Lab: OpenShift Logging

Configure OpenShift Logging for short-term and long-term log retention and aggregation.

Outcomes

  • Configure OpenShift Logging to forward logs to an external aggregator for long-term storage.

  • Configure OpenShift Logging with Loki for short-term log retention.

  • Configure OpenShift Logging to collect logs from specific applications.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start logging-review

Instructions

The security policy of your company requires you to send OpenShift audit logs to a dedicated syslog server for long-term storage.

The developer team asks you to provide them access to the production application logs and to the logs of the CI jobs that run in the build-ci namespace. To limit the footprint of the log storage, the developers agree to keep only seven days of logs for the build-ci namespace.

Configure OpenShift Logging to forward only audit logs to the syslog server. The syslog server DNS name is utility.lab.example.com and the service listens on the TCP port 514. Forwarded audit logs are stored in the /var/log/openshift/audit.log file on the utility machine.

Configure Loki as the internal log store for both infrastructure logs for the cluster administrators and application logs for the developers.

An S3 bucket is available for you, in the lab environment, to configure as log storage for Loki. The bucket information and credentials are available in the ~/DO380/labs/logging-review/s3bucket.env file on the workstation machine.

Ensure that only application logs with the environment: production label or in the build-ci namespace are collected. Ensure that audit logs are not stored in the internal log store.

Configure the global log retention in Loki to 30 days. Configure the log retention for pods that are running in the build-ci namespace to seven days.

Provide access to the application logs to the ocpdevs group. You can use the developer user, which is in the ocpdevs group, to verify that the permissions are correct.

Use the following applications in the cluster to verify that the logging configuration is working as expected.

Applications that are running in the following projects have the environment: production label:

  • shop-prod

  • supportbot-prod

Applications that are running in the following projects have the environment: staging label:

  • shop-stg

  • supportbot-stg

Applications that are running in the following projects have the environment: development label:

  • shop-dev

  • supportbot-dev

  • build-ci

  1. Create a secret for Loki with the object storage credentials from the ~/DO380/labs/logging-review/s3bucket.env environment file.

    1. Connect to the OpenShift cluster as the admin user with redhatocp as the password.

      [student@workstation ~]$ oc login -u admin -p redhatocp \
        https://api.ocp4.example.com:6443
      Login successful.
      ...output omitted...
    2. Change to the ~/DO380/labs/logging-review directory.

      [student@workstation ~]$ cd ~/DO380/labs/logging-review
    3. Change to the openshift-logging project.

      [student@workstation logging-review]$ oc project openshift-logging
      Now using project "openshift-logging" on server "https://api.ocp4.example.com:6443".
    4. Use the ~/DO380/labs/logging-review/s3bucket.env environment file to create the logging-loki-odf secret in the openshift-logging namespace.

      [student@workstation logging-review]$ oc create secret generic logging-loki-odf \
        -n openshift-logging --from-env-file=s3bucket.env
      secret/logging-loki-odf created
  2. Create and configure a logging-loki LokiStack instance to use the S3 bucket, and set the log retention for the build-ci namespace.

    You can use the partial resource definition in the ~/DO380/labs/logging-review/lokistack.yml file.

    1. Modify the partial resource definition in the ~/DO380/labs/logging-review/lokistack.yml file as follows:

      apiVersion: loki.grafana.com/v1
      kind: LokiStack
      metadata:
        name: logging-loki
        namespace: openshift-logging
      spec:
        limits:
          global:
            retention:
              days: 30
              streams:
                - selector: '{kubernetes_namespace_name="build-ci"}'
                  priority: 1
                  days: 7
        size: 1x.demo
        storage:
          tls:
            caName: openshift-service-ca.crt
          secret:
            name: logging-loki-odf
            type: s3
        storageClassName: ocs-external-storagecluster-ceph-rbd
        tenants:
          mode: openshift-logging
    2. Create the LokiStack resource.

      [student@workstation logging-review]$ oc create -f lokistack.yml
      lokistack.loki.grafana.com/logging-loki created
    3. Verify that the LokiStack pods are up and running.

      [student@workstation logging-review]$ oc get deployment,statefulset \
        -l app.kubernetes.io/name=lokistack
      NAME                                          READY  UP-TO-DATE  AVAILABLE  AGE
      deployment.apps/logging-loki-distributor      1/1    1           1          86s
      deployment.apps/logging-loki-gateway          2/2    2           2          85s
      deployment.apps/logging-loki-querier          1/1    1           1          85s
      deployment.apps/logging-loki-query-frontend   1/1    1           1          85s
      
      NAME                                          READY  AGE
      statefulset.apps/logging-loki-compactor       1/1    85s
      statefulset.apps/logging-loki-index-gateway   1/1    85s
      statefulset.apps/logging-loki-ingester        1/1    86s
  3. Configure OpenShift Logging to forward audit logs to the syslog server, and to forward the infrastructure and application logs to the internal log store.

    Ensure that only application logs with the environment: production label or in the build-ci namespace are collected. Ensure that audit logs are not stored in the Loki instance.

    You can use the partial resource definition in the ~/DO380/labs/logging-review/clusterlogforwarder.yml file.

    1. Modify the partial resource definition in the ~/DO380/labs/logging-review/clusterlogforwarder.yml file as follows:

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        inputs:
          - name: production-apps
            application:
              selector:
                matchLabels:
                  environment: production
          - name: ci
            application:
              namespaces:
              - build-ci
        outputs:
          - name: audit-syslog
            type: syslog
            url: tcp://utility.lab.example.com:514
            syslog:
              msgID: audit
              appName: ocp-lab
              facility: user
              procID: vector
              rfc: RFC5424
              severity: informational
        pipelines:
          - name: to-syslog
            inputRefs:
              - audit
            outputRefs:
              - audit-syslog
          - name: to-loki
            inputRefs:
              - infrastructure
              - ci
              - production-apps
            outputRefs:
              - default
    2. Apply the configuration for the cluster log forwarder.

      [student@workstation logging-review]$ oc apply -f clusterlogforwarder.yml
      clusterlogforwarder.logging.openshift.io/instance created
  4. Configure OpenShift Logging to deploy Vector and the web console plug-in, and to use the Loki instance that you configured in the previous step as the log store.

    You can use the partial resource definition in the ~/DO380/labs/logging-review/clusterlogging.yml file.

    1. Modify the partial resource definition in the ~/DO380/labs/logging-review/clusterlogging.yml file as follows:

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogging
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        managementState: Managed
        logStore:
          type: lokistack
          lokistack:
            name: logging-loki
        collection:
          type: vector
        visualization:
          type: ocp-console
    2. Apply the cluster logging configuration.

      [student@workstation logging-review]$ oc apply -f clusterlogging.yml
      clusterlogging.logging.openshift.io/instance created
    3. Verify that the OpenShift Logging operator deploys the collector pod on each node.

      [student@workstation logging-review]$ oc get daemonset -l component=collector
      NAME        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   ...
      collector   6         6         6       6            6           ...
  5. Connect to the utility server and verify that the syslog service receives the audit logs. Audit logs are stored in the /var/log/openshift/audit.log file on the utility machine.

    1. Connect to the utility machine with SSH as the root user.

      [student@workstation logging-review]$ ssh root@utility
    2. Check that the OpenShift audit log file exists in the /var/log/openshift path.

      [root@utility ~]# ls -l /var/log/openshift/
      total 978112
      -rw-------.  1 root root 462107806 Jan 30 10:10 audit.log
    3. Review the content of the audit log.

      [root@utility ~]# tail -1 /var/log/openshift/audit.log
      "2024-01-30T10:10:25.618+00:00 ...output omitted..."
    4. Disconnect from the utility machine.

      [root@utility ~]# exit
      logout
      Connection to utility closed.
      [student@workstation logging-review]$
  6. Enable the web console plug-in for the OpenShift Logging operator and verify that infrastructure and application logs are available.

    1. Open a web browser and navigate to https://console-openshift-console.apps.ocp4.example.com. Click Red Hat Identity Management and log in as the admin user with redhatocp as the password.

    2. Click Operators → Installed Operators, and select All Projects from the drop-down menu.

    3. Click Red Hat OpenShift Logging, click Console plugin, select Enable, and click Save.

    4. Reload the web console, and navigate to Observe → Logs. If the Observe → Logs menu is not available, then wait until the web console shows the Web console update is available message and reload the web console.

      Verify that the application logs are available.

    5. From the drop-down menu, select infrastructure and verify that the infrastructure logs are available.

    6. From the drop-down menu, select audit and confirm that no audit logs are stored in the log store.

  7. Grant view access to the application logs to the ocpdevs group.

    1. Add the cluster-logging-application-view role to the ocpdevs group.

      [student@workstation logging-review]$ oc adm policy add-cluster-role-to-group \
        cluster-logging-application-view ocpdevs
      clusterrole.rbac.authorization.k8s.io/cluster-logging-application-view added: "ocpdevs"
  8. Verify that the developer user can access the application logs from the web console.

    Verify that only application logs with the environment: production label or in the build-ci namespace are collected.

    1. Open a new private browser window, and navigate to https://console-openshift-console.apps.ocp4.example.com.

    2. Click Red Hat Identity Management and log in as the developer user with developer as the password. Click Skip tour.

    3. Navigate to Observe and select build-ci from the project drop-down menu. Change to the Logs tab. Verify that the application logs are available.

    4. Change to the shop-prod project and verify that the application logs are available.

    5. Change to the shop-dev project, and verify that no application logs are available, because the application does not have the required label.

    6. Close both web browser windows and change to the /home/student directory in the terminal window.

      [student@workstation logging-review]$ cd
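As an added check that is not part of the lab materials, the following Python script audits a ClusterLogForwarder spec against the requirements of this lab: audit logs must never reach the internal log store, the syslog output must receive audit logs only, and every application input must be scoped by a label selector or a namespace list. The input is a constructed JSON copy of the resource built in step 3, in the form that oc get -o json returns.

```python
import json

# Constructed sample input: the spec of the ClusterLogForwarder built in this lab, in the
# form that `oc get clusterlogforwarder instance -n openshift-logging -o json` returns.
CLF_JSON = """{"spec": {
  "inputs": [
    {"name": "production-apps",
     "application": {"selector": {"matchLabels": {"environment": "production"}}}},
    {"name": "ci", "application": {"namespaces": ["build-ci"]}}],
  "outputs": [
    {"name": "audit-syslog", "type": "syslog", "url": "tcp://utility.lab.example.com:514"}],
  "pipelines": [
    {"name": "to-syslog", "inputRefs": ["audit"], "outputRefs": ["audit-syslog"]},
    {"name": "to-loki", "inputRefs": ["infrastructure", "ci", "production-apps"],
     "outputRefs": ["default"]}]}}"""

# Reserved input names of the ClusterLogForwarder API; "application" collects every app log.
RESERVED_INPUTS = {"application", "infrastructure", "audit"}


def audit_forwarder(spec):
    """Return the list of lab-policy violations found in a ClusterLogForwarder spec."""
    problems = []
    inputs = {i["name"]: i for i in spec.get("inputs", [])}
    syslog_outputs = {o["name"] for o in spec.get("outputs", []) if o.get("type") == "syslog"}
    for p in spec.get("pipelines", []):
        name, refs, outs = p["name"], set(p.get("inputRefs", [])), set(p.get("outputRefs", []))
        # Audit logs must never land in the internal log store (output "default").
        if "audit" in refs and "default" in outs:
            problems.append(f"{name}: audit logs stored in the internal log store")
        # The syslog server must receive audit logs only.
        if outs & syslog_outputs and refs != {"audit"}:
            problems.append(f"{name}: non-audit logs forwarded to syslog")
        for ref in refs:
            if ref == "application":
                problems.append(f"{name}: unscoped 'application' input")
            elif ref not in RESERVED_INPUTS:
                # Custom inputs must be narrowed by a label selector or a namespace list.
                app = inputs.get(ref, {}).get("application")
                if app is None or not (app.get("selector") or app.get("namespaces")):
                    problems.append(f"{name}: input '{ref}' is undefined or unscoped")
    return problems


def check_lab_forwarder():
    """Audit the constructed lab spec; an empty list means every requirement holds."""
    return audit_forwarder(json.loads(CLF_JSON)["spec"])


if __name__ == "__main__":
    for problem in check_lab_forwarder() or ["no violations found"]:
        print(problem)
```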

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade logging-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish logging-review

Revision: do380-4.14-397a507