileMetricExporter는 기본적으로 수집기와 함께 더 이상 배포되지 않습니다. 컨테이너를 실행하여 생성된 로그에서 메트릭을 생성하려면
LogFileMetricExporterCR(사용자 정의 리소스)을 수동으로 생성해야 합니다.LogFileMetricExporterCR을 생성하지 않으면 OpenShift Container Platform 웹 콘솔 대시보드에 Produced Logs 의 No datapoints found 메시지가 표시될 수 있습니다. (LOG-3819) 이번 업데이트를 통해 모든 네임스페이스에 여러 개의 격리된
ClusterLogForwarderCR(사용자 정의 리소스) 인스턴스를 배포할 수 있습니다. 이를 통해 독립 그룹은 다른 컬렉터 배포에서 구성을 격리하는 동안 원하는 로그를 대상으로 전달할 수 있습니다. (LOG-1343)중요openshift-logging네임스페이스 이외의 추가 네임스페이스에서 다중 클러스터 로그 전달을 지원하려면 모든 네임스페이스를 조사하도록 Red Hat OpenShift Logging Operator를 업데이트해야 합니다. 이 기능은 새로운 Red Hat OpenShift Logging Operator 버전 5.8 설치에서 기본적으로 지원됩니다.- 이번 업데이트를 통해 흐름 제어 또는 속도 제한 메커니즘을 사용하여 과도한 로그 레코드를 삭제하여 수집하거나 전달할 수 있는 로그 데이터의 볼륨을 제한할 수 있습니다. 입력 제한으로 인해 성능이 좋지 않은 컨테이너가 로깅을 과부하하는 것을 방지하고 출력 제한으로 인해 지정된 데이터 저장소에 전달되는 로그의 비율에 문제가 발생합니다. (LOG-884)
- 이번 업데이트를 통해 HTTP 연결을 찾고 웹 후크라고도 하는 HTTP 서버로 로그를 수신하도록 로그 수집기를 구성할 수 있습니다. (LOG-4562)
- 이번 업데이트를 통해 감사 정책을 구성하여 로그 수집기에서 전달하는 Kubernetes 및 OpenShift API 서버 이벤트를 제어할 수 있습니다. (LOG-3982)
1.1.17.2.2. 로그 스토리지
- 이번 업데이트를 통해 LokiStack 관리자는 네임스페이스에 따라 로그에 대한 액세스 권한을 부여하여 누가 로그에 액세스할 수 있는 사용자를 보다 세밀하게 제어할 수 있습니다. (LOG-3841)
-
이번 업데이트를 통해 Loki Operator는 LokiStack 배포에
PodDisruptionBudget구성을 도입하여 ingestion 및 쿼리 경로를 계속 사용하여 OpenShift Container Platform 클러스터를 재시작하는 동안 정상적인 작업을 보장합니다. (LOG-3839) - 이번 업데이트를 통해 기본 Affinity 및 anti-Affinity 정책 세트를 적용하여 기존 LokiStack 설치의 안정성이 원활하게 향상됩니다. (LOG-3840)
- 이번 업데이트를 통해 영역 장애 발생 시 안정성을 높이기 위해 LokiStack에서 영역 인식 데이터 복제를 관리자로 관리할 수 있습니다. (LOG-3266)
- 이번 업데이트를 통해 몇 가지 워크로드와 작은 수집 볼륨(최대 100GB/일)을 호스팅하는 OpenShift Container Platform 클러스터에 지원되는 새로운 소규모 LokiStack 크기가 1x.extra-tekton가 도입되었습니다. (LOG-4329)
- 이번 업데이트를 통해 LokiStack 관리자는 공식 Loki 대시보드에 액세스하여 스토리지 성능 및 각 구성 요소의 상태를 검사할 수 있습니다. (LOG-4327)
1.1.17.2.3. 로그 콘솔
1.1.17.3. 확인된 문제
현재 Red Hat OpenShift Logging Operator의 버전 5.8로 업그레이드한 후 Splunk 로그 전달이 작동하지 않을 수 있습니다. 이 문제는 OpenSSL 버전 1.1.1에서 버전 3.0.7로 전환하여 발생합니다. 최신 OpenSSL 버전에서는 기본 동작 변경 사항이 있습니다. 여기서 RFC 5746 확장을 노출하지 않으면 TLS 1.2 끝점에 대한 연결이 거부됩니다.
이 문제를 해결하려면 Splunk HEC(HTTP 이벤트 수집기) 끝점 앞에 있는 TLS 종료 로드 밸런서에서 TLS 1.3 지원을 활성화합니다. Splunk는 타사 시스템이며 Splunk 끝에서 구성해야 합니다.
-
현재 HTTP/2 프로토콜에서 멀티플렉싱된 스트림을 처리하는 데 결함이 있습니다. 여기서 새로운 멀티플렉션을 반복적으로 요청하고 이를 취소하기 위해
RST_STREAM프레임을 즉시 보낼 수 있습니다. 이로 인해 서버가 스트림을 설정하고 축소하여 서버 리소스 사용으로 인해 서비스가 거부되었습니다. 현재 이 문제에 대한 해결방법이 없습니다. (LOG-4609) -
현재 FluentD를 수집기로 사용할 때 수집기 Pod는 OpenShift Container Platform IPv6 지원 클러스터에서 시작할 수 없습니다. Pod 로그는
fluentd pod [error]: unexpected error_class=SocketError error="getaddrinfo: Name 또는 service notknown오류를 생성합니다. 현재 이 문제에 대한 해결방법이 없습니다. (LOG-4706) - 현재 IPv6 지원 클러스터에서는 로그 경고를 사용할 수 없습니다. 현재 이 문제에 대한 해결방법이 없습니다. (LOG-4709)
-
현재
cluster-logging-rhel9-operator에서 필요한 OpenSSL 라이브러리를 사용할 수 없기 때문에 FIPS 지원 클러스터에서must-gather는 로그를 수집할 수 없습니다. 현재 이 문제에 대한 해결방법이 없습니다. (LOG-4403) -
현재 FIPS 지원 클러스터에 로깅 버전 5.8을 배포할 때 컬렉터 Pod는 시작할 수 없으며 FluentD를 수집기로 사용하는 동안
CrashLoopBackOff상태에서 멈춥니다. 현재 이 문제에 대한 해결방법이 없습니다. (LOG-3933)
1.1.17.4. CVE
1.2. 로깅 5.7
로깅은 코어 OpenShift Container Platform과 별도의 릴리스 사이클을 사용하여 설치 가능한 구성 요소로 제공됩니다. Red Hat OpenShift Container Platform 라이프 사이클 정책은 릴리스 호환성에 대해 간단히 설명합니다.
stable 채널은 최신 로깅 릴리스에 대한 업데이트만 제공합니다. 이전 릴리스에 대한 업데이트를 계속 받으려면 서브스크립션 채널을 stable-x.y 로 변경해야 합니다. 여기서 x.y 는 설치한 로깅 및 마이너 버전을 나타냅니다. 예를 들면 stable-5.7 입니다.
1.2.1. 로깅 5.7.15
이 릴리스에는 OpenShift Logging 버그 수정 5.7.15 가 포함되어 있습니다.
1.2.1.1. 버그 수정
-
이번 업데이트 이전에는 LokiStack을 구성할 때
LokiStack을 구성할 때 Ingesters를 다시 시작할 때 Loki Operator가1x.demo크기의 write-ahead logreplay_memory_ceiling을 0바이트로 설정했기 때문에 지연이 발생했습니다. 이번 업데이트를 통해replay_memory_ceiling에 사용되는 최소 값이 지연을 방지하기 위해 증가했습니다. (LOG-5616)
1.2.1.2. CVE
- CVE-2019-25162
- CVE-2020-15778
- CVE-2020-36777
- CVE-2021-43618
- CVE-2021-46934
- CVE-2021-47013
- CVE-2021-47055
- CVE-2021-47118
- CVE-2021-47153
- CVE-2021-47171
- CVE-2021-47185
- CVE-2022-4645
- CVE-2022-48627
- CVE-2022-48669
- CVE-2023-6004
- CVE-2023-6240
- CVE-2023-6597
- CVE-2023-6918
- CVE-2023-7008
- CVE-2023-43785
- CVE-2023-43786
- CVE-2023-43787
- CVE-2023-43788
- CVE-2023-43789
- CVE-2023-52439
- CVE-2023-52445
- CVE-2023-52477
- CVE-2023-52513
- CVE-2023-52520
- CVE-2023-52528
- CVE-2023-52565
- CVE-2023-52578
- CVE-2023-52594
- CVE-2023-52595
- CVE-2023-52598
- CVE-2023-52606
- CVE-2023-52607
- CVE-2023-52610
- CVE-2024-0340
- CVE-2024-0450
- CVE-2024-22365
- CVE-2024-23307
- CVE-2024-25062
- CVE-2024-25744
- CVE-2024-26458
- CVE-2024-26461
- CVE-2024-26593
- CVE-2024-26603
- CVE-2024-26610
- CVE-2024-26615
- CVE-2024-26642
- CVE-2024-26643
- CVE-2024-26659
- CVE-2024-26664
- CVE-2024-26693
- CVE-2024-26694
- CVE-2024-26743
- CVE-2024-26744
- CVE-2024-26779
- CVE-2024-26872
- CVE-2024-26892
- CVE-2024-26987
- CVE-2024-26901
- CVE-2024-26919
- CVE-2024-26933
- CVE-2024-26934
- CVE-2024-26964
- CVE-2024-26973
- CVE-2024-26993
- CVE-2024-27014
- CVE-2024-27048
- CVE-2024-27052
- CVE-2024-27056
- CVE-2024-27059
- CVE-2024-28834
- CVE-2024-33599
- CVE-2024-33600
- CVE-2024-33601
- CVE-2024-33602
1.2.2. 로깅 5.7.14
이 릴리스에는 OpenShift Logging 버그 수정 5.7.14 가 포함되어 있습니다.
1.2.2.1. 버그 수정
- 이번 업데이트 이전에는 Logging Operator의 메트릭 컬렉션 코드의 문제로 인해 오래된 Telemetry 메트릭이 보고되었습니다. 이번 업데이트를 통해 Logging Operator는 오래된 Telemetry 메트릭을 보고하지 않습니다. (LOG-5472)
1.2.2.2. CVE
1.2.3. 로깅 5.7.13
이 릴리스에는 OpenShift Logging 버그 수정 5.7.13 이 포함되어 있습니다.
1.2.3.1. 기능 개선
- 이번 업데이트 이전에는 Loki Operator에서 더 이상 사용되지 않는 Amazon Simple Storage Service(S3)에 경로 기반 스타일 액세스를 사용하도록 Loki를 구성했습니다. 이번 업데이트를 통해 Loki Operator는 사용자가 구성을 변경할 필요 없이 기본적으로 virtual-host 스타일로 설정됩니다. (LOG-5403)
-
이번 업데이트 이전에는 Loki Operator에서 스토리지 보안에 사용된 Amazon Simple Storage Service(S3) 끝점의 유효성을 검사하지 않았습니다. 이번 업데이트를 통해 검증 프로세스는 S3 끝점이 유효한 S3 URL이고
LokiStack상태 업데이트를 통해 잘못된 URL을 나타냅니다. (LOG-5393)
1.2.3.2. 버그 수정
-
이번 업데이트 이전에는
openshift-operators-redhat네임스페이스의 Elastisearch OperatorServiceMonitor에서 인증을 위해 정적 토큰 및 CA(인증 기관) 파일을 사용하여ServiceMonitor구성의 사용자 워크로드 모니터링 사양의 Prometheus Operator에 오류가 발생했습니다. 이번 업데이트를 통해openshift-operators-redhat네임스페이스의 Elastisearch OperatorServiceMonitor에서LocalReference오브젝트의 서비스 계정 토큰 시크릿을 참조합니다. 이 방법을 사용하면 Prometheus Operator의 User Workload Monitoring 사양에서 Elastisearch OperatorServiceMonitor를 성공적으로 처리할 수 있습니다. 이를 통해 Prometheus는 Elastisearch Operator 지표를 스크랩할 수 있습니다. (LOG-5243) -
이번 업데이트 이전에는 Loki Operator에서 스토리지 보안에 사용된 Amazon Simple Storage Service(S3) 끝점 URL 형식의 유효성을 검사하지 않았습니다. 이번 업데이트를 통해 S3 끝점 URL은
LokiStack의 상태를 반영하는 검증 단계를 거칩니다. (LOG-5399)
1.2.3.3. CVE
1.2.4.
1.2.4.1.
1.2.4.2.
1.2.5.
1.2.5.1.
1.2.5.2.
1.2.6.
1.2.6.1.
1.2.6.2.
1.2.7.
1.2.7.1.
1.2.7.2.
1.2.8.
1.2.8.1.
1.2.8.2.
1.2.9.
1.2.9.1.
1.2.9.2.
1.2.10.
1.2.10.1.
1.2.10.2.
1.2.11.
1.2.11.1.
1.2.11.2.
1.2.12.
1.2.12.1.
1.2.12.2.
1.2.13.
1.2.13.1.
tls.verify_certificate = false tls.verify_hostname = falseERROR vector::cli: Configuration error. error=redefinition of table transforms.audit for key transforms.audit
1.2.13.2.
1.2.14.
1.2.14.1.
1.2.14.2.
1.2.15.
1.2.15.1.
1.2.15.2.
1.2.15.3.
1.2.15.4.
1.3.
1.3.1.
1.3.1.1.
1.3.1.2.
1.3.2.
1.3.2.1.
1.3.2.2.
1.3.3.
1.3.3.1.
1.3.3.2.
1.3.4.
1.3.4.1.
1.3.4.2.
1.3.5.
1.3.5.1.
1.3.5.2.
1.3.6.
1.3.6.1.
1.3.6.2.
1.3.7.
1.3.7.1.
1.3.7.2.
1.3.8.
1.3.8.1.
1.3.8.2.
1.3.9.
1.3.9.1.
1.3.9.2.
1.3.10.
1.3.10.1.
1.3.10.2.
1.3.10.3.
1.3.11.
1.3.11.1.
1.3.11.2.
1.3.12.
1.3.12.1.
1.3.12.2.
1.3.13.
1.3.13.1.
1.3.13.2.
1.3.14.
1.3.14.1.
1.3.14.2.
1.3.15.
1.3.15.1.
1.3.15.2.
1.3.16.
1.3.16.1.
1.3.16.2.
1.3.17.
1.3.17.1.
1.3.17.2.
1.3.18.
1.3.18.1.
1.3.18.2.
1.3.19.
1.3.19.1.
1.3.19.2.
1.3.20.
1.3.20.1.
1.3.20.2.
1.3.21.
1.3.21.1.
1.3.21.2.
1.3.22.
1.3.22.1.
1.3.22.2.
1.3.23.
1.3.23.1.
1.3.23.2.
1.3.24.
1.3.24.1.
1.3.24.2.
1.3.25.
1.3.25.1.
1.3.25.2.
$ oc get clusterversion/version -o jsonpath='{.spec.clusterID}{"\n"}'
1.3.25.3.
1.3.25.4.
1.3.25.5.
1.4.
1.4.1.
1.4.1.1.
1.4.1.2.
1.4.2.
1.4.2.1.
1.4.2.2.
1.4.3.
1.4.3.1.
1.4.3.2.
1.4.4.
1.4.4.1.
1.4.4.2.
1.4.5.
1.4.5.1.
1.4.5.2.
1.4.6.
1.4.6.1.
1.4.6.2.
1.4.7.
1.4.7.1.
1.4.7.2.
1.4.8.
1.4.8.1.
1.4.8.2.
1.4.9.
1.4.9.1.
1.4.9.2.
1.4.10.
1.4.10.1.
1.4.10.2.
1.4.11.
1.4.11.1.
1.4.11.2.
1.4.12.
1.4.12.1.
1.4.12.2.
1.4.13.
1.4.13.1.
1.4.13.2.
1.4.14.
1.4.14.1.
1.4.14.2.
1.4.15.
1.4.15.1.
1.4.15.2.
1.4.16.
1.4.16.1.
1.4.16.2.
1.4.17.
1.4.17.1.
1.4.17.2.
1.4.17.3.
1.4.18.
1.4.18.1.
1.4.18.2.
1.4.18.3.
2장.
2.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2.2.
2.3.
- 주의
Disabling ownership via cluster version overrides prevents upgrades. Please remove overrides before continuing.주의
2.4.
2.4.1.
2.4.2.
$ oc adm must-gather --image=$(oc -n openshift-logging get deployment.apps/cluster-logging-operator -o jsonpath='{.spec.template.spec.containers[?(@.name == "cluster-logging-operator")].image}')$ tar -cvaf must-gather.tar.gz must-gather.local.4157245944708210408
3장.
3.1.
3.1.1.
$ oc project openshift-logging$ oc get clusterlogging instance -o yamlapiVersion: logging.openshift.io/v1 kind: ClusterLogging # ... status:1 collection: logs: fluentdStatus: daemonSet: fluentd2 nodes: collector-2rhqp: ip-10-0-169-13.ec2.internal collector-6fgjh: ip-10-0-165-244.ec2.internal collector-6l2ff: ip-10-0-128-218.ec2.internal collector-54nx5: ip-10-0-139-30.ec2.internal collector-flpnn: ip-10-0-147-228.ec2.internal collector-n2frh: ip-10-0-157-45.ec2.internal pods: failed: [] notReady: [] ready: - collector-2rhqp - collector-54nx5 - collector-6fgjh - collector-6l2ff - collector-flpnn - collector-n2frh logstore:3 elasticsearchStatus: - ShardAllocationEnabled: all cluster: activePrimaryShards: 5 activeShards: 5 initializingShards: 0 numDataNodes: 1 numNodes: 1 pendingTasks: 0 relocatingShards: 0 status: green unassignedShards: 0 clusterName: elasticsearch nodeConditions: elasticsearch-cdm-mkkdys93-1: nodeCount: 1 pods: client: failed: notReady: ready: - elasticsearch-cdm-mkkdys93-1-7f7c6-mjm7c data: failed: notReady: ready: - elasticsearch-cdm-mkkdys93-1-7f7c6-mjm7c master: failed: notReady: ready: - elasticsearch-cdm-mkkdys93-1-7f7c6-mjm7c visualization:4 kibanaStatus: - deployment: kibana pods: failed: [] notReady: [] ready: - kibana-7fb4fd4cc9-f2nls replicaSets: - kibana-7fb4fd4cc9 replicas: 1
3.1.1.1.
nodes:
- conditions:
- lastTransitionTime: 2019-03-15T15:57:22Z
message: Disk storage usage for node is 27.5gb (36.74%). Shards will be not
be allocated on this node.
reason: Disk Watermark Low
status: "True"
type: NodeStorage
deploymentName: example-elasticsearch-clientdatamaster-0-1
upgradeStatus: {}
nodes:
- conditions:
- lastTransitionTime: 2019-03-15T16:04:45Z
message: Disk storage usage for node is 27.5gb (36.74%). Shards will be relocated
from this node.
reason: Disk Watermark High
status: "True"
type: NodeStorage
deploymentName: cluster-logging-operator
upgradeStatus: {}
Elasticsearch Status:
Shard Allocation Enabled: shard allocation unknown
Cluster:
Active Primary Shards: 0
Active Shards: 0
Initializing Shards: 0
Num Data Nodes: 0
Num Nodes: 0
Pending Tasks: 0
Relocating Shards: 0
Status: cluster health unknown
Unassigned Shards: 0
Cluster Name: elasticsearch
Node Conditions:
elasticsearch-cdm-mkkdys93-1:
Last Transition Time: 2019-06-26T03:37:32Z
Message: 0/5 nodes are available: 5 node(s) didn't match node selector.
Reason: Unschedulable
Status: True
Type: Unschedulable
elasticsearch-cdm-mkkdys93-2:
Node Count: 2
Pods:
Client:
Failed:
Not Ready:
elasticsearch-cdm-mkkdys93-1-75dd69dccd-f7f49
elasticsearch-cdm-mkkdys93-2-67c64f5f4c-n58vl
Ready:
Data:
Failed:
Not Ready:
elasticsearch-cdm-mkkdys93-1-75dd69dccd-f7f49
elasticsearch-cdm-mkkdys93-2-67c64f5f4c-n58vl
Ready:
Master:
Failed:
Not Ready:
elasticsearch-cdm-mkkdys93-1-75dd69dccd-f7f49
elasticsearch-cdm-mkkdys93-2-67c64f5f4c-n58vl
Ready:
Node Conditions:
elasticsearch-cdm-mkkdys93-1:
Last Transition Time: 2019-06-26T03:37:32Z
Message: pod has unbound immediate PersistentVolumeClaims (repeated 5 times)
Reason: Unschedulable
Status: True
Type: Unschedulable
Status:
Collection:
Logs:
Fluentd Status:
Daemon Set: fluentd
Nodes:
Pods:
Failed:
Not Ready:
Ready:3.1.2.
$ oc project openshift-logging$ oc describe deployment cluster-logging-operatorName: cluster-logging-operator .... Conditions: Type Status Reason ---- ------ ------ Available True MinimumReplicasAvailable Progressing True NewReplicaSetAvailable .... Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal ScalingReplicaSet 62m deployment-controller Scaled up replica set cluster-logging-operator-574b8987df to 1----$ oc get replicasetNAME DESIRED CURRENT READY AGE cluster-logging-operator-574b8987df 1 1 1 159m elasticsearch-cdm-uhr537yu-1-6869694fb 1 1 1 157m elasticsearch-cdm-uhr537yu-2-857b6d676f 1 1 1 156m elasticsearch-cdm-uhr537yu-3-5b6fdd8cfd 1 1 1 155m kibana-5bd5544f87 1 1 1 157m$ oc describe replicaset cluster-logging-operator-574b8987dfName: cluster-logging-operator-574b8987df .... Replicas: 1 current / 1 desired Pods Status: 1 Running / 0 Waiting / 0 Succeeded / 0 Failed .... Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal SuccessfulCreate 66m replicaset-controller Created pod: cluster-logging-operator-574b8987df-qjhqv----
3.2.
3.2.1.
$ oc delete pod --selector logging-infra=collector
3.2.2.
"values":[["1630410392689800468","{\"kind\":\"Event\",\"apiVersion\":\ ....... ...... ...... ...... \"received_at\":\"2021-08-31T11:46:32.800278+00:00\",\"version\":\"1.7.4 1.6.0\"}},\"@timestamp\":\"2021-08-31T11:46:32.799692+00:00\",\"viaq_index_name\":\"audit-write\",\"viaq_msg_id\":\"MzFjYjJkZjItNjY0MC00YWU4LWIwMTEtNGNmM2E5ZmViMGU4\",\"log_type\":\"audit\"}"]]}]}429 Too Many Requests Ingestion rate limit exceeded2023-08-25T16:08:49.301780Z WARN sink{component_kind="sink" component_id=default_loki_infra component_type=loki component_name=default_loki_infra}: vector::sinks::util::retries: Retrying after error. error=Server responded with an error: 429 Too Many Requests internal_log_rate_limit=true2023-08-30 14:52:15 +0000 [warn]: [default_loki_infra] failed to flush the buffer. retry_times=2 next_retry_time=2023-08-30 14:52:19 +0000 chunk="604251225bf5378ed1567231a1c03b8b" error_class=Fluent::Plugin::LokiOutput::LogPostError error="429 Too Many Requests Ingestion rate limit exceeded for user infrastructure (limit: 4194304 bytes/sec) while attempting to ingest '4082' lines totaling '7820025' bytes, reduce log volume or contact your Loki administrator to see if the limit can be increased\n"level=warn ts=2023-08-30T14:57:34.155592243Z caller=grpc_logging.go:43 duration=1.434942ms method=/logproto.Pusher/Push err="rpc error: code = Code(429) desc = entry with timestamp 2023-08-30 14:57:32.012778399 +0000 UTC ignored, reason: 'Per stream rate limit exceeded (limit: 3MB/sec) while attempting to ingest for stream
3.3.
3.3.1.
$ oc -n openshift-logging get pods -l component=elasticsearch
$ export ES_POD_NAME=<elasticsearch_pod_name>
$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME -- health$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_cat/nodes?v$ oc -n openshift-logging get pods -l component=elasticsearch$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_cat/master?v$ oc logs <elasticsearch_master_pod_name> -c elasticsearch -n openshift-logging$ oc logs <elasticsearch_node_name> -c elasticsearch -n openshift-logging
$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_cat/recovery?active_only=true$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- health | grep number_of_pending_tasks$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_cluster/settings?pretty$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_cluster/settings?pretty \ -X PUT -d '{"persistent": {"cluster.routing.allocation.enable":"all"}}'$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_cat/indices?v$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=<elasticsearch_index_name>/_cache/clear?pretty$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=<elasticsearch_index_name>/_settings?pretty \ -X PUT -d '{"index.allocation.max_retries":10}'$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_search/scroll/_all -X DELETE$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=<elasticsearch_index_name>/_settings?pretty \ -X PUT -d '{"index.unassigned.node_left.delayed_timeout":"10m"}'
$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_cat/indices?v$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=<elasticsearch_red_index_name> -X DELETE
$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_nodes/stats?pretty
3.3.2.
3.3.3.
$ oc -n openshift-logging get pods -l component=elasticsearch
$ export ES_POD_NAME=<elasticsearch_pod_name>
$ oc -n openshift-logging get po -o wide$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_cluster/health?pretty | grep unassigned_shards$ for pod in `oc -n openshift-logging get po -l component=elasticsearch -o jsonpath='{.items[*].metadata.name}'`; \ do echo $pod; oc -n openshift-logging exec -c elasticsearch $pod \ -- df -h /elasticsearch/persistent; doneelasticsearch-cdm-kcrsda6l-1-586cc95d4f-h8zq8 Filesystem Size Used Avail Use% Mounted on /dev/nvme1n1 19G 522M 19G 3% /elasticsearch/persistent elasticsearch-cdm-kcrsda6l-2-5b548fc7b-cwwk7 Filesystem Size Used Avail Use% Mounted on /dev/nvme2n1 19G 522M 19G 3% /elasticsearch/persistent elasticsearch-cdm-kcrsda6l-3-5dfc884d99-59tjw Filesystem Size Used Avail Use% Mounted on /dev/nvme3n1 19G 528M 19G 3% /elasticsearch/persistent$ oc -n openshift-logging get es elasticsearch \ -o jsonpath='{.spec.redundancyPolicy}'$ oc -n openshift-logging get cl \ -o jsonpath='{.items[*].spec.logStore.elasticsearch.redundancyPolicy}'$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME -- indices$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=<elasticsearch_index_name> -X DELETE
3.3.4.
$ oc -n openshift-logging get pods -l component=elasticsearch
$ export ES_POD_NAME=<elasticsearch_pod_name>
$ oc -n openshift-logging get po -o wide$ for pod in `oc -n openshift-logging get po -l component=elasticsearch -o jsonpath='{.items[*].metadata.name}'`; \ do echo $pod; oc -n openshift-logging exec -c elasticsearch $pod \ -- df -h /elasticsearch/persistent; done$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_cluster/health?pretty | grep relocating_shards$ oc -n openshift-logging get es elasticsearch \ -o jsonpath='{.spec.redundancyPolicy}'$ oc -n openshift-logging get cl \ -o jsonpath='{.items[*].spec.logStore.elasticsearch.redundancyPolicy}'$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME -- indices$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=<elasticsearch_index_name> -X DELETE
3.3.5.
$ oc -n openshift-logging get pods -l component=elasticsearch
$ export ES_POD_NAME=<elasticsearch_pod_name>
$ for pod in `oc -n openshift-logging get po -l component=elasticsearch -o jsonpath='{.items[*].metadata.name}'`; \ do echo $pod; oc -n openshift-logging exec -c elasticsearch $pod \ -- df -h /elasticsearch/persistent; doneelasticsearch-cdm-kcrsda6l-1-586cc95d4f-h8zq8 Filesystem Size Used Avail Use% Mounted on /dev/nvme1n1 19G 522M 19G 3% /elasticsearch/persistent elasticsearch-cdm-kcrsda6l-2-5b548fc7b-cwwk7 Filesystem Size Used Avail Use% Mounted on /dev/nvme2n1 19G 522M 19G 3% /elasticsearch/persistent elasticsearch-cdm-kcrsda6l-3-5dfc884d99-59tjw Filesystem Size Used Avail Use% Mounted on /dev/nvme3n1 19G 528M 19G 3% /elasticsearch/persistent$ oc -n openshift-logging get es elasticsearch \ -o jsonpath='{.spec.redundancyPolicy}'$ oc -n openshift-logging get cl \ -o jsonpath='{.items[*].spec.logStore.elasticsearch.redundancyPolicy}'$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME -- indices$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=<elasticsearch_index_name> -X DELETE
$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=_all/_settings?pretty \ -X PUT -d '{"index.blocks.read_only_allow_delete": null}'
3.3.6.
3.3.7.
3.3.8.
3.3.9.
$ for pod in `oc -n openshift-logging get po -l component=elasticsearch -o jsonpath='{.items[*].metadata.name}'`; \ do echo $pod; oc -n openshift-logging exec -c elasticsearch $pod \ -- df -h /elasticsearch/persistent; doneelasticsearch-cdm-kcrsda6l-1-586cc95d4f-h8zq8 Filesystem Size Used Avail Use% Mounted on /dev/nvme1n1 19G 522M 19G 3% /elasticsearch/persistent elasticsearch-cdm-kcrsda6l-2-5b548fc7b-cwwk7 Filesystem Size Used Avail Use% Mounted on /dev/nvme2n1 19G 522M 19G 3% /elasticsearch/persistent elasticsearch-cdm-kcrsda6l-3-5dfc884d99-59tjw Filesystem Size Used Avail Use% Mounted on /dev/nvme3n1 19G 528M 19G 3% /elasticsearch/persistent$ oc -n openshift-logging get es elasticsearch -o jsonpath='{.spec.redundancyPolicy}'$ oc -n openshift-logging get cl \ -o jsonpath='{.items[*].spec.logStore.elasticsearch.redundancyPolicy}'$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME -- indices$ oc exec -n openshift-logging -c elasticsearch $ES_POD_NAME \ -- es_util --query=<elasticsearch_index_name> -X DELETE
3.3.10.
3.4.
3.4.1.
$ oc project openshift-logging$ oc get ElasticsearchNAME AGE elasticsearch 5h9m$ oc get Elasticsearch <Elasticsearch-instance> -o yaml$ oc get Elasticsearch elasticsearch -n openshift-logging -o yamlstatus:1 cluster:2 activePrimaryShards: 30 activeShards: 60 initializingShards: 0 numDataNodes: 3 numNodes: 3 pendingTasks: 0 relocatingShards: 0 status: green unassignedShards: 0 clusterHealth: "" conditions: []3 nodes:4 - deploymentName: elasticsearch-cdm-zjf34ved-1 upgradeStatus: {} - deploymentName: elasticsearch-cdm-zjf34ved-2 upgradeStatus: {} - deploymentName: elasticsearch-cdm-zjf34ved-3 upgradeStatus: {} pods:5 client: failed: [] notReady: [] ready: - elasticsearch-cdm-zjf34ved-1-6d7fbf844f-sn422 - elasticsearch-cdm-zjf34ved-2-dfbd988bc-qkzjz - elasticsearch-cdm-zjf34ved-3-c8f566f7c-t7zkt data: failed: [] notReady: [] ready: - elasticsearch-cdm-zjf34ved-1-6d7fbf844f-sn422 - elasticsearch-cdm-zjf34ved-2-dfbd988bc-qkzjz - elasticsearch-cdm-zjf34ved-3-c8f566f7c-t7zkt master: failed: [] notReady: [] ready: - elasticsearch-cdm-zjf34ved-1-6d7fbf844f-sn422 - elasticsearch-cdm-zjf34ved-2-dfbd988bc-qkzjz - elasticsearch-cdm-zjf34ved-3-c8f566f7c-t7zkt shardAllocationEnabled: all
3.4.1.1.
status:
nodes:
- conditions:
- lastTransitionTime: 2019-03-15T15:57:22Z
message: Disk storage usage for node is 27.5gb (36.74%). Shards will be not
be allocated on this node.
reason: Disk Watermark Low
status: "True"
type: NodeStorage
deploymentName: example-elasticsearch-cdm-0-1
upgradeStatus: {}
status:
nodes:
- conditions:
- lastTransitionTime: 2019-03-15T16:04:45Z
message: Disk storage usage for node is 27.5gb (36.74%). Shards will be relocated
from this node.
reason: Disk Watermark High
status: "True"
type: NodeStorage
deploymentName: example-elasticsearch-cdm-0-1
upgradeStatus: {}
status:
nodes:
- conditions:
- lastTransitionTime: 2019-04-10T02:26:24Z
message: '0/8 nodes are available: 8 node(s) didn''t match node selector.'
reason: Unschedulable
status: "True"
type: Unschedulable
status:
nodes:
- conditions:
- last Transition Time: 2019-04-10T05:55:51Z
message: pod has unbound immediate PersistentVolumeClaims (repeated 5 times)
reason: Unschedulable
status: True
type: Unschedulable
status:
clusterHealth: ""
conditions:
- lastTransitionTime: 2019-04-17T20:01:31Z
message: Wrong RedundancyPolicy selected. Choose different RedundancyPolicy or
add more nodes with data roles
reason: Invalid Settings
status: "True"
type: InvalidRedundancy
status:
clusterHealth: green
conditions:
- lastTransitionTime: '2019-04-17T20:12:34Z'
message: >-
Invalid master nodes count. Please ensure there are no more than 3 total
nodes with master roles
reason: Invalid Settings
status: 'True'
type: InvalidMasters
status:
clusterHealth: green
conditions:
- lastTransitionTime: "2021-05-07T01:05:13Z"
message: Changing the storage structure for a custom resource is not supported
reason: StorageStructureChangeIgnored
status: 'True'
type: StorageStructureChangeIgnored
- 중요
3.4.2.
$ oc get pods --selector component=elasticsearch -o namepod/elasticsearch-cdm-1godmszn-1-6f8495-vp4lw pod/elasticsearch-cdm-1godmszn-2-5769cf-9ms2n pod/elasticsearch-cdm-1godmszn-3-f66f7d-zqkz7$ oc exec elasticsearch-cdm-4vjor49p-2-6d4d7db474-q2w7z -- indicesDefaulting container name to elasticsearch. Use 'oc describe pod/elasticsearch-cdm-4vjor49p-2-6d4d7db474-q2w7z -n openshift-logging' to see all of the containers in this pod. green open infra-000002 S4QANnf1QP6NgCegfnrnbQ 3 1 119926 0 157 78 green open audit-000001 8_EQx77iQCSTzFOXtxRqFw 3 1 0 0 0 0 green open .security iDjscH7aSUGhIdq0LheLBQ 1 1 5 0 0 0 green open .kibana_-377444158_kubeadmin yBywZ9GfSrKebz5gWBZbjw 3 1 1 0 0 0 green open infra-000001 z6Dpe__ORgiopEpW6Yl44A 3 1 871000 0 874 436 green open app-000001 hIrazQCeSISewG3c2VIvsQ 3 1 2453 0 3 1 green open .kibana_1 JCitcBMSQxKOvIq6iQW6wg 1 1 0 0 0 0 green open .kibana_-1595131456_user1 gIYFIEGRRe-ka0W3okS-mQ 3 1 1 0 0 0
$ oc get pods --selector component=elasticsearch -o namepod/elasticsearch-cdm-1godmszn-1-6f8495-vp4lw pod/elasticsearch-cdm-1godmszn-2-5769cf-9ms2n pod/elasticsearch-cdm-1godmszn-3-f66f7d-zqkz7$ oc describe pod elasticsearch-cdm-1godmszn-1-6f8495-vp4lw.... Status: Running .... Containers: elasticsearch: Container ID: cri-o://b7d44e0a9ea486e27f47763f5bb4c39dfd2 State: Running Started: Mon, 08 Jun 2020 10:17:56 -0400 Ready: True Restart Count: 0 Readiness: exec [/usr/share/elasticsearch/probe/readiness.sh] delay=10s timeout=30s period=5s #success=1 #failure=3 .... proxy: Container ID: cri-o://3f77032abaddbb1652c116278652908dc01860320b8a4e741d06894b2f8f9aa1 State: Running Started: Mon, 08 Jun 2020 10:18:38 -0400 Ready: True Restart Count: 0 .... Conditions: Type Status Initialized True Ready True ContainersReady True PodScheduled True .... Events: <none>
$ oc get deployment --selector component=elasticsearch -o namedeployment.extensions/elasticsearch-cdm-1gon-1 deployment.extensions/elasticsearch-cdm-1gon-2 deployment.extensions/elasticsearch-cdm-1gon-3$ oc describe deployment elasticsearch-cdm-1gon-1.... Containers: elasticsearch: Image: registry.redhat.io/openshift-logging/elasticsearch6-rhel8 Readiness: exec [/usr/share/elasticsearch/probe/readiness.sh] delay=10s timeout=30s period=5s #success=1 #failure=3 .... Conditions: Type Status Reason ---- ------ ------ Progressing Unknown DeploymentPaused Available True MinimumReplicasAvailable .... Events: <none>
$ oc get replicaSet --selector component=elasticsearch -o name replicaset.extensions/elasticsearch-cdm-1gon-1-6f8495 replicaset.extensions/elasticsearch-cdm-1gon-2-5769cf replicaset.extensions/elasticsearch-cdm-1gon-3-f66f7d$ oc describe replicaSet elasticsearch-cdm-1gon-1-6f8495.... Containers: elasticsearch: Image: registry.redhat.io/openshift-logging/elasticsearch6-rhel8@sha256:4265742c7cdd85359140e2d7d703e4311b6497eec7676957f455d6908e7b1c25 Readiness: exec [/usr/share/elasticsearch/probe/readiness.sh] delay=10s timeout=30s period=5s #success=1 #failure=3 .... Events: <none>
3.4.3.
eo_elasticsearch_cr_cluster_management_state{state="managed"} 1 eo_elasticsearch_cr_cluster_management_state{state="unmanaged"} 0eo_elasticsearch_cr_restart_total{reason="cert_restart"} 1 eo_elasticsearch_cr_restart_total{reason="rolling_restart"} 1 eo_elasticsearch_cr_restart_total{reason="scheduled_restart"} 3Total number of Namespaces. es_index_namespaces_total 5es_index_document_count{namespace="namespace_1"} 25 es_index_document_count{namespace="namespace_2"} 10 es_index_document_count{namespace="namespace_3"} 5
message": "Secret \"elasticsearch\" fields are either missing or empty: [admin-cert, admin-key, logging-es.crt, logging-es.key]",
"reason": "Missing Required Secrets",4장.
4.1.
- 참고
- 참고
- 참고
4.2.
4.2.1.
4.2.2.
4.2.3.
4.2.4.
4.2.5.
4.2.6.
5장.
5.1.
- 참고
5.2.
- 참고
- 참고
5.3.
apiVersion: v1 kind: Namespace metadata: name: <name>1 annotations: openshift.io/node-selector: "" labels: openshift.io/cluster-monitoring: "true"$ oc apply -f <filename>.yamlapiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: cluster-logging namespace: openshift-logging1 spec: targetNamespaces: [ ]2 $ oc apply -f <filename>.yamlapiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: cluster-logging namespace: openshift-logging1 spec: channel: stable2 name: cluster-logging source: redhat-operators3 sourceNamespace: openshift-marketplace$ oc apply -f <filename>.yaml
$ oc get csv -n <namespace>NAMESPACE NAME DISPLAY VERSION REPLACES PHASE ... openshift-logging clusterlogging.5.8.0-202007012112.p0 OpenShift Logging 5.8.0-202007012112.p0 Succeeded ...
5.4.
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: instance1 namespace: openshift-logging spec: managementState: Managed2 logStore: type: elasticsearch3 retentionPolicy:4 application: maxAge: 1d infra: maxAge: 7d audit: maxAge: 7d elasticsearch: nodeCount: 35 storage: storageClassName: <storage_class_name>6 size: 200G resources:7 limits: memory: 16Gi requests: memory: 16Gi proxy:8 resources: limits: memory: 256Mi requests: memory: 256Mi redundancyPolicy: SingleRedundancy visualization: type: kibana9 kibana: replicas: 1 collection: type: fluentd10 fluentd: {}참고$ oc get deploymentNAME READY UP-TO-DATE AVAILABLE AGE cluster-logging-operator 1/1 1 1 18h elasticsearch-cd-x6kdekli-1 1/1 1 1 6m54s elasticsearch-cdm-x6kdekli-1 1/1 1 1 18h elasticsearch-cdm-x6kdekli-2 1/1 1 1 6m49s elasticsearch-cdm-x6kdekli-3 1/1 1 1 6m44s
$ oc get pods -n openshift-loggingNAME READY STATUS RESTARTS AGE cluster-logging-operator-66f77ffccb-ppzbg 1/1 Running 0 7m elasticsearch-cdm-ftuhduuw-1-ffc4b9566-q6bhp 2/2 Running 0 2m40s elasticsearch-cdm-ftuhduuw-2-7b4994dbfc-rd2gc 2/2 Running 0 2m36s elasticsearch-cdm-ftuhduuw-3-84b5ff7ff8-gqnm2 2/2 Running 0 2m4s collector-587vb 1/1 Running 0 2m26s collector-7mpb9 1/1 Running 0 2m30s collector-flm6j 1/1 Running 0 2m33s collector-gn4rn 1/1 Running 0 2m26s collector-nlgb6 1/1 Running 0 2m30s collector-snpkt 1/1 Running 0 2m28s kibana-d6d5668c5-rppqm 2/2 Running 0 2m39s
5.5.
5.5.1.
apiVersion: logging.openshift.io/v1
kind: ClusterLogging
metadata:
name: instance
namespace: openshift-logging
spec:
managementState: Managed
# ...5.5.2.
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: # ... spec: # ... logStore: type: <log_store_type>1 elasticsearch:2 nodeCount: <integer> resources: {} storage: {} redundancyPolicy: <redundancy_type>3 lokistack:4 name: {} # ...apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: instance namespace: openshift-logging spec: managementState: Managed logStore: type: lokistack lokistack: name: logging-loki # ...$ oc apply -f <filename>.yaml
5.5.3.
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: # ... spec: # ... collection: type: <log_collector_type>1 resources: {} tolerations: {} # ...$ oc apply -f <filename>.yaml
5.5.4.
5.5.5.
$ oc adm pod-network join-projects --to=openshift-operators-redhat openshift-logging$ oc label namespace openshift-operators-redhat project=openshift-operators-redhatapiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-from-openshift-monitoring-ingress-operators-redhat spec: ingress: - from: - podSelector: {} - from: - namespaceSelector: matchLabels: project: "openshift-operators-redhat" - from: - namespaceSelector: matchLabels: name: "openshift-monitoring" - from: - namespaceSelector: matchLabels: network.openshift.io/policy-group: ingress podSelector: {} policyTypes: - Ingress
6장.
6.1.
6.2.
6.3.
$ oc -n openshift-logging delete subscription <subscription>$ oc -n openshift-logging delete operatorgroup <operator_group_name>$ oc delete clusterserviceversion cluster-logging.<version>
$ oc get operatorgroup <operator_group_name> -o yamlapiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: openshift-logging-f52cn namespace: openshift-logging spec: upgradeStrategy: Default status: namespaces: - "" # ...
6.4.
6.5.
6.6.
- 중요
$ oc get pod -n openshift-logging --selector component=elasticsearchNAME READY STATUS RESTARTS AGE elasticsearch-cdm-1pbrl44l-1-55b7546f4c-mshhk 2/2 Running 0 31m elasticsearch-cdm-1pbrl44l-2-5c6d87589f-gx5hk 2/2 Running 0 30m elasticsearch-cdm-1pbrl44l-3-88df5d47-m45jc 2/2 Running 0 29m$ oc exec -n openshift-logging -c elasticsearch elasticsearch-cdm-1pbrl44l-1-55b7546f4c-mshhk -- health{ "cluster_name" : "elasticsearch", "status" : "green", }$ oc project openshift-logging$ oc get cronjobNAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE elasticsearch-im-app */15 * * * * False 0 <none> 56s elasticsearch-im-audit */15 * * * * False 0 <none> 56s elasticsearch-im-infra */15 * * * * False 0 <none> 56s$ oc exec -c elasticsearch <any_es_pod_in_the_cluster> -- indices예 6.1.
Tue Jun 30 14:30:54 UTC 2020 health status index uuid pri rep docs.count docs.deleted store.size pri.store.size green open infra-000008 bnBvUFEXTWi92z3zWAzieQ 3 1 222195 0 289 144 green open infra-000004 rtDSzoqsSl6saisSK7Au1Q 3 1 226717 0 297 148 green open infra-000012 RSf_kUwDSR2xEuKRZMPqZQ 3 1 227623 0 295 147 green open .kibana_7 1SJdCqlZTPWlIAaOUd78yg 1 1 4 0 0 0 green open infra-000010 iXwL3bnqTuGEABbUDa6OVw 3 1 248368 0 317 158 green open infra-000009 YN9EsULWSNaxWeeNvOs0RA 3 1 258799 0 337 168 green open infra-000014 YP0U6R7FQ_GVQVQZ6Yh9Ig 3 1 223788 0 292 146 green open infra-000015 JRBbAbEmSMqK5X40df9HbQ 3 1 224371 0 291 145 green open .orphaned.2020.06.30 n_xQC2dWQzConkvQqei3YA 3 1 9 0 0 0 green open infra-000007 llkkAVSzSOmosWTSAJM_hg 3 1 228584 0 296 148 green open infra-000005 d9BoGQdiQASsS3BBFm2iRA 3 1 227987 0 297 148 green open infra-000003 1-goREK1QUKlQPAIVkWVaQ 3 1 226719 0 295 147 green open .security zeT65uOuRTKZMjg_bbUc1g 1 1 5 0 0 0 green open .kibana-377444158_kubeadmin wvMhDwJkR-mRZQO84K0gUQ 3 1 1 0 0 0 green open infra-000006 5H-KBSXGQKiO7hdapDE23g 3 1 226676 0 295 147 green open infra-000001 eH53BQ-bSxSWR5xYZB6lVg 3 1 341800 0 443 220 green open .kibana-6 RVp7TemSSemGJcsSUmuf3A 1 1 4 0 0 0 green open infra-000011 J7XWBauWSTe0jnzX02fU6A 3 1 226100 0 293 146 green open app-000001 axSAFfONQDmKwatkjPXdtw 3 1 103186 0 126 57 green open infra-000016 m9c1iRLtStWSF1GopaRyCg 3 1 13685 0 19 9 green open infra-000002 Hz6WvINtTvKcQzw-ewmbYg 3 1 228994 0 296 148 green open infra-000013 KR9mMFUpQl-jraYtanyIGw 3 1 228166 0 298 148 green open audit-000001 eERqLdLmQOiQDFES1LBATQ 3 1 0 0 0 0$ oc get kibana kibana -o json예 6.2.
[ { "clusterCondition": { "kibana-5fdd766ffd-nb2jj": [ { "lastTransitionTime": "2020-06-30T14:11:07Z", "reason": "ContainerCreating", "status": "True", "type": "" }, { "lastTransitionTime": "2020-06-30T14:11:07Z", "reason": "ContainerCreating", "status": "True", "type": "" } ] }, "deployment": "kibana", "pods": { "failed": [], "notReady": [] "ready": [] }, "replicaSets": [ "kibana-5fdd766ffd" ], "replicas": 1 } ]
7장.
7.1.
7.1.1.
7.1.2.
7.1.2.1.
- 참고
$ oc logs -f <pod_name> -c <container_name>$ oc logs ruby-58cd97df55-mww7r$ oc logs -f ruby-57f7f4855b-znl92 -c ruby$ oc logs <object_type>/<resource_name>1 $ oc logs deployment/ruby
7.2.
7.2.1.
7.2.2.
$ oc get consoles.operator.openshift.io cluster -o yaml |grep logging-view-plugin \ || oc patch consoles.operator.openshift.io cluster --type=merge \ --patch '{ "spec": { "plugins": ["logging-view-plugin"]}}'$ oc patch clusterlogging instance --type=merge --patch \ '{ "metadata": { "annotations": { "logging.openshift.io/ocp-console-migration-target": "lokistack-dev" }}}' \ -n openshift-loggingclusterlogging.logging.openshift.io/instance patched
$ oc get clusterlogging instance \ -o=jsonpath='{.metadata.annotations.logging\.openshift\.io/ocp-console-migration-target}' \ -n openshift-logging"lokistack-dev"
7.3.
7.3.1.
7.3.2.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7.3.3.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7.4.
7.4.1.
$ oc auth can-i get pods --subresource log -n <project>yes참고
7.4.2.
$ oc auth can-i get pods --subresource log -n <project>yes참고
예 7.1.
{ "_index": "infra-000001", "_type": "_doc", "_id": "YmJmYTBlNDkZTRmLTliMGQtMjE3NmFiOGUyOWM3", "_version": 1, "_score": null, "_source": { "docker": { "container_id": "f85fa55bbef7bb783f041066be1e7c267a6b88c4603dfce213e32c1" }, "kubernetes": { "container_name": "registry-server", "namespace_name": "openshift-marketplace", "pod_name": "redhat-marketplace-n64gc", "container_image": "registry.redhat.io/redhat/redhat-marketplace-index:v4.7", "container_image_id": "registry.redhat.io/redhat/redhat-marketplace-index@sha256:65fc0c45aabb95809e376feb065771ecda9e5e59cc8b3024c4545c168f", "pod_id": "8f594ea2-c866-4b5c-a1c8-a50756704b2a", "host": "ip-10-0-182-28.us-east-2.compute.internal", "master_url": "https://kubernetes.default.svc", "namespace_id": "3abab127-7669-4eb3-b9ef-44c04ad68d38", "namespace_labels": { "openshift_io/cluster-monitoring": "true" }, "flat_labels": [ "catalogsource_operators_coreos_com/update=redhat-marketplace" ] }, "message": "time=\"2020-09-23T20:47:03Z\" level=info msg=\"serving registry\" database=/database/index.db port=50051", "level": "unknown", "hostname": "ip-10-0-182-28.internal", "pipeline_metadata": { "collector": { "ipaddr4": "10.0.182.28", "inputname": "fluent-plugin-systemd", "name": "fluentd", "received_at": "2020-09-23T20:47:15.007583+00:00", "version": "1.7.4 1.6.0" } }, "@timestamp": "2020-09-23T20:47:03.422465+00:00", "viaq_msg_id": "YmJmYTBlNDktMDMGQtMjE3NmFiOGUyOWM3", "openshift": { "labels": { "logging": "infra" } } }, "fields": { "@timestamp": [ "2020-09-23T20:47:03.422Z" ], "pipeline_metadata.collector.received_at": [ "2020-09-23T20:47:15.007Z" ] }, "sort": [ 1600894023422 ] }
7.4.3.
7.4.3.1.
$ oc -n openshift-logging edit ClusterLogging instanceapiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" metadata: name: "instance" namespace: openshift-logging ... spec: managementState: "Managed" logStore: type: "elasticsearch" elasticsearch: nodeCount: 3 resources:1 limits: memory: 16Gi requests: cpu: 200m memory: 16Gi storage: storageClassName: "gp2" size: "200G" redundancyPolicy: "SingleRedundancy" visualization: type: "kibana" kibana: resources:2 limits: memory: 1Gi requests: cpu: 500m memory: 1Gi proxy: resources:3 limits: memory: 100Mi requests: cpu: 100m memory: 100Mi replicas: 2 collection: resources:4 limits: memory: 736Mi requests: cpu: 200m memory: 736Mi type: fluentd
7.4.3.2.
$ oc edit ClusterLogging instance$ oc edit ClusterLogging instance apiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" metadata: name: "instance" .... spec: visualization: type: "kibana" kibana: replicas: 11
8장.
8.1.
8.1.1.
$ oc -n openshift-logging edit ClusterLogging instanceapiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" metadata: name: "instance" namespace: openshift-logging ... spec: managementState: "Managed" logStore: type: "elasticsearch" elasticsearch: nodeCount: 3 resources:1 limits: memory: 16Gi requests: cpu: 200m memory: 16Gi storage: storageClassName: "gp2" size: "200G" redundancyPolicy: "SingleRedundancy" visualization: type: "kibana" kibana: resources:2 limits: memory: 1Gi requests: cpu: 500m memory: 1Gi proxy: resources:3 limits: memory: 100Mi requests: cpu: 100m memory: 100Mi replicas: 2 collection: resources:4 limits: memory: 736Mi requests: cpu: 200m memory: 736Mi type: fluentd
8.2.
8.2.1.
- 참고
variant: openshift version: 4.12.0 metadata: name: 40-worker-custom-journald labels: machineconfiguration.openshift.io/role: "worker" storage: files: - path: /etc/systemd/journald.conf mode: 06441 overwrite: true contents: inline: | Compress=yes2 ForwardToConsole=no3 ForwardToSyslog=no MaxRetentionSec=1month4 RateLimitBurst=100005 RateLimitIntervalSec=30s Storage=persistent6 SyncIntervalSec=1s7 SystemMaxUse=8G8 SystemKeepFree=20%9 SystemMaxFileSize=10M10 $ butane 40-worker-custom-journald.bu -o 40-worker-custom-journald.yaml$ oc apply -f 40-worker-custom-journald.yaml$ oc describe machineconfigpool/workerName: worker Namespace: Labels: machineconfiguration.openshift.io/mco-built-in= Annotations: <none> API Version: machineconfiguration.openshift.io/v1 Kind: MachineConfigPool ... Conditions: Message: Reason: All nodes are updating to rendered-worker-913514517bcea7c93bd446f4830bc64e
9장.
9.1.
9.1.1.
9.1.1.1.
apiVersion: logging.openshift.io/v1
kind: ClusterLogging
metadata:
name: instance
namespace: openshift-logging
spec:
collection:
logs:
type: vector
vector: {}
# ...9.1.1.2.
9.1.1.3.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
| |
|
|
| |
|
|
| |
|
|
| |
|
|
| |
|
|
| |
|
|
| |
|
|
| |
|
|
| |
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
9.1.1.4.
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9.1.2.
9.1.2.1.
9.1.2.1.1.
9.1.2.1.2.
9.1.2.2.
9.1.2.2.1.
$ oc adm policy add-cluster-role-to-user <cluster_role_name> system:serviceaccount:<namespace_name>:<service_account_name>
9.2.
9.2.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9.2.2.
- 참고
- 중요
9.3.
9.3.1.
{"level":"info","name":"fred","home":"bedrock"}
pipelines:
- inputRefs: [ application ]
outputRefs: myFluentd
parse: json
{"structured": { "level": "info", "name": "fred", "home": "bedrock" },
"more fields..."}
9.3.2.
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
# ...
spec:
# ...
outputDefaults:
elasticsearch:
structuredTypeKey: kubernetes.labels.logFormat
structuredTypeName: nologformat
pipelines:
- inputRefs:
- application
outputRefs:
- default
parse: json
{
"structured":{"name":"fred","home":"bedrock"},
"kubernetes":{"labels":{"logFormat": "apache", ...}}
}
{
"structured":{"name":"wilma","home":"bedrock"},
"kubernetes":{"labels":{"logFormat": "google", ...}}
}
outputDefaults:
elasticsearch:
structuredTypeKey: openshift.labels.myLabel
structuredTypeName: nologformat
pipelines:
- name: application-logs
inputRefs:
- application
- audit
outputRefs:
- elasticsearch-secure
- default
parse: json
labels:
myLabel: myValue
{
"structured":{"name":"fred","home":"bedrock"},
"openshift":{"labels":{"myLabel": "myValue", ...}}
}
9.3.3.
outputDefaults: elasticsearch: structuredTypeKey: <log record field> structuredTypeName: <name> pipelines: - inputRefs: - application outputRefs: default parse: json- 중요
$ oc create -f <filename>.yaml$ oc delete pod --selector logging-infra=collector
9.3.4.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: outputDefaults: elasticsearch: structuredTypeKey: kubernetes.labels.logFormat1 structuredTypeName: nologformat enableStructuredContainerLogs: true2 pipelines: - inputRefs: - application name: application-logs outputRefs: - default parse: jsonapiVersion: v1 kind: Pod metadata: annotations: containerType.logging.openshift.io/heavy: heavy1 containerType.logging.openshift.io/low: low spec: containers: - name: heavy2 image: heavyimage - name: low image: lowimage
9.4.
9.4.1.
apiVersion: "logging.openshift.io/v1"
kind: ClusterLogForwarder
metadata:
name: <log_forwarder_name>
namespace: <log_forwarder_namespace>
spec:
serviceAccountName: <service_account_name>
outputs:
- name: elasticsearch-secure
type: "elasticsearch"
url: https://elasticsearch.secure.com:9200
secret:
name: elasticsearch
- name: elasticsearch-insecure
type: "elasticsearch"
url: http://elasticsearch.insecure.com:9200
- name: kafka-app
type: "kafka"
url: tls://kafka.secure.com:9093/app-topic
inputs:
- name: my-app-logs
application:
namespaces:
- my-project
pipelines:
- name: audit-logs
inputRefs:
- audit
outputRefs:
- elasticsearch-secure
- default
labels:
secure: "true"
datacenter: "east"
- name: infrastructure-logs
inputRefs:
- infrastructure
outputRefs:
- elasticsearch-insecure
labels:
datacenter: "west"
- name: my-app
inputRefs:
- my-app-logs
outputRefs:
- default
- inputRefs:
- application
outputRefs:
- kafka-app
labels:
datacenter: "south"
9.4.1.1.
$ oc create secret generic -n <namespace> <secret_name> \
--from-file=ca-bundle.crt=<your_bundle_file> \
--from-literal=username=<your_username> \
--from-literal=password=<your_password>
9.4.2.
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
name: <log_forwarder_name>
namespace: <log_forwarder_namespace>
spec:
serviceAccountName: <service_account_name>
pipelines:
- inputRefs:
- <log_type>
outputRefs:
- <output_name>
outputs:
- name: <output_name>
type: <output_type>
url: <log_output_url>
# ...9.4.3.
java.lang.NullPointerException: Cannot invoke "String.toString()" because "<param1>" is null
at testjava.Main.handle(Main.java:47)
at testjava.Main.printMe(Main.java:19)
at testjava.Main.main(Main.java:10)
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
name: instance
namespace: openshift-logging
spec:
pipelines:
- name: my-app-logs
inputRefs:
- application
outputRefs:
- default
detectMultilineErrors: true9.4.3.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
9.4.3.2.
[transforms.detect_exceptions_app-logs]
type = "detect_exceptions"
inputs = ["application"]
languages = ["All"]
group_by = ["kubernetes.namespace_name","kubernetes.pod_name","kubernetes.container_name"]
expire_after_ms = 2000
multiline_flush_interval_ms = 1000
<label @MULTILINE_APP_LOGS>
<match kubernetes.**>
@type detect_exceptions
remove_tag_prefix 'kubernetes'
message message
force_line_breaks true
multiline_flush_interval .2
</match>
</label>9.4.4.
$ oc -n openshift-logging create secret generic gcp-secret --from-file google-application-credentials.json=<your_service_account_key_file.json>apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: serviceAccountName: <service_account_name>3 outputs: - name: gcp-1 type: googleCloudLogging secret: name: gcp-secret googleCloudLogging: projectId : "openshift-gce-devel"4 logId : "app-gcp"5 pipelines: - name: test-app inputRefs:6 - application outputRefs: - gcp-1
9.4.5.
$ oc -n openshift-logging create secret generic vector-splunk-secret --from-literal hecToken=<HEC_Token>apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: serviceAccountName: <service_account_name>3 outputs: - name: splunk-receiver4 secret: name: vector-splunk-secret5 type: splunk6 url: <http://your.splunk.hec.url:8088>7 pipelines:8 - inputRefs: - application - infrastructure name:9 outputRefs: - splunk-receiver10
9.4.6.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: serviceAccountName: <service_account_name>3 outputs: - name: httpout-app type: http url:4 http: headers:5 h1: v1 h2: v2 method: POST secret: name:6 tls: insecureSkipVerify:7 pipelines: - name: inputRefs: - application outputRefs: - httpout-app8
9.4.7.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: instance1 namespace: openshift-logging2 spec: outputs: - name: fluentd-server-secure3 type: fluentdForward4 url: 'tls://fluentdserver.security.example.com:24224'5 secret:6 name: fluentd-secret - name: fluentd-server-insecure type: fluentdForward url: 'tcp://fluentdserver.home.example.com:24224' inputs:7 - name: my-app-logs application: namespaces: - my-project8 pipelines: - name: forward-to-fluentd-insecure9 inputRefs:10 - my-app-logs outputRefs:11 - fluentd-server-insecure labels: project: "my-project"12 - name: forward-to-fluentd-secure13 inputRefs: - application14 - audit - infrastructure outputRefs: - fluentd-server-secure - default labels: clusterId: "C1234"$ oc apply -f <filename>.yaml
9.4.8.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: pipelines: - inputRefs: [ myAppLogData ]3 outputRefs: [ default ]4 inputs:5 - name: myAppLogData application: selector: matchLabels:6 environment: production app: nginx namespaces:7 - app1 - app2 outputs:8 - <output_name> ...- inputRefs: [ myAppLogData, myOtherAppLogData ]
$ oc create -f <file-name>.yaml
9.4.9.
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
name: instance
namespace: openshift-logging
spec:
pipelines:
- name: my-pipeline
inputRefs: audit
filterRefs: my-policy
outputRefs: default
filters:
- name: my-policy
type: kubeAPIAudit
kubeAPIAudit:
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata9.4.10.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: serviceAccountName: <service_account_name>3 outputs: - name: loki-insecure4 type: "loki"5 url: http://loki.insecure.com:31006 loki: tenantKey: kubernetes.namespace_name labelKeys: - kubernetes.labels.foo - name: loki-secure7 type: "loki" url: https://loki.secure.com:3100 secret: name: loki-secret8 loki: tenantKey: kubernetes.namespace_name9 labelKeys: - kubernetes.labels.foo10 pipelines: - name: application-logs11 inputRefs:12 - application - audit outputRefs:13 - loki-secure참고$ oc apply -f <filename>.yaml
9.4.11.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: serviceAccountName: <service_account_name>3 outputs: - name: elasticsearch-example4 type: elasticsearch5 elasticsearch: version: 86 url: http://elasticsearch.example.com:92007 secret: name: es-secret8 pipelines: - name: application-logs9 inputRefs:10 - application - audit outputRefs: - elasticsearch-example11 - default12 labels: myLabel: "myValue"13 # ...$ oc apply -f <filename>.yaml
apiVersion: v1 kind: Secret metadata: name: openshift-test-secret data: username: <username> password: <password> # ...$ oc create secret -n openshift-logging openshift-test-secret.yamlkind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: outputs: - name: elasticsearch type: "elasticsearch" url: https://elasticsearch.secure.com:9200 secret: name: openshift-test-secret # ...참고$ oc apply -f <filename>.yaml
9.4.12.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: instance1 namespace: openshift-logging2 spec: outputs: - name: fluentd-server-secure3 type: fluentdForward4 url: 'tls://fluentdserver.security.example.com:24224'5 secret:6 name: fluentd-secret - name: fluentd-server-insecure type: fluentdForward url: 'tcp://fluentdserver.home.example.com:24224' pipelines: - name: forward-to-fluentd-secure7 inputRefs:8 - application - audit outputRefs: - fluentd-server-secure9 - default10 labels: clusterId: "C1234"11 - name: forward-to-fluentd-insecure12 inputRefs: - infrastructure outputRefs: - fluentd-server-insecure labels: clusterId: "C1234"$ oc create -f <file-name>.yaml
9.4.12.1.
input { tcp { codec => fluent { nanosecond_precision => true } port => 24114 } }
filter { }
output { stdout { codec => rubydebug } }9.4.13.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: serviceAccountName: <service_account_name>3 outputs: - name: rsyslog-east4 type: syslog5 syslog:6 facility: local0 rfc: RFC3164 payloadKey: message severity: informational url: 'tls://rsyslogserver.east.example.com:514'7 secret:8 name: syslog-secret - name: rsyslog-west type: syslog syslog: appName: myapp facility: user msgID: mymsg procID: myproc rfc: RFC5424 severity: debug url: 'tcp://rsyslogserver.west.example.com:514' pipelines: - name: syslog-east9 inputRefs:10 - audit - application outputRefs:11 - rsyslog-east - default12 labels: secure: "true"13 syslog: "east" - name: syslog-west14 inputRefs: - infrastructure outputRefs: - rsyslog-west - default labels: syslog: "west"$ oc create -f <filename>.yaml
9.4.13.1.
spec:
outputs:
- name: syslogout
syslog:
addLogSource: true
facility: user
payloadKey: message
rfc: RFC3164
severity: debug
tag: mytag
type: syslog
url: tls://syslog-receiver.openshift-logging.svc:24224
pipelines:
- inputRefs:
- application
name: test-app
outputRefs:
- syslogout
<15>1 2020-11-15T17:06:14+00:00 fluentd-9hkb4 mytag - - - {"msgcontent"=>"Message Contents", "timestamp"=>"2020-11-15 17:06:09", "tag_key"=>"rec_tag", "index"=>56}
<15>1 2020-11-16T10:49:37+00:00 crc-j55b9-master-0 mytag - - - namespace_name=clo-test-6327,pod_name=log-generator-ff9746c49-qxm7l,container_name=log-generator,message={"msgcontent":"My life is my message", "timestamp":"2020-11-16 10:49:36", "tag_key":"rec_tag", "index":76}9.4.13.2.
- 참고
9.4.13.3.
9.4.14.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: serviceAccountName: <service_account_name>3 outputs: - name: app-logs4 type: kafka5 url: tls://kafka.example.devlab.com:9093/app-topic6 secret: name: kafka-secret7 - name: infra-logs type: kafka url: tcp://kafka.devlab2.example.com:9093/infra-topic8 - name: audit-logs type: kafka url: tls://kafka.qelab.example.com:9093/audit-topic secret: name: kafka-secret-qe pipelines: - name: app-topic9 inputRefs:10 - application outputRefs:11 - app-logs labels: logType: "application"12 - name: infra-topic13 inputRefs: - infrastructure outputRefs: - infra-logs labels: logType: "infra" - name: audit-topic inputRefs: - audit outputRefs: - audit-logs labels: logType: "audit"# ... spec: outputs: - name: app-logs type: kafka secret: name: kafka-secret-dev kafka:1 brokers:2 - tls://kafka-broker1.example.com:9093/ - tls://kafka-broker2.example.com:9093/ topic: app-topic3 # ...$ oc apply -f <filename>.yaml
9.4.15.
apiVersion: v1 kind: Secret metadata: name: cw-secret namespace: openshift-logging data: aws_access_key_id: QUtJQUlPU0ZPRE5ON0VYQU1QTEUK aws_secret_access_key: d0phbHJYVXRuRkVNSS9LN01ERU5HL2JQeFJmaUNZRVhBTVBMRUtFWQo=$ oc apply -f cw-secret.yamlapiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: serviceAccountName: <service_account_name>3 outputs: - name: cw4 type: cloudwatch5 cloudwatch: groupBy: logType6 groupPrefix: <group prefix>7 region: us-east-28 secret: name: cw-secret9 pipelines: - name: infra-logs10 inputRefs:11 - infrastructure - audit - application outputRefs: - cw12 $ oc create -f <file-name>.yaml
$ oc get Infrastructure/cluster -ojson | jq .status.infrastructureName
"mycluster-7977k"
$ oc run busybox --image=busybox -- sh -c 'while true; do echo "My life is my message"; sleep 3; done'
$ oc logs -f busybox
My life is my message
My life is my message
My life is my message
...
$ oc get ns/app -ojson | jq .metadata.uid
"794e1e1a-b9f5-4958-a190-e76a9b53d7bf"
apiVersion: "logging.openshift.io/v1"
kind: ClusterLogForwarder
metadata:
name: instance
namespace: openshift-logging
spec:
outputs:
- name: cw
type: cloudwatch
cloudwatch:
groupBy: logType
region: us-east-2
secret:
name: cw-secret
pipelines:
- name: all-logs
inputRefs:
- infrastructure
- audit
- application
outputRefs:
- cw
$ aws --output json logs describe-log-groups | jq .logGroups[].logGroupName
"mycluster-7977k.application"
"mycluster-7977k.audit"
"mycluster-7977k.infrastructure"
$ aws --output json logs describe-log-streams --log-group-name mycluster-7977k.application | jq .logStreams[].logStreamName
"kubernetes.var.log.containers.busybox_app_busybox-da085893053e20beddd6747acdbaf98e77c37718f85a7f6a4facf09ca195ad76.log"$ aws --output json logs describe-log-streams --log-group-name mycluster-7977k.audit | jq .logStreams[].logStreamName
"ip-10-0-131-228.us-east-2.compute.internal.k8s-audit.log"
"ip-10-0-131-228.us-east-2.compute.internal.linux-audit.log"
"ip-10-0-131-228.us-east-2.compute.internal.openshift-audit.log"
...$ aws --output json logs describe-log-streams --log-group-name mycluster-7977k.infrastructure | jq .logStreams[].logStreamName
"ip-10-0-131-228.us-east-2.compute.internal.kubernetes.var.log.containers.apiserver-69f9fd9b58-zqzw5_openshift-oauth-apiserver_oauth-apiserver-453c5c4ee026fe20a6139ba6b1cdd1bed25989c905bf5ac5ca211b7cbb5c3d7b.log"
"ip-10-0-131-228.us-east-2.compute.internal.kubernetes.var.log.containers.apiserver-797774f7c5-lftrx_openshift-apiserver_openshift-apiserver-ce51532df7d4e4d5f21c4f4be05f6575b93196336be0027067fd7d93d70f66a4.log"
"ip-10-0-131-228.us-east-2.compute.internal.kubernetes.var.log.containers.apiserver-797774f7c5-lftrx_openshift-apiserver_openshift-apiserver-check-endpoints-82a9096b5931b5c3b1d6dc4b66113252da4a6472c9fff48623baee761911a9ef.log"
...
$ aws logs get-log-events --log-group-name mycluster-7977k.application --log-stream-name kubernetes.var.log.containers.busybox_app_busybox-da085893053e20beddd6747acdbaf98e77c37718f85a7f6a4facf09ca195ad76.log
{
"events": [
{
"timestamp": 1629422704178,
"message": "{\"docker\":{\"container_id\":\"da085893053e20beddd6747acdbaf98e77c37718f85a7f6a4facf09ca195ad76\"},\"kubernetes\":{\"container_name\":\"busybox\",\"namespace_name\":\"app\",\"pod_name\":\"busybox\",\"container_image\":\"docker.io/library/busybox:latest\",\"container_image_id\":\"docker.io/library/busybox@sha256:0f354ec1728d9ff32edcd7d1b8bbdfc798277ad36120dc3dc683be44524c8b60\",\"pod_id\":\"870be234-90a3-4258-b73f-4f4d6e2777c7\",\"host\":\"ip-10-0-216-3.us-east-2.compute.internal\",\"labels\":{\"run\":\"busybox\"},\"master_url\":\"https://kubernetes.default.svc\",\"namespace_id\":\"794e1e1a-b9f5-4958-a190-e76a9b53d7bf\",\"namespace_labels\":{\"kubernetes_io/metadata_name\":\"app\"}},\"message\":\"My life is my message\",\"level\":\"unknown\",\"hostname\":\"ip-10-0-216-3.us-east-2.compute.internal\",\"pipeline_metadata\":{\"collector\":{\"ipaddr4\":\"10.0.216.3\",\"inputname\":\"fluent-plugin-systemd\",\"name\":\"fluentd\",\"received_at\":\"2021-08-20T01:25:08.085760+00:00\",\"version\":\"1.7.4 1.6.0\"}},\"@timestamp\":\"2021-08-20T01:25:04.178986+00:00\",\"viaq_index_name\":\"app-write\",\"viaq_msg_id\":\"NWRjZmUyMWQtZjgzNC00MjI4LTk3MjMtNTk3NmY3ZjU4NDk1\",\"log_type\":\"application\",\"time\":\"2021-08-20T01:25:04+00:00\"}",
"ingestionTime": 1629422744016
},
...
cloudwatch:
groupBy: logType
groupPrefix: demo-group-prefix
region: us-east-2
$ aws --output json logs describe-log-groups | jq .logGroups[].logGroupName
"demo-group-prefix.application"
"demo-group-prefix.audit"
"demo-group-prefix.infrastructure"
cloudwatch:
groupBy: namespaceName
region: us-east-2
$ aws --output json logs describe-log-groups | jq .logGroups[].logGroupName
"mycluster-7977k.app"
"mycluster-7977k.audit"
"mycluster-7977k.infrastructure"
cloudwatch:
groupBy: namespaceUUID
region: us-east-2
$ aws --output json logs describe-log-groups | jq .logGroups[].logGroupName
"mycluster-7977k.794e1e1a-b9f5-4958-a190-e76a9b53d7bf" // uid of the "app" namespace
"mycluster-7977k.audit"
"mycluster-7977k.infrastructure"
9.4.15.1.
$ oc create secret generic cw-sts-secret -n openshift-logging --from-literal=role_arn=arn:aws:iam::123456789012:role/my-role_with-permissionsapiVersion: v1 kind: Secret metadata: namespace: openshift-logging name: my-secret-name stringData: role_arn: arn:aws:iam::123456789012:role/my-role_with-permissions
9.4.16.
apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: name: <your_role_name>-credrequest namespace: openshift-cloud-credential-operator spec: providerSpec: apiVersion: cloudcredential.openshift.io/v1 kind: AWSProviderSpec statementEntries: - action: - logs:PutLogEvents - logs:CreateLogGroup - logs:PutRetentionPolicy - logs:CreateLogStream - logs:DescribeLogGroups - logs:DescribeLogStreams effect: Allow resource: arn:aws:logs:*:*:* secretRef: name: <your_role_name> namespace: openshift-logging serviceAccountNames: - logcollector$ ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_directory_with_list_of_credentials_requests>/credrequests \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com1 $ oc apply -f output/manifests/openshift-logging-<your_role_name>-credentials.yamlapiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <log_forwarder_name>1 namespace: <log_forwarder_namespace>2 spec: serviceAccountName: clf-collector3 outputs: - name: cw4 type: cloudwatch5 cloudwatch: groupBy: logType6 groupPrefix: <group prefix>7 region: us-east-28 secret: name: <your_secret_name>9 pipelines: - name: to-cloudwatch10 inputRefs:11 - infrastructure - audit - application outputRefs: - cw12
9.5.
9.5.1.
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: # ... spec: # ... collection: type: <log_collector_type>1 resources: {} tolerations: {} # ...$ oc apply -f <filename>.yaml
9.5.2.
apiVersion: logging.openshift.io/v1alpha1 kind: LogFileMetricExporter metadata: name: instance namespace: openshift-logging spec: nodeSelector: {}1 resources:2 limits: cpu: 500m memory: 256Mi requests: cpu: 200m memory: 128Mi tolerations: []3 # ...$ oc apply -f <filename>.yaml
$ oc get pods -l app.kubernetes.io/component=logfilesmetricexporter -n openshift-loggingNAME READY STATUS RESTARTS AGE logfilesmetricexporter-9qbjj 1/1 Running 0 2m46s logfilesmetricexporter-cbc4v 1/1 Running 0 2m46s
9.5.3.
$ oc -n openshift-logging edit ClusterLogging instanceapiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: instance namespace: openshift-logging spec: collection: type: fluentd resources: limits:1 memory: 736Mi requests: cpu: 100m memory: 736Mi # ...
9.5.4.
9.5.4.1.
apiVersion: logging.openshift.io/v1beta1 kind: ClusterLogForwarder metadata: # ... spec: serviceAccountName: <service_account_name> inputs: - name: http-receiver1 receiver: type: http2 http: format: kubeAPIAudit3 port: 84434 pipelines:5 - name: http-pipeline inputRefs: - http-receiver # ...apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: inputs: - name: http-receiver1 receiver: type: http2 http: format: kubeAPIAudit3 port: 84434 pipelines:5 - inputRefs: - http-receiver name: http-pipeline # ...$ oc apply -f <filename>.yaml
9.5.5.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$ oc edit ClusterLogging instanceapiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: instance namespace: openshift-logging spec: collection: fluentd: buffer: chunkLimitSize: 8m1 flushInterval: 5s2 flushMode: interval3 flushThreadCount: 34 overflowAction: throw_exception5 retryMaxInterval: "300s"6 retryType: periodic7 retryWait: 1s8 totalLimitSize: 32m9 # ...$ oc get pods -l component=collector -n openshift-logging$ oc extract configmap/collector-config --confirm<buffer> @type file path '/var/lib/fluentd/default' flush_mode interval flush_interval 5s flush_thread_count 3 retry_type periodic retry_wait 1s retry_max_interval 300s retry_timeout 60m queued_chunks_limit_size "#{ENV['BUFFER_QUEUE_LIMIT'] || '32'}" total_limit_size "#{ENV['TOTAL_LIMIT_SIZE_PER_BUFFER'] || '8589934592'}" chunk_limit_size 8m overflow_action throw_exception disable_chunk_backup true </buffer>
9.6.
9.6.1.
apiVersion: template.openshift.io/v1 kind: Template metadata: name: eventrouter-template annotations: description: "A pod forwarding kubernetes events to OpenShift Logging stack." tags: "events,EFK,logging,cluster-logging" objects: - kind: ServiceAccount1 apiVersion: v1 metadata: name: eventrouter namespace: ${NAMESPACE} - kind: ClusterRole2 apiVersion: rbac.authorization.k8s.io/v1 metadata: name: event-reader rules: - apiGroups: [""] resources: ["events"] verbs: ["get", "watch", "list"] - kind: ClusterRoleBinding3 apiVersion: rbac.authorization.k8s.io/v1 metadata: name: event-reader-binding subjects: - kind: ServiceAccount name: eventrouter namespace: ${NAMESPACE} roleRef: kind: ClusterRole name: event-reader - kind: ConfigMap4 apiVersion: v1 metadata: name: eventrouter namespace: ${NAMESPACE} data: config.json: |- { "sink": "stdout" } - kind: Deployment5 apiVersion: apps/v1 metadata: name: eventrouter namespace: ${NAMESPACE} labels: component: "eventrouter" logging-infra: "eventrouter" provider: "openshift" spec: selector: matchLabels: component: "eventrouter" logging-infra: "eventrouter" provider: "openshift" replicas: 1 template: metadata: labels: component: "eventrouter" logging-infra: "eventrouter" provider: "openshift" name: eventrouter spec: serviceAccount: eventrouter containers: - name: kube-eventrouter image: ${IMAGE} imagePullPolicy: IfNotPresent resources: requests: cpu: ${CPU} memory: ${MEMORY} volumeMounts: - name: config-volume mountPath: /etc/eventrouter securityContext: allowPrivilegeEscalation: false capabilities: drop: ["ALL"] securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault volumes: - name: config-volume configMap: name: eventrouter parameters: - name: IMAGE6 displayName: Image value: "registry.redhat.io/openshift-logging/eventrouter-rhel8:v0.4" - name: CPU7 displayName: CPU value: "100m" - name: MEMORY8 displayName: Memory value: "128Mi" - name: NAMESPACE displayName: Namespace value: "openshift-logging"9 $ oc process -f <templatefile> | oc apply -n openshift-logging -f -$ oc process -f eventrouter.yaml | oc apply -n openshift-logging -f -serviceaccount/eventrouter created clusterrole.rbac.authorization.k8s.io/event-reader created clusterrolebinding.rbac.authorization.k8s.io/event-reader-binding created configmap/eventrouter created deployment.apps/eventrouter created$ oc get pods --selector component=eventrouter -o name -n openshift-loggingpod/cluster-logging-eventrouter-d649f97c8-qvv8r$ oc logs <cluster_logging_eventrouter_pod> -n openshift-logging$ oc logs cluster-logging-eventrouter-d649f97c8-qvv8r -n openshift-logging{"verb":"ADDED","event":{"metadata":{"name":"openshift-service-catalog-controller-manager-remover.1632d931e88fcd8f","namespace":"openshift-service-catalog-removed","selfLink":"/api/v1/namespaces/openshift-service-catalog-removed/events/openshift-service-catalog-controller-manager-remover.1632d931e88fcd8f","uid":"787d7b26-3d2f-4017-b0b0-420db4ae62c0","resourceVersion":"21399","creationTimestamp":"2020-09-08T15:40:26Z"},"involvedObject":{"kind":"Job","namespace":"openshift-service-catalog-removed","name":"openshift-service-catalog-controller-manager-remover","uid":"fac9f479-4ad5-4a57-8adc-cb25d3d9cf8f","apiVersion":"batch/v1","resourceVersion":"21280"},"reason":"Completed","message":"Job completed","source":{"component":"job-controller"},"firstTimestamp":"2020-09-08T15:40:26Z","lastTimestamp":"2020-09-08T15:40:26Z","count":1,"type":"Normal"}}
10장.
10.1.
10.1.1.
10.1.1.1.
10.1.2.
10.2.
10.2.1.
10.2.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10.2.1.2.
- 중요
- 참고
10.2.1.3.
apiVersion: v1 kind: Secret metadata: name: logging-loki-s3 namespace: openshift-logging stringData: access_key_id: AKIAIOSFODNN7EXAMPLE access_key_secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY bucketnames: s3-bucket-name endpoint: https://s3.eu-central-1.amazonaws.com region: eu-central-1
10.2.1.4.
apiVersion: loki.grafana.com/v1 kind: LokiStack metadata: name: logging-loki1 namespace: openshift-logging spec: size: 1x.small2 storage: schemas: - version: v12 effectiveDate: '2022-06-01' secret: name: logging-loki-s33 type: s34 storageClassName: <storage_class_name>5 tenants: mode: openshift-logging6
10.2.1.5.
10.2.1.6.
$ oc create secret generic -n openshift-logging <your_secret_name> \ --from-file=tls.key=<your_key_file> --from-file=tls.crt=<your_crt_file> --from-file=ca-bundle.crt=<your_bundle_file> --from-literal=username=<your_username> --from-literal=password=<your_password>
$ oc get secrets
10.2.1.7.
apiVersion: loki.grafana.com/v1 kind: LokiStack metadata: name: logging-loki namespace: openshift-logging spec: size: 1x.small1 storage: schemas: - version: v12 effectiveDate: "2022-06-01" secret: name: logging-loki-s32 type: s33 storageClassName: <storage_class_name>4 tenants: mode: openshift-logging5 $ oc apply -f <filename>.yaml
$ oc get pods -n openshift-loggingNAME READY STATUS RESTARTS AGE cluster-logging-operator-78fddc697-mnl82 1/1 Running 0 14m collector-6cglq 2/2 Running 0 45s collector-8r664 2/2 Running 0 45s collector-8z7px 2/2 Running 0 45s collector-pdxl9 2/2 Running 0 45s collector-tc9dx 2/2 Running 0 45s collector-xkd76 2/2 Running 0 45s logging-loki-compactor-0 1/1 Running 0 8m2s logging-loki-distributor-b85b7d9fd-25j9g 1/1 Running 0 8m2s logging-loki-distributor-b85b7d9fd-xwjs6 1/1 Running 0 8m2s logging-loki-gateway-7bb86fd855-hjhl4 2/2 Running 0 8m2s logging-loki-gateway-7bb86fd855-qjtlb 2/2 Running 0 8m2s logging-loki-index-gateway-0 1/1 Running 0 8m2s logging-loki-index-gateway-1 1/1 Running 0 7m29s logging-loki-ingester-0 1/1 Running 0 8m2s logging-loki-ingester-1 1/1 Running 0 6m46s logging-loki-querier-f5cf9cb87-9fdjd 1/1 Running 0 8m2s logging-loki-querier-f5cf9cb87-fp9v5 1/1 Running 0 8m2s logging-loki-query-frontend-58c579fcb7-lfvbc 1/1 Running 0 8m2s logging-loki-query-frontend-58c579fcb7-tjf9k 1/1 Running 0 8m2s logging-view-plugin-79448d8df6-ckgmx 1/1 Running 0 46s
10.2.2.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10.2.2.1.
$ oc create secret generic logging-loki-aws \ --from-literal=bucketnames="<bucket_name>" \ --from-literal=endpoint="<aws_bucket_endpoint>" \ --from-literal=access_key_id="<aws_access_key_id>" \ --from-literal=access_key_secret="<aws_access_key_secret>" \ --from-literal=region="<aws_region_of_your_bucket>"
10.2.2.2.
$ oc create secret generic logging-loki-azure \ --from-literal=container="<azure_container_name>" \ --from-literal=environment="<azure_environment>" \1 --from-literal=account_name="<azure_account_name>" \ --from-literal=account_key="<azure_account_key>"
10.2.2.3.
$ oc create secret generic logging-loki-gcs \ --from-literal=bucketname="<bucket_name>" \ --from-file=key.json="<path/to/key.json>"
10.2.2.4.
$ oc create secret generic logging-loki-minio \ --from-literal=bucketnames="<bucket_name>" \ --from-literal=endpoint="<minio_bucket_endpoint>" \ --from-literal=access_key_id="<minio_access_key_id>" \ --from-literal=access_key_secret="<minio_access_key_secret>"
10.2.2.5.
apiVersion: objectbucket.io/v1alpha1 kind: ObjectBucketClaim metadata: name: loki-bucket-odf namespace: openshift-logging spec: generateBucketName: loki-bucket-odf storageClassName: openshift-storage.noobaa.ioBUCKET_HOST=$(oc get -n openshift-logging configmap loki-bucket-odf -o jsonpath='{.data.BUCKET_HOST}') BUCKET_NAME=$(oc get -n openshift-logging configmap loki-bucket-odf -o jsonpath='{.data.BUCKET_NAME}') BUCKET_PORT=$(oc get -n openshift-logging configmap loki-bucket-odf -o jsonpath='{.data.BUCKET_PORT}')ACCESS_KEY_ID=$(oc get -n openshift-logging secret loki-bucket-odf -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 -d) SECRET_ACCESS_KEY=$(oc get -n openshift-logging secret loki-bucket-odf -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 -d)$ oc create -n openshift-logging secret generic logging-loki-odf \ --from-literal=access_key_id="<access_key_id>" \ --from-literal=access_key_secret="<secret_access_key>" \ --from-literal=bucketnames="<bucket_name>" \ --from-literal=endpoint="https://<bucket_host>:<bucket_port>"
10.2.2.6.
$ oc create secret generic logging-loki-swift \ --from-literal=auth_url="<swift_auth_url>" \ --from-literal=username="<swift_usernameclaim>" \ --from-literal=user_domain_name="<swift_user_domain_name>" \ --from-literal=user_domain_id="<swift_user_domain_id>" \ --from-literal=user_id="<swift_user_id>" \ --from-literal=password="<swift_password>" \ --from-literal=domain_id="<swift_domain_id>" \ --from-literal=domain_name="<swift_domain_name>" \ --from-literal=container_name="<swift_container_name>"$ oc create secret generic logging-loki-swift \ --from-literal=auth_url="<swift_auth_url>" \ --from-literal=username="<swift_usernameclaim>" \ --from-literal=user_domain_name="<swift_user_domain_name>" \ --from-literal=user_domain_id="<swift_user_domain_id>" \ --from-literal=user_id="<swift_user_id>" \ --from-literal=password="<swift_password>" \ --from-literal=domain_id="<swift_domain_id>" \ --from-literal=domain_name="<swift_domain_name>" \ --from-literal=container_name="<swift_container_name>" \ --from-literal=project_id="<swift_project_id>" \ --from-literal=project_name="<swift_project_name>" \ --from-literal=project_domain_id="<swift_project_domain_id>" \ --from-literal=project_domain_name="<swift_project_domain_name>" \ --from-literal=region="<swift_region>"
10.2.3.
10.2.3.1.
10.2.3.2.
- 참고
10.2.3.3.
- 참고
apiVersion: v1 kind: Namespace metadata: name: openshift-operators-redhat1 annotations: openshift.io/node-selector: "" labels: openshift.io/cluster-monitoring: "true"2 $ oc apply -f <filename>.yamlapiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: openshift-operators-redhat namespace: openshift-operators-redhat1 spec: {}$ oc apply -f <filename>.yamlapiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: elasticsearch-operator namespace: openshift-operators-redhat1 spec: channel: stable-x.y2 installPlanApproval: Automatic3 source: redhat-operators4 sourceNamespace: openshift-marketplace name: elasticsearch-operator참고$ oc apply -f <filename>.yaml
$ oc get csv -n --all-namespacesNAMESPACE NAME DISPLAY VERSION REPLACES PHASE default elasticsearch-operator.v5.8.1 OpenShift Elasticsearch Operator 5.8.1 elasticsearch-operator.v5.8.0 Succeeded kube-node-lease elasticsearch-operator.v5.8.1 OpenShift Elasticsearch Operator 5.8.1 elasticsearch-operator.v5.8.0 Succeeded kube-public elasticsearch-operator.v5.8.1 OpenShift Elasticsearch Operator 5.8.1 elasticsearch-operator.v5.8.0 Succeeded kube-system elasticsearch-operator.v5.8.1 OpenShift Elasticsearch Operator 5.8.1 elasticsearch-operator.v5.8.0 Succeeded non-destructive-test elasticsearch-operator.v5.8.1 OpenShift Elasticsearch Operator 5.8.1 elasticsearch-operator.v5.8.0 Succeeded openshift-apiserver-operator elasticsearch-operator.v5.8.1 OpenShift Elasticsearch Operator 5.8.1 elasticsearch-operator.v5.8.0 Succeeded openshift-apiserver elasticsearch-operator.v5.8.1 OpenShift Elasticsearch Operator 5.8.1 elasticsearch-operator.v5.8.0 Succeeded ...
10.2.4.
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: # ... spec: # ... logStore: type: <log_store_type>1 elasticsearch:2 nodeCount: <integer> resources: {} storage: {} redundancyPolicy: <redundancy_type>3 lokistack:4 name: {} # ...apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: instance namespace: openshift-logging spec: managementState: Managed logStore: type: lokistack lokistack: name: logging-loki # ...$ oc apply -f <filename>.yaml
10.3.
10.3.1.
$ oc adm groups new cluster-admin$ oc adm groups add-users cluster-admin <username>$ oc adm policy add-cluster-role-to-group cluster-admin cluster-admin
10.3.2.
10.3.3.
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
name: logging-loki
namespace: openshift-logging
spec:
# ...
template:
ingester:
podAntiAffinity:
# ...
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/component: ingester
topologyKey: kubernetes.io/hostname
# ...10.3.4.
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
name: logging-loki
namespace: openshift-logging
spec:
replicationFactor: 2
replication:
factor: 2
zones:
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone 10.3.4.1.
oc get pods --field-selector status.phase==Pending -n openshift-loggingNAME READY STATUS RESTARTS AGE1 logging-loki-index-gateway-1 0/1 Pending 0 17m logging-loki-ingester-1 0/1 Pending 0 16m logging-loki-ruler-1 0/1 Pending 0 16moc get pvc -o=json -n openshift-logging | jq '.items[] | select(.status.phase == "Pending") | .metadata.name' -rstorage-logging-loki-index-gateway-1 storage-logging-loki-ingester-1 wal-logging-loki-ingester-1 storage-logging-loki-ruler-1 wal-logging-loki-ruler-1oc delete pvc __<pvc_name>__ -n openshift-loggingoc delete pod __<pod_name>__ -n openshift-logging
10.3.4.1.1.
oc patch pvc __<pvc_name>__ -p '{"metadata":{"finalizers":null}}' -n openshift-logging
10.3.5.
10.3.5.1.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: logging-all-application-logs-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-logging-application-view
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io10.3.5.2.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: allow-read-logs
namespace: log-test-0
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-logging-application-view
subjects:
- kind: User
apiGroup: rbac.authorization.k8s.io
name: testuser-010.3.5.3.
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
name: logging-loki
namespace: openshift-logging
spec:
tenants:
mode: openshift-logging
openshift:
adminGroups:
- cluster-admin
- custom-admin-group 10.3.6.
apiVersion: loki.grafana.com/v1 kind: LokiStack metadata: name: logging-loki namespace: openshift-logging spec: limits: global:1 retention:2 days: 20 streams: - days: 4 priority: 1 selector: '{kubernetes_namespace_name=~"test.+"}'3 - days: 1 priority: 1 selector: '{log_type="infrastructure"}' managementState: Managed replicationFactor: 1 size: 1x.small storage: schemas: - effectiveDate: "2020-10-11" version: v11 secret: name: logging-loki-s3 type: aws storageClassName: standard tenants: mode: openshift-loggingapiVersion: loki.grafana.com/v1 kind: LokiStack metadata: name: logging-loki namespace: openshift-logging spec: limits: global: retention: days: 20 tenants:1 application: retention: days: 1 streams: - days: 4 selector: '{kubernetes_namespace_name=~"test.+"}'2 infrastructure: retention: days: 5 streams: - days: 1 selector: '{kubernetes_namespace_name=~"openshift-cluster.+"}' managementState: Managed replicationFactor: 1 size: 1x.small storage: schemas: - effectiveDate: "2020-10-11" version: v11 secret: name: logging-loki-s3 type: aws storageClassName: standard tenants: mode: openshift-logging$ oc apply -f <filename>.yaml
10.3.7.
"values":[["1630410392689800468","{\"kind\":\"Event\",\"apiVersion\":\ ....... ...... ...... ...... \"received_at\":\"2021-08-31T11:46:32.800278+00:00\",\"version\":\"1.7.4 1.6.0\"}},\"@timestamp\":\"2021-08-31T11:46:32.799692+00:00\",\"viaq_index_name\":\"audit-write\",\"viaq_msg_id\":\"MzFjYjJkZjItNjY0MC00YWU4LWIwMTEtNGNmM2E5ZmViMGU4\",\"log_type\":\"audit\"}"]]}]}429 Too Many Requests Ingestion rate limit exceeded2023-08-25T16:08:49.301780Z WARN sink{component_kind="sink" component_id=default_loki_infra component_type=loki component_name=default_loki_infra}: vector::sinks::util::retries: Retrying after error. error=Server responded with an error: 429 Too Many Requests internal_log_rate_limit=true2023-08-30 14:52:15 +0000 [warn]: [default_loki_infra] failed to flush the buffer. retry_times=2 next_retry_time=2023-08-30 14:52:19 +0000 chunk="604251225bf5378ed1567231a1c03b8b" error_class=Fluent::Plugin::LokiOutput::LogPostError error="429 Too Many Requests Ingestion rate limit exceeded for user infrastructure (limit: 4194304 bytes/sec) while attempting to ingest '4082' lines totaling '7820025' bytes, reduce log volume or contact your Loki administrator to see if the limit can be increased\n"level=warn ts=2023-08-30T14:57:34.155592243Z caller=grpc_logging.go:43 duration=1.434942ms method=/logproto.Pusher/Push err="rpc error: code = Code(429) desc = entry with timestamp 2023-08-30 14:57:32.012778399 +0000 UTC ignored, reason: 'Per stream rate limit exceeded (limit: 3MB/sec) while attempting to ingest for stream
10.3.8.
