libpod: Implement --log-opt label=LABEL=Value#26203
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: p12tic The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
p12tic
force-pushed
the
log-labels
branch
3 times, most recently
from
13c405e to
963614b
Compare
|
Tests are failing due to As for minimum required conmon version, some code existed to check that, but it was removed in 20ad122. I think proper solution would be to resurrect part of it and disable the new code path if old conmon is detected. |
|
What is your actual end goal here? Why would you want the labels as part of every single journald message. That seems wasteful in terms of IO and storage. What does docker compose do? Also adding labels like this means you have a hard dependency on the journald logging driver while that is normally something that is configured by end users so I doubt podman-compose would want to have a hard dependency on a particular log driver? Doing version detection is generally something we avoid because it adds additional overhead to every single container start. |
|
Thanks for your comments. There are many questions, I will try to answer to each separately:
Docker/podman compose is a tool to orchestrate running multiple related local containers. It can be thought as a very simple single node kubernetes.
The end goal is to be able to understand container logs in more complex scenarios. Docker supports logging drivers which allows to ship logs from multiple hosts to a single host for processing and analysis, using tools like Grafana Loki. There's no such thing on Podman. The best what exists is to ship logs to journald and then read them using daemons such as Promtail which ship the logs to the host that does log processing. Unfortunately even in this case current capability is insufficient. A single application is composed of multiple containers most of the time and it's useful to be able to see all logs from a particular application. Unfortunately, currently only container ID and name are available in journald, so this is not possible. Having container labels allows to access labels such as
This allows messages to be associated with a particular grouping. Note that there are already 28 fields associated with each single journald message coming out of conmon already. These are all normal fields in a journald message, I already excluded the fields that are handled in a special way such as timestamps.
Journald does string interning, so repeating log labels have very small incremental cost. Note how many fields are always included already. However I agree that it probably does not make sense to include all labels. Probably it makes sense to configure that how log tag can be configured via
The logging drivers expose different data in the logs already. Journald provides most complete logging information, so adding labels to it does not make it a more hard dependency compared to how it is already.
Agreed, this is a very strong argument why this should not be enabled by default. |
|
List of journald fields coming out of conmon by default: : _EXE CONTAINER_ID _HOSTNAME MESSAGE _TRANSPORT CODE_FILE _AUDIT_SESSION _SOURCE_REALTIME_TIMESTAMP _GID _SYSTEMD_SLICE _SELINUX_CONTEXT PRIORITY _RUNTIME_SCOPE _UID CONTAINER_NAME CODE_FUNC CODE_LINE _SYSTEMD_INVOCATION_ID _CMDLINE _SYSTEMD_CGROUP _MACHINE_ID SYSLOG_IDENTIFIER _PID _SYSTEMD_UNIT _AUDIT_LOGINUID _COMM _CAP_EFFECTIVE CONTAINER_ID_FULL |
My question was about how docker labels the logs? Dumping all labels by default to each log line seems really wasteful.
Oh that was a misunderstanding on my part, I thought the log is written append only line by line basically but it seems there is quite some logic in there to link to previous entries via hash tables so I guess you are right it would not be so bad.
I think that would make the most sense, if we have
From how I understood your PR description I thought your plan was to use that in podman-compose directly and depend on the labels in journald somehow for some feature?! If that is not the case sure then it is nor a problem. |
Sorry, misunderstanding on my side. Docker itself does not need to log labels for its own purposes because it just need to know which container a log came from and then attach labels according to that. The interesting part becomes when the logs are shipped to external log systems. This is implemented by docker logging drivers. For example, Grafana Loki driver will ship the values of com.docker.swarm.service.name, com.docker.stack.namespace, com.docker.compose.service, com.docker.compose.project if present.
Sounds like a plan. I will get back with WIP implementation.
Indeed, this is correct. The only plan is to allow users to configure centralized logging. |
|
We are getting a number of complaints about Podman being overly spammy in the journal logs, so while I'm not opposed to this, I'd want a way of turning it off (the |
I am not to sure we need this a containers.conf option. I rather wait for some use case for this rather than adding any possible option in containers.conf which always complicates things. |
|
Docker supports setting a list of interesting labels to be always logged as part of their journald logging driver https://docs.docker.com/engine/logging/drivers/journald/. These are both settable from per-container and global configuration. I agree that this is out of scope of this PR. |
p12tic
changed the title
p12tic
force-pushed
the
log-labels
branch
2 times, most recently
from
82c89df to
1679ec3
Compare
|
@Luap99 @mheon I updated PR with explicit I chose exposing this as repeating |
|
Currently tests fail due to new |
p12tic
changed the title
|
In the end I also implemented containers.conf option, as the implementation was just 20 lines of code excluding tests. At least for me the use case would be to avoid setting `--log-opt 'label=COMPOSE_PROJECT={{index .Config.Labels "io.podman.compose.project"}}' in every container in every podman-compose file if I want to gather logs into centralized logging analytics service. However this is out of scope of this PR, because first common library needs to be updated. |
|
[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore. |
1 similar comment
|
[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore. |
|
A friendly reminder that this PR had no activity for 30 days. |
|
PR is waiting for review and conmon release. |
p12tic
force-pushed
the
log-labels
branch
6 times, most recently
from
db501b2 to
7d08233
Compare
p12tic
force-pushed
the
log-labels
branch
3 times, most recently
from
eecaedc to
c85990b
Compare
|
@Luap99 I think I addressed all review comments that I could address again. I apologize for needing so much hand holding.. |
p12tic
force-pushed
the
log-labels
branch
3 times, most recently
from
2cc3fac to
72f2ef4
Compare
This allows things like compose project names to be associated with log messages and later used in log processing and analysis. Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
@Luap99 This PR should be good to go now. There are failures in CI, but it seems they are caused by general instability, because unrelated tests fail. I would schedule to rerun the failing tests, but don't have enough permissions. |
|
I restarted the flakes |
|
@containers/podman-maintainers PTAL |
|
LGTM |
|
This is really awesome work and exactly what the doctor ordered. |
4 participants
Currently, Compose on Podman has a significant limitation compared to Compose on Docker: there's no way to include container labels such as the Compose project name in the logs. This issue exists regardless of the underlying Compose provider.
This PR implements support for passing container labels to conmon via new
--log-labeloption. The container labels are supported only on journald log driver and are exposed via--log-opt label=KEY=VALUEsyntax. The option can be repeated multiple times to set multiple labels.Does this PR introduce a user-facing change?