Bug 1523470

Summary: Lack container identification code in the save docker event logs
Product: OpenShift Container Platform Reporter: Anping Li <anli>
Component: Logging Assignee: Josef Karasek <jkarasek>
Status: CLOSED ERRATA QA Contact: Anping Li <anli>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.7.1 CC: aos-bugs, jcantril, jkarasek, rmeggins
Target Milestone: ---   
Target Release: 3.7.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-05 09:33:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1496176    
Bug Blocks:    
Attachments:
Description Flags
Docker Event Documents in ES none

Description Anping Li 2017-12-08 04:22:40 UTC
Description of problem:

For further analysis, the saved docker event log (documents) should include identification codes, for example the container ID, container IP, container name, container image, etc., but fluentd couldn't scratch such data from audit logs.

Version-Release number of selected component (if applicable):
openshift3/logging-fluentd/images/v3.7.14-1


How reproducible:
always

Steps to Reproduce:
1. deploy logging to collect docker event logs

openshift_logging_install_logging=true
openshift_logging_fluentd_audit_container_engine=true
openshift_logging_fluentd_audit_file=/var/log/audit/audit.log
openshift_logging_fluentd_audit_pos_file=/var/log/audit/audit.log.pos

2. run a docker container
   docker run --rm centos:7 sleep 200

3. docker inspect $dockerID in another tty
   docker inspect 8423f82e1ec9

4. gather all records from the ES stack
   oc rsh -c elasticsearch logging-es-ops-data-master-9mdj6t21-1-2ktkm curl -XGET --cacert /etc/elasticsearch/secret/admin-ca --cert /etc/elasticsearch/secret/admin-cert --key /etc/elasticsearch/secret/admin-key 'https://localhost:9200/_search?pretty&size=5000&q=docker.user:*' --insecure |tee dockerEvent.json

5. Search for the container identification code in the saved dockerEvent documents
   For example, search for container ID, container IP, container name, container image in dockerEvent.json

Actual results:
No container identification code in the saved docker event documents


Expected results:
For further analysis, it is better to gather the container identification code in the docker event log (documents).


Additional info:

Bug https://bugzilla.redhat.com/show_bug.cgi?id=1496176 has been closed. I open this to address it in OpenShift.
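As an added example (not part of the bug report, and not code from the OpenShift logging project), the check in step 5 done programmatically: it parses an Elasticsearch search response of the shape that the curl in step 4 saves to dockerEvent.json and reports, per document, which of the identification fields docker.container_id_short and docker.container_image are missing. The response below is constructed here, modelled on the documents pasted later in the thread.

```python
import json

# Constructed sample: a trimmed Elasticsearch _search response in the shape
# returned by the '_search?q=docker.user:*' query from the reproduction steps.
# One hit carries container identification fields, one does not.
SAMPLE_RESPONSE = json.dumps({
    "hits": {"hits": [
        {"_id": "doc-with-ids",
         "_source": {"hostname": "172.16.120.9",
                     "docker": {"sauid": "0",
                                "container_id_short": "95849ae758f0",
                                "container_image": "e66c511efd84",
                                "pid": "1874", "user": "root", "reason": "api",
                                "operation": "resize", "result": "success",
                                "command": "/home/appliance/starter.sh"}}},
        {"_id": "doc-without-ids",
         "_source": {"hostname": "172.16.120.9",
                     "docker": {"sauid": "0", "pid": "1874", "user": "root",
                                "reason": "api", "operation": "start",
                                "result": "success", "command": "bash"}}},
    ]}
})

# Fields the bug asks for so an audit event can be tied back to a container.
IDENTIFICATION_FIELDS = ("container_id_short", "container_image")


def audit_docker_events(search_response_json):
    """Return {doc_id: [missing identification fields]} for every document
    in an ES _search response. An empty list means the event is fully
    identified; documents without a "docker" object report all fields missing."""
    response = json.loads(search_response_json)
    report = {}
    for hit in response.get("hits", {}).get("hits", []):
        docker = hit.get("_source", {}).get("docker", {})
        missing = [f for f in IDENTIFICATION_FIELDS if not docker.get(f)]
        report[hit["_id"]] = missing
    return report


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with open("dockerEvent.json").read() for real data.
    for doc_id, missing in audit_docker_events(SAMPLE_RESPONSE).items():
        print(doc_id, "OK" if not missing else "missing: " + ", ".join(missing))
```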

Comment 1 Anping Li 2017-12-08 12:44:46 UTC
Created attachment 1364830 [details]
Docker Event Documents in ES

Comment 2 Jeff Cantrill 2017-12-08 19:27:07 UTC
@Joseph please evaluate and comment

Comment 3 Josef Karasek 2017-12-11 12:06:15 UTC
Still waiting for a fix in docker

Comment 4 Anping Li 2018-03-23 08:34:53 UTC
@Josef, bug 1496176 has been fixed. The docker id and docker image id can be gathered. Can you verify bug 1496176 and move this bug to ON_QA?

{
  "_index": ".operations.2018.03.23",
  "_type": "com.redhat.viaq.common",
  "_id": "ZmRhMTJjMzQtMTUxMC00NmRjLWExZTgtYTBiY2E1MzEwMjA5",
  "_score": null,
  "_source": {
    "hostname": "172.16.120.9",
    "systemd": {
      "t": {
        "PID": "20135",
        "UID": "0",
        "AUDIