Support CoreOS?

[zhushendhh]

We tested it in our OCP4 env which is use CoreOS as the worker hosts. But always get permssion deny error for dir "/var/log/containers/*.log"

2021/02/01 08:10:44] [ warn] [input:tail:tail.0] error scanning path: /var/log/containers/*.log 
[2021/02/01 08:10:54] [error] [input:tail:tail.0] read error, check permissions: /var/log/containers/*.log;
[2021/02/01 08:10:54] [ warn] [input:tail:tail.0] error scanning path: /var/log/containers/*.log
[2021/02/01 08:11:04] [error] [input:tail:tail.0] read error, check permissions: /var/log/containers/*.log
[2021/02/01 08:11:04] [ warn] [input:tail:tail.0] error scanning path: /var/log/containers/*.log
[2021/02/01 08:11:14] [error] [input:tail:tail.0] read error, check permissions: /var/log/containers/*.log

Below is the content of the configmap:

apiVersion: v1
data:
  filter-kubernetes.conf: |
    [FILTER]
        Name                kubernetes
        Match               kube.*
        Kube_URL            https://kubernetes.default.svc:443
        Kube_CA_File        /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        Kube_Token_File     /var/run/secrets/kubernetes.io/serviceaccount/token
        Kube_Tag_Prefix     kube.var.log.containers.
        Merge_Log           On
        Merge_Log_Key       log_processed
        K8S-Logging.Parser  On
        K8S-Logging.Exclude Off
  fluent-bit.conf: |
    [SERVICE]
        Flush         1
        Log_Level     info
        Daemon        off
        Parsers_File  parsers.conf
        HTTP_Server   On
        HTTP_Listen   0.0.0.0
        HTTP_Port     2020
    @INCLUDE input-kubernetes.conf
    @INCLUDE filter-kubernetes.conf
    @INCLUDE output-elasticsearch.conf
  input-kubernetes.conf: |
    [INPUT]
        Name          tail
        Path          /var/log/containers/*.log
        Parser        cri
        Tag           kube.*
        Mem_Buf_Limit 5MB
        Skip_Long_Lines Off
        Refresh_Interval  10
  output-elasticsearch.conf: |
    [OUTPUT]
        Name            es
        Match           *
        Host            <es host>
        Port            443
        Logstash_Format On
        Replace_Dots    On
        Retry_Limit     False
        HTTP_User       <user>
        HTTP_Passwd     <passwd>

Then $oc rsh and $oc debug cannot be used for inside troubleshooting:

$oc rsh fluent-bit-5gwn2
ERRO[0000] exec failed: container_linux.go:348: starting container process caused "exec: \"/bin/sh\": stat /bin/sh: no such file or directory"
exec failed: container_linux.go:348: starting container process caused "exec: \"/bin/sh\": stat /bin/sh: no such file or directory"
command terminated with exit code 1

Thank you.

[hsqlu]

Hi @zhushendhh , I experienced the same problem, have found the causes?

Thanks,
Qiannan

[andutt]

Same problem, any progress regarding this?

[sba-ops]

I experienced the same problem, any progress regarding this?

[alibahramian]

this can be fixed by adding securityContext to your flunetbit daemonset:

      securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          seLinuxOptions:
            type: spc_t