DOC Update: Log collection and running the container in non-root user mode #887

Merged
merged 3 commits into from
Aug 17, 2023
Changes from 1 commit
14 changes: 11 additions & 3 deletions docs/advanced-configuration.md
Expand Up @@ -514,10 +514,18 @@ Here is the summary of performance benchmarks run internally.
The data pipelines for these test runs involved reading container logs as they are being written, then parsing filename for metadata, enriching it with kubernetes metadata, reformatting data structure, and sending them (without compression) to Splunk HEC endpoint.

## Running the container in non-root user mode
Collecting logs often requires reading log files that are owned by the root user. By default, the container runs with `securityContext.runAsUser = 0` which gives the `root` user permission to read those files.
To run the container in `non-root` user mode, set `.agent.securityContext`. The log data permissions will be adjusted to match the securityContext configurations. For instance:
```yaml
agent:
securityContext:
runAsUser: 20000
runAsGroup: 20000
```

Collecting logs often requires reading log files that are owned by the root user. By default, the container runs with `securityContext.runAsUser = 0` which gives the `root` user permission to read those files. To run the container in `non-root` user mode, set `.agent.securityContext` to `20000` to cause the container to run the required file system operations as UID and GID `20000`. (it can be any other UID & GUI)

Note: `cri-o` container runtime did not work during internal testing.
Note: Running the collector agent for log collection in non-root mode is currently unsupported in CRI-O and OpenShift environments due to platform limitations, for more details see the related
[OpenShift Container Platform Documentation - InitContainers won't help resolve permission issues](https://developers.redhat.com/blog/2020/10/26/adapting-docker-and-kubernetes-containers-to-run-on-red-hat-openshift-container-platform)
documentation.

## Network explorer
[Network explorer](network-explorer-architecture.md) allows you to collect network telemetry for ingest and analysis. This telemetry is sent to the Open Telemetry Collector Gateway.
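
Review bot: The added sentence "The log data permissions will be adjusted to match the securityContext configurations" in the non-root section does not say what performs the adjustment or which files it touches, so an operator cannot judge what changes on the node when moving off `runAsUser: 0`. Suggest naming the mechanism and the affected paths, and keeping the removed text's point that any other UID and GID can be used in place of 20000. In the new CRI-O/OpenShift note, the link label reads "OpenShift Container Platform Documentation" but the URL is a developers.redhat.com blog post, and "due to platform limitations, for more details see the related" is a comma splice; split it into two sentences and label the link as the blog article. Also confirm in the file that `securityContext:` and the `runAsUser`/`runAsGroup` keys are indented under `agent:`, since the example as shown here has all four keys at the same level.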