$ oc patch LokiStack logging-loki -n openshift-logging --type=merge -p '{"spec": {"hashRing":{"memberlist":{"instanceAddrType":"podIP","type": "memberlist"}}}}'
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
name: logging-loki
namespace: openshift-logging
spec:
# ...
hashRing:
type: memberlist
memberlist:
instanceAddrType: podIP
# ...10.4.
10.4.1.
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: # ... spec: # ... logStore: type: <log_store_type>1 elasticsearch:2 nodeCount: <integer> resources: {} storage: {} redundancyPolicy: <redundancy_type>3 lokistack:4 name: {} # ...apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: instance namespace: openshift-logging spec: managementState: Managed logStore: type: lokistack lokistack: name: logging-loki # ...$ oc apply -f <filename>.yaml
10.4.2.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: pipelines:1 - name: all-to-default inputRefs: - infrastructure - application - audit outputRefs: - default참고apiVersion: "logging.openshift.io/v1" kind: ClusterLogForwarder metadata: name: instance namespace: openshift-logging spec: outputs: - name: elasticsearch-insecure type: "elasticsearch" url: http://elasticsearch-insecure.messaging.svc.cluster.local insecure: true - name: elasticsearch-secure type: "elasticsearch" url: https://elasticsearch-secure.messaging.svc.cluster.local secret: name: es-audit - name: secureforward-offcluster type: "fluentdForward" url: https://secureforward.offcluster.com:24224 secret: name: secureforward pipelines: - name: container-logs inputRefs: - application outputRefs: - secureforward-offcluster - name: infra-logs inputRefs: - infrastructure outputRefs: - elasticsearch-insecure - name: audit-logs inputRefs: - audit outputRefs: - elasticsearch-secure - default1
10.4.3.
apiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" ... spec: managementState: "Managed" logStore: type: "elasticsearch" retentionPolicy:1 application: maxAge: 1d infra: maxAge: 7d audit: maxAge: 7d elasticsearch: nodeCount: 3 ...apiVersion: "logging.openshift.io/v1" kind: "Elasticsearch" metadata: name: "elasticsearch" spec: ... indexManagement: policies:1 - name: infra-policy phases: delete: minAge: 7d2 hot: actions: rollover: maxAge: 8h3 pollInterval: 15m4 ...참고$ oc get cronjobNAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE elasticsearch-im-app */15 * * * * False 0 <none> 4s elasticsearch-im-audit */15 * * * * False 0 <none> 4s elasticsearch-im-infra */15 * * * * False 0 <none> 4s
10.4.4.
$ oc edit ClusterLogging instanceapiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" metadata: name: "instance" .... spec: logStore: type: "elasticsearch" elasticsearch:1 resources: limits:2 memory: "32Gi" requests:3 cpu: "1" memory: "16Gi" proxy:4 resources: limits: memory: 100Mi requests: memory: 100Mi
resources:
limits:
memory: "32Gi"
requests:
cpu: "8"
memory: "32Gi"
10.4.5.
$ oc -n openshift-logging edit ClusterLogging instanceapiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" metadata: name: "instance" .... spec: logStore: type: "elasticsearch" elasticsearch: redundancyPolicy: "SingleRedundancy"1
10.4.6.
10.4.7.
apiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" metadata: name: "instance" # ... spec: logStore: type: "elasticsearch" elasticsearch: nodeCount: 3 storage: storageClassName: "gp2" size: "200G"
10.4.8.
spec: logStore: type: "elasticsearch" elasticsearch: nodeCount: 3 storage: {}
10.4.9.
$ oc project openshift-logging$ oc get pods -l component=elasticsearch$ oc -n openshift-logging patch daemonset/collector -p '{"spec":{"template":{"spec":{"nodeSelector":{"logging-infra-collector": "false"}}}}}'$ oc exec <any_es_pod_in_the_cluster> -c elasticsearch -- es_util --query="_flush/synced" -XPOST$ oc exec -c elasticsearch-cdm-5ceex6ts-1-dcd6c4c7c-jpw6 -c elasticsearch -- es_util --query="_flush/synced" -XPOST{"_shards":{"total":4,"successful":4,"failed":0},".security":{"total":2,"successful":2,"failed":0},".kibana_1":{"total":2,"successful":2,"failed":0}}$ oc exec <any_es_pod_in_the_cluster> -c elasticsearch -- es_util --query="_cluster/settings" -XPUT -d '{ "persistent": { "cluster.routing.allocation.enable" : "primaries" } }'$ oc exec elasticsearch-cdm-5ceex6ts-1-dcd6c4c7c-jpw6 -c elasticsearch -- es_util --query="_cluster/settings" -XPUT -d '{ "persistent": { "cluster.routing.allocation.enable" : "primaries" } }'{"acknowledged":true,"persistent":{"cluster":{"routing":{"allocation":{"enable":"primaries"}}}},"transient":$ oc rollout resume deployment/<deployment-name>$ oc rollout resume deployment/elasticsearch-cdm-0-1deployment.extensions/elasticsearch-cdm-0-1 resumed$ oc get pods -l component=elasticsearch-NAME READY STATUS RESTARTS AGE elasticsearch-cdm-5ceex6ts-1-dcd6c4c7c-jpw6k 2/2 Running 0 22h elasticsearch-cdm-5ceex6ts-2-f799564cb-l9mj7 2/2 Running 0 22h elasticsearch-cdm-5ceex6ts-3-585968dc68-k7kjr 2/2 Running 0 22h$ oc rollout pause deployment/<deployment-name>$ oc rollout pause deployment/elasticsearch-cdm-0-1deployment.extensions/elasticsearch-cdm-0-1 paused$ oc exec <any_es_pod_in_the_cluster> -c elasticsearch -- es_util --query=_cluster/health?pretty=true참고$ oc exec elasticsearch-cdm-5ceex6ts-1-dcd6c4c7c-jpw6 -c elasticsearch -- es_util --query=_cluster/health?pretty=true{ "cluster_name" : "elasticsearch", "status" : "yellow",1 "timed_out" : false, "number_of_nodes" : 3, "number_of_data_nodes" : 3, "active_primary_shards" : 8, "active_shards" : 16, "relocating_shards" : 0, "initializing_shards" : 0, "unassigned_shards" : 1, "delayed_unassigned_shards" : 0, "number_of_pending_tasks" : 0, "number_of_in_flight_fetch" : 0, "task_max_waiting_in_queue_millis" : 0, "active_shards_percent_as_number" : 100.0 }
$ oc exec <any_es_pod_in_the_cluster> -c elasticsearch -- es_util --query="_cluster/settings" -XPUT -d '{ "persistent": { "cluster.routing.allocation.enable" : "all" } }'$ oc exec elasticsearch-cdm-5ceex6ts-1-dcd6c4c7c-jpw6 -c elasticsearch -- es_util --query="_cluster/settings" -XPUT -d '{ "persistent": { "cluster.routing.allocation.enable" : "all" } }'{ "acknowledged" : true, "persistent" : { }, "transient" : { "cluster" : { "routing" : { "allocation" : { "enable" : "all" } } } } }$ oc -n openshift-logging patch daemonset/collector -p '{"spec":{"template":{"spec":{"nodeSelector":{"logging-infra-collector": "true"}}}}}'
10.4.10.
$ oc get service elasticsearch -o jsonpath={.spec.clusterIP} -n openshift-logging
172.30.183.229$ oc get service elasticsearch -n openshift-logging
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elasticsearch ClusterIP 172.30.183.229 <none> 9200/TCP 22h
$ oc exec elasticsearch-cdm-oplnhinv-1-5746475887-fj2f8 -n openshift-logging -- curl -tlsv1.2 --insecure -H "Authorization: Bearer ${token}" "https://172.30.183.229:9200/_cat/health"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 29 100 29 0 0 108 0 --:--:-- --:--:-- --:--:-- 108
$ oc project openshift-logging$ oc extract secret/elasticsearch --to=. --keys=admin-caadmin-caapiVersion: route.openshift.io/v1 kind: Route metadata: name: elasticsearch namespace: openshift-logging spec: host: to: kind: Service name: elasticsearch tls: termination: reencrypt destinationCACertificate: |1 $ cat ./admin-ca | sed -e "s/^/ /" >> <file-name>.yaml$ oc create -f <file-name>.yamlroute.route.openshift.io/elasticsearch created
$ token=$(oc whoami -t)$ routeES=`oc get route elasticsearch -o jsonpath={.spec.host}`curl -tlsv1.2 --insecure -H "Authorization: Bearer ${token}" "https://${routeES}"{ "name" : "elasticsearch-cdm-i40ktba0-1", "cluster_name" : "elasticsearch", "cluster_uuid" : "0eY-tJzcR3KOdpgeMJo-MQ", "version" : { "number" : "6.8.1", "build_flavor" : "oss", "build_type" : "zip", "build_hash" : "Unknown", "build_date" : "Unknown", "build_snapshot" : true, "lucene_version" : "7.7.0", "minimum_wire_compatibility_version" : "5.6.0", "minimum_index_compatibility_version" : "5.0.0" }, "<tagline>" : "<for search>" }
10.4.11.
outputRefs: - default
$ oc edit ClusterLogging instanceapiVersion: "logging.openshift.io/v1" kind: "ClusterLogging" metadata: name: "instance" namespace: "openshift-logging" spec: managementState: "Managed" collection: type: "fluentd" fluentd: {}$ oc get pods -l component=collector -n openshift-logging
11장.
11.1.
11.1.1.
11.1.2.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
11.1.3.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
11.1.4.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
11.1.5.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
12장.
12.1.
12.1.1.
12.1.2.
12.1.3.
12.1.4.
apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: # ... spec: # ... inputs: - name: <input_name>1 application: selector: matchLabels: { example: label }2 containerLimit: maxRecordsPerSecond: 03 # ...apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: # ... spec: # ... inputs: - name: <input_name>1 application: namespaces: [ example-ns-1, example-ns-2 ]2 containerLimit: maxRecordsPerSecond: 103 - name: <input_name> application: namespaces: [ test ] containerLimit: maxRecordsPerSecond: 1000 # ...$ oc apply -f <filename>.yaml
13장.
13.1.
13.1.1.
- 참고
kind: Node apiVersion: v1 metadata: name: ip-10-0-131-14.ec2.internal selfLink: /api/v1/nodes/ip-10-0-131-14.ec2.internal uid: 7bc2580a-8b8e-11e9-8e01-021ab4174c74 resourceVersion: '478704' creationTimestamp: '2019-06-10T14:46:08Z' labels: kubernetes.io/os: linux failure-domain.beta.kubernetes.io/zone: us-east-1a node.openshift.io/os_version: '4.5' node-role.kubernetes.io/worker: '' failure-domain.beta.kubernetes.io/region: us-east-1 node.openshift.io/os_id: rhcos beta.kubernetes.io/instance-type: m4.large kubernetes.io/hostname: ip-10-0-131-14 beta.kubernetes.io/arch: amd64 region: east1 type: user-node #...apiVersion: v1 kind: Pod metadata: name: s1 #... spec: nodeSelector:1 region: east type: user-node #... apiVersion: config.openshift.io/v1 kind: Scheduler metadata: name: cluster #... spec: defaultNodeSelector: type=user-node,region=east #...apiVersion: v1 kind: Node metadata: name: ci-ln-qg1il3k-f76d1-hlmhl-worker-b-df2s4 #... labels: region: east type: user-node #...apiVersion: v1 kind: Pod metadata: name: s1 #... spec: nodeSelector: region: east #...NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES pod-s1 1/1 Running 0 20s 10.131.2.6 ci-ln-qg1il3k-f76d1-hlmhl-worker-b-df2s4 <none> <none>참고
apiVersion: v1 kind: Namespace metadata: name: east-region annotations: openshift.io/node-selector: "region=east" #...apiVersion: v1 kind: Node metadata: name: ci-ln-qg1il3k-f76d1-hlmhl-worker-b-df2s4 #... labels: region: east type: user-node #...apiVersion: v1 kind: Pod metadata: namespace: east-region #... spec: nodeSelector: region: east type: user-node #...NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES pod-s1 1/1 Running 0 20s 10.131.2.6 ci-ln-qg1il3k-f76d1-hlmhl-worker-b-df2s4 <none> <none>apiVersion: v1 kind: Pod metadata: name: west-region #... spec: nodeSelector: region: west #...
13.1.2.
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
name: logging-loki
namespace: openshift-logging
spec:
# ...
template:
compactor:
nodeSelector:
node-role.kubernetes.io/infra: ""
distributor:
nodeSelector:
node-role.kubernetes.io/infra: ""
gateway:
nodeSelector:
node-role.kubernetes.io/infra: ""
indexGateway:
nodeSelector:
node-role.kubernetes.io/infra: ""
ingester:
nodeSelector:
node-role.kubernetes.io/infra: ""
querier:
nodeSelector:
node-role.kubernetes.io/infra: ""
queryFrontend:
nodeSelector:
node-role.kubernetes.io/infra: ""
ruler:
nodeSelector:
node-role.kubernetes.io/infra: ""
# ...
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
name: logging-loki
namespace: openshift-logging
spec:
# ...
template:
compactor:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
distributor:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
indexGateway:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
ingester:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
querier:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
queryFrontend:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
ruler:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
gateway:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
# ...
$ oc explain lokistack.spec.template
KIND: LokiStack
VERSION: loki.grafana.com/v1
RESOURCE: template <Object>
DESCRIPTION:
Template defines the resource/limits/tolerations/nodeselectors per
component
FIELDS:
compactor <Object>
Compactor defines the compaction component spec.
distributor <Object>
Distributor defines the distributor component spec.
...
$ oc explain lokistack.spec.template.compactor
KIND: LokiStack
VERSION: loki.grafana.com/v1
RESOURCE: compactor <Object>
DESCRIPTION:
Compactor defines the compaction component spec.
FIELDS:
nodeSelector <map[string]string>
NodeSelector defines the labels required by a node to schedule the
component onto it.
...13.1.3.
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: <name>1 namespace: <namespace>2 spec: managementState: "Managed" collection: type: "vector" tolerations: - key: "logging" operator: "Exists" effect: "NoExecute" tolerationSeconds: 6000 resources: limits: memory: 1Gi requests: cpu: 100m memory: 1Gi nodeSelector: collector: needed # ...$ oc apply -f <filename>.yaml
13.1.4.
$ oc get pods --selector component=collector -o wide -n <project_name>NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES collector-8d69v 1/1 Running 0 134m 10.130.2.30 master1.example.com <none> <none> collector-bd225 1/1 Running 0 134m 10.131.1.11 master2.example.com <none> <none> collector-cvrzs 1/1 Running 0 134m 10.130.0.21 master3.example.com <none> <none> collector-gpqg2 1/1 Running 0 134m 10.128.2.27 worker1.example.com <none> <none> collector-l9j7j 1/1 Running 0 134m 10.129.2.31 worker2.example.com <none> <none>
13.2.
