Skip to content

Latest commit

 

History

History
124 lines (94 loc) · 3.13 KB

README.adoc

File metadata and controls

124 lines (94 loc) · 3.13 KB
Raw

openshift-rsyslog

Setup Project

# oadm new-project rsyslog --node-selector=""
$ oc project rsyslog

Set SCC

The rsyslog pods need to run privileged in order to access certain system resources.

  • /etc/machine-id - read

  • /etc/hostname - read

  • /etc/localtime - read

  • /var/log - read/write

  • /run/log - read/write

As system:admin do the following:

# oadm policy add-scc-to-user privileged system:serviceaccount:rsyslog:default

Grant DaemonSet ClusterRole (Optional)

If you are using a different user than admin, you have to grant a daemonset clusterrole.

As Admin, create a dedicated cluster role:

cat <<EOF | oc create -f -
apiVersion: v1
kind: ClusterRole
metadata:
  name: system:daemonset-admin
rules:
- resources:
  - daemonsets
  apiGroups:
  - extensions
  verbs:
  - create
  - get
  - list
  - watch
  - delete
  - update
EOF

Grant the daemonset cluster role to your user in the right namespace

# oadm policy add-role-to-user system:daemonset-admin [email protected] -n rsyslog

Create DaemonSet

$ oc create -f ds-rsyslog.yaml

Or create DaemonSet with vars to set the nodename.

$ oc create -f ds-rsyslog-nodename.yaml

Create ConfigMap

The config map contains an additional configuration file that will be placed in /etc/rsyslog.d/. This file contains the remote logging server address.

$ oc create -f cm-rsyslog.yaml

Example

root@master:~$ oadm new-project rsyslog --node-selector=""
Created project rsyslog

root@master:~$ oc project rsyslog
Already on project "rsyslog" on server "https://master.manage.bm.chmouel.com:8443".

root@master:~$ oadm policy add-scc-to-user privileged system:serviceaccount:rsyslog:default

root@master:~$ oc create -f ds-rsyslog.yaml
daemonset "rsyslog" created

root@master:~$ oc create -f cm-rsyslog.yaml
configmap "rsyslog-config-cm" created

root@master:~$ oc get po
NAME            READY     STATUS    RESTARTS   AGE
rsyslog-acuhj   1/1       Running   0          1m
rsyslog-mvqkc   1/1       Running   0          1m
rsyslog-o2fmf   1/1       Running   0          1m

root@master:~$ oc rsh rsyslog-acuhj ls -la /etc/rsyslog.d
total 4
drwxrwxrwx.  3 root root   78 Sep 14 08:13 .
drwxr-xr-x. 49 root root 4096 Sep 14 08:13 ..
drwxr-xr-x.  2 root root   27 Sep 14 08:13 ..9989_14_09_08_13_25.009400751
lrwxrwxrwx.  1 root root   31 Sep 14 08:13 ..data -> ..9989_14_09_08_13_25.009400751
lrwxrwxrwx.  1 root root   21 Sep 14 08:13 container.conf -> ..data/container.conf

root@master:~$ oc rsh rsyslog-acuhj cat /etc/rsyslog.d/container.conf
*.* @remote-log-host.example.org

Optional

As-is the destination will receive logs as coming from the pod’s hostname. To forward logs with the actual node name you can rebuild the image using the rsyslog.sh here.

ls -l
-rwxr-xr-x root root  67 Nov 29 13:51 rsyslog.sh
-rwxr-xr-x root root 263 Nov 29 13:51 Dockerfile

# cat Dockerfile
FROM registry.access.redhat.com/rhel7/rsyslog
ADD rsyslog.sh /bin/

# docker build --rm -t registry.domain.com:5000/rsyslog:v01 .