13.2.1.
apiVersion: v1
kind: Node
metadata:
name: my-node
#...
spec:
taints:
- effect: NoExecute
key: key1
value: value1
#...
apiVersion: v1
kind: Pod
metadata:
name: my-pod
#...
spec:
tolerations:
- key: "key1"
operator: "Equal"
value: "value1"
effect: "NoExecute"
tolerationSeconds: 3600
#...
|
|
| ||||||
|
|
| ||||||
|
|
| ||||||
|
|
|
apiVersion: v1 kind: Node metadata: annotations: machine.openshift.io/machine: openshift-machine-api/ci-ln-62s7gtb-f76d1-v8jxv-master-0 machineconfiguration.openshift.io/currentConfig: rendered-master-cdc1ab7da414629332cc4c3926e6e59c name: my-node #... spec: taints: - effect: NoSchedule key: node-role.kubernetes.io/master #...
- 중요
13.2.2.
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
name: logging-loki
namespace: openshift-logging
spec:
# ...
template:
compactor:
nodeSelector:
node-role.kubernetes.io/infra: ""
distributor:
nodeSelector:
node-role.kubernetes.io/infra: ""
gateway:
nodeSelector:
node-role.kubernetes.io/infra: ""
indexGateway:
nodeSelector:
node-role.kubernetes.io/infra: ""
ingester:
nodeSelector:
node-role.kubernetes.io/infra: ""
querier:
nodeSelector:
node-role.kubernetes.io/infra: ""
queryFrontend:
nodeSelector:
node-role.kubernetes.io/infra: ""
ruler:
nodeSelector:
node-role.kubernetes.io/infra: ""
# ...
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
name: logging-loki
namespace: openshift-logging
spec:
# ...
template:
compactor:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
distributor:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
indexGateway:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
ingester:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
querier:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
queryFrontend:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
ruler:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
gateway:
nodeSelector:
node-role.kubernetes.io/infra: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/infra
value: reserved
- effect: NoExecute
key: node-role.kubernetes.io/infra
value: reserved
# ...
$ oc explain lokistack.spec.template
KIND: LokiStack
VERSION: loki.grafana.com/v1
RESOURCE: template <Object>
DESCRIPTION:
Template defines the resource/limits/tolerations/nodeselectors per
component
FIELDS:
compactor <Object>
Compactor defines the compaction component spec.
distributor <Object>
Distributor defines the distributor component spec.
...
$ oc explain lokistack.spec.template.compactor
KIND: LokiStack
VERSION: loki.grafana.com/v1
RESOURCE: compactor <Object>
DESCRIPTION:
Compactor defines the compaction component spec.
FIELDS:
nodeSelector <map[string]string>
NodeSelector defines the labels required by a node to schedule the
component onto it.
...13.2.3.
apiVersion: v1
kind: Pod
metadata:
name: collector-example
namespace: openshift-logging
spec:
# ...
collection:
type: vector
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/disk-pressure
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/memory-pressure
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/pid-pressure
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/unschedulable
operator: Exists
# ...$ oc adm taint nodes <node_name> <key>=<value>:<effect>$ oc adm taint nodes node1 collector=node:NoExecuteapiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: # ... spec: # ... collection: type: vector tolerations: - key: collector1 operator: Exists2 effect: NoExecute3 tolerationSeconds: 60004 resources: limits: memory: 2Gi requests: cpu: 100m memory: 1Gi # ...
13.2.4.
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: <name>1 namespace: <namespace>2 spec: managementState: "Managed" collection: type: "vector" tolerations: - key: "logging" operator: "Exists" effect: "NoExecute" tolerationSeconds: 6000 resources: limits: memory: 1Gi requests: cpu: 100m memory: 1Gi nodeSelector: collector: needed # ...$ oc apply -f <filename>.yaml
13.2.5.
$ oc get pods --selector component=collector -o wide -n <project_name>NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES collector-8d69v 1/1 Running 0 134m 10.130.2.30 master1.example.com <none> <none> collector-bd225 1/1 Running 0 134m 10.131.1.11 master2.example.com <none> <none> collector-cvrzs 1/1 Running 0 134m 10.130.0.21 master3.example.com <none> <none> collector-gpqg2 1/1 Running 0 134m 10.128.2.27 worker1.example.com <none> <none> collector-l9j7j 1/1 Running 0 134m 10.129.2.31 worker2.example.com <none> <none>
14장.
14.1.
- 주의
- 주의
14.2.
14.3.
- 중요
14.4.
- 중요
14.5.
$ oc get subscription.operators.coreos.com serverless-operator -n openshift-serverless -o yaml | grep currentCSVcurrentCSV: serverless-operator.v1.28.0$ oc delete subscription.operators.coreos.com serverless-operator -n openshift-serverlesssubscription.operators.coreos.com "serverless-operator" deleted$ oc delete clusterserviceversion serverless-operator.v1.28.0 -n openshift-serverlessclusterserviceversion.operators.coreos.com "serverless-operator.v1.28.0" deleted
15장.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
16장.
|
|
|
|
|
|
|
|
|
17장.
|
|
|
17.1.
|
|
|
17.2.
|
|
|
17.3.
|
|
|
17.4.
|
|
|
17.5.
|
|
|
17.6.
|
|
|
17.7.
|
|
|
17.8.
|
|
|
17.9.
|
|
|
17.9.1.
|
|
|
|
|
|
17.9.2.
|
|
|
17.9.2.1.
|
|
|
|
|
|
17.9.2.2.
|
|
|
|
|
|
17.9.2.3.
|
|
|
|
|
|
17.9.2.4.
|
|
|
|
|
|
17.9.2.5.
|
|
|
|
|
|
17.9.3.
|
|
|
17.9.3.1.
|
|
|
|
|
|
17.9.3.2.
|
|
|
|
|
|
17.9.3.3.
|
|
|
|
|
|
17.9.3.4.
|
|
|
|
|
|
17.9.3.5.
|
|
|
|
|
|
17.9.3.6.
|
|
|
|
|
|
17.9.4.
|
|
|
|
|
|
17.9.5.
|
|
|
|
|
|
17.9.6.
|
|
|
|
|
|
17.9.7.
|
|
|
|
|
|
17.9.8.
|
|
|
|
|
|
18장.
|
|
|
18.1.
|
|
|
19장.
19.1.
19.1.1.
19.1.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.1.
19.1.1.1.1.1.
19.1.1.1.1.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.2.
19.1.1.1.2.1.
19.1.1.1.2.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.3.
19.1.1.1.3.1.
19.1.1.1.3.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.4.
19.1.1.1.4.1.
19.1.1.1.4.1.1.
19.1.1.1.5.
19.1.1.1.5.1.
19.1.1.1.5.1.1.
|
|
|
|
19.1.1.1.6.
19.1.1.1.6.1.
19.1.1.1.6.1.1.
19.1.1.1.7.
19.1.1.1.7.1.
19.1.1.1.7.1.1.
|
|
|
|
19.1.1.1.8.
19.1.1.1.8.1.
19.1.1.1.8.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.9.
19.1.1.1.9.1.
19.1.1.1.9.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.10.
19.1.1.1.10.1.
19.1.1.1.10.1.1.
|
|
|
|
19.1.1.1.11.
19.1.1.1.11.1.
19.1.1.1.11.1.1.
|
|
|
|
19.1.1.1.12.
19.1.1.1.12.1.
19.1.1.1.12.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.13.
19.1.1.1.13.1.
19.1.1.1.13.1.1.
19.1.1.1.14.
19.1.1.1.14.1.
19.1.1.1.14.1.1.
19.1.1.1.15.
19.1.1.1.15.1.
19.1.1.1.15.1.1.
19.1.1.1.16.
19.1.1.1.16.1.
19.1.1.1.16.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.17.
19.1.1.1.17.1.
19.1.1.1.17.1.1.
19.1.1.1.18.
19.1.1.1.18.1.
19.1.1.1.18.1.1.
19.1.1.1.19.
19.1.1.1.19.1.
19.1.1.1.19.1.1.
19.1.1.1.20.
19.1.1.1.20.1.
19.1.1.1.20.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.21.
19.1.1.1.21.1.
19.1.1.1.21.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.22.
19.1.1.1.22.1.
19.1.1.1.22.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.23.
19.1.1.1.23.1.
19.1.1.1.23.1.1.
|
|
| |
|
|
|
19.1.1.1.24.
19.1.1.1.24.1.
19.1.1.1.24.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.25.
19.1.1.1.25.1.
19.1.1.1.25.1.1.
|
|
|
|
19.1.1.1.26.
19.1.1.1.26.1.
19.1.1.1.26.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.27.
19.1.1.1.27.1.
19.1.1.1.27.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.28.
19.1.1.1.28.1.
19.1.1.1.28.1.1.
19.1.1.1.29.
19.1.1.1.29.1.
19.1.1.1.29.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.30.
19.1.1.1.30.1.
19.1.1.1.30.1.1.
19.1.1.1.31.
19.1.1.1.31.1.
19.1.1.1.31.1.1.
19.1.1.1.32.
19.1.1.1.32.1.
19.1.1.1.32.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.33.
19.1.1.1.33.1.
19.1.1.1.33.1.1.
19.1.1.1.34.
19.1.1.1.34.1.
19.1.1.1.34.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.35.
19.1.1.1.35.1.
19.1.1.1.35.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.36.
19.1.1.1.36.1.
19.1.1.1.36.1.1.
19.1.1.1.37.
19.1.1.1.37.1.
19.1.1.1.37.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.38.
19.1.1.1.38.1.
19.1.1.1.38.1.1.
19.1.1.1.39.
19.1.1.1.39.1.
19.1.1.1.39.1.1.
19.1.1.1.40.
19.1.1.1.40.1.
19.1.1.1.40.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.41.
19.1.1.1.41.1.
19.1.1.1.41.1.1.
19.1.1.1.42.
19.1.1.1.42.1.
19.1.1.1.42.1.1.
|
|
|
19.1.1.1.43.
19.1.1.1.43.1.
19.1.1.1.43.1.1.
|
|
| |
|
|
|
19.1.1.1.44.
19.1.1.1.44.1.
19.1.1.1.44.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.45.
19.1.1.1.45.1.
19.1.1.1.45.1.1.
|
|
|
|
19.1.1.1.46.
19.1.1.1.46.1.
19.1.1.1.46.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.47.
19.1.1.1.47.1.
19.1.1.1.47.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.48.
19.1.1.1.48.1.
19.1.1.1.48.1.1.
19.1.1.1.49.
19.1.1.1.49.1.
19.1.1.1.49.1.1.
|
|
|
19.1.1.1.50.
19.1.1.1.50.1.
19.1.1.1.50.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.51.
19.1.1.1.51.1.
19.1.1.1.51.1.1.
19.1.1.1.52.
19.1.1.1.52.1.
19.1.1.1.52.1.1.
19.1.1.1.53.
19.1.1.1.53.1.
19.1.1.1.53.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.54.
19.1.1.1.54.1.
19.1.1.1.54.1.1.
19.1.1.1.55.
19.1.1.1.55.1.
19.1.1.1.55.1.1.
19.1.1.1.56.
19.1.1.1.56.1.
19.1.1.1.56.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.57.
19.1.1.1.57.1.
19.1.1.1.57.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.58.
19.1.1.1.58.1.
19.1.1.1.58.1.1.
|
|
|
19.1.1.1.59.
19.1.1.1.59.1.
19.1.1.1.59.1.1.
|
|
| |
|
|
|
19.1.1.1.60.
19.1.1.1.60.1.
19.1.1.1.60.1.1.
|
|
|
|
|
|
|
19.1.1.1.61.
19.1.1.1.61.1.
19.1.1.1.61.1.1.
19.1.1.1.62.
19.1.1.1.62.1.
19.1.1.1.62.1.1.
|
|
| |
|
|
|
19.1.1.1.63.
19.1.1.1.63.1.
19.1.1.1.63.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.64.
19.1.1.1.64.1.
19.1.1.1.64.1.1.
19.1.1.1.65.
19.1.1.1.65.1.
19.1.1.1.65.1.1.
|
|
|
|
19.1.1.1.66.
19.1.1.1.66.1.
19.1.1.1.66.1.1.
|
|
| |
|
|
| |
|
|
|
19.1.1.1.67.
19.1.1.1.67.1.
19.1.1.1.67.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.68.
19.1.1.1.68.1.
19.1.1.1.68.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.69.
19.1.1.1.69.1.
19.1.1.1.69.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.70.
19.1.1.1.70.1.
19.1.1.1.70.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.71.
19.1.1.1.71.1.
19.1.1.1.71.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.72.
19.1.1.1.72.1.
19.1.1.1.72.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.73.
19.1.1.1.73.1.
19.1.1.1.73.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.74.
19.1.1.1.74.1.
19.1.1.1.74.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.75.
19.1.1.1.75.1.
19.1.1.1.75.1.1.
19.1.1.1.76.
19.1.1.1.76.1.
19.1.1.1.76.1.1.
|
|
|
19.1.1.1.77.
19.1.1.1.77.1.
19.1.1.1.77.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.78.
19.1.1.1.78.1.
19.1.1.1.78.1.1.
19.1.1.1.79.
19.1.1.1.79.1.
19.1.1.1.79.1.1.
19.1.1.1.80.
19.1.1.1.80.1.
19.1.1.1.80.1.1.
19.1.1.1.81.
19.1.1.1.81.1.
19.1.1.1.81.1.1.
|
|
|
|
|
|
|
|
19.1.1.1.82.
19.1.1.1.82.1.
19.1.1.1.82.1.1.
19.1.1.1.83.
19.1.1.1.83.1.
19.1.1.1.83.1.1.
19.1.1.1.84.
19.1.1.1.84.1.
19.1.1.1.84.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.85.
19.1.1.1.85.1.
19.1.1.1.85.1.1.
19.1.1.1.86.
19.1.1.1.86.1.
19.1.1.1.86.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.87.
19.1.1.1.87.1.
19.1.1.1.87.1.1.
|
|
|
|
19.1.1.1.88.
19.1.1.1.88.1.
19.1.1.1.88.1.1.
|
|
|
|
19.1.1.1.89.
19.1.1.1.89.1.
19.1.1.1.89.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.90.
19.1.1.1.90.1.
19.1.1.1.90.1.1.
19.1.1.1.91.
19.1.1.1.91.1.
19.1.1.1.91.1.1.
19.1.1.1.92.
19.1.1.1.92.1.
19.1.1.1.92.1.1.
19.1.1.1.93.
19.1.1.1.93.1.
19.1.1.1.93.1.1.
|
|
|
|
19.1.1.1.94.
19.1.1.1.94.1.
19.1.1.1.94.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.95.
19.1.1.1.95.1.
19.1.1.1.95.1.1.
19.1.1.1.96.
19.1.1.1.96.1.
19.1.1.1.96.1.1.
|
|
|
|
19.1.1.1.97.
19.1.1.1.97.1.
19.1.1.1.97.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.98.
19.1.1.1.98.1.
19.1.1.1.98.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.99.
19.1.1.1.99.1.
19.1.1.1.99.1.1.
19.1.1.1.100.
19.1.1.1.100.1.
19.1.1.1.100.1.1.
19.1.1.1.101.
19.1.1.1.101.1.
19.1.1.1.101.1.1.
19.1.1.1.102.
19.1.1.1.102.1.
19.1.1.1.102.1.1.
19.1.1.1.103.
19.1.1.1.103.1.
19.1.1.1.103.1.1.
19.1.1.1.104.
19.1.1.1.104.1.
19.1.1.1.104.1.1.
19.1.1.1.105.
19.1.1.1.105.1.
19.1.1.1.105.1.1.
|
|
|
|
19.1.1.1.106.
19.1.1.1.106.1.
19.1.1.1.106.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19.1.1.1.107.
19.1.1.1.107.1.
19.1.1.1.107.1.1.
19.1.1.1.108.
19.1.1.1.108.1.
19.1.1.1.108.1.1.
20장.
Legal Notice
Copyright © Red Hat
OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Modified versions must remove all Red Hat trademarks.
Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.
Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of the OpenJS Foundation.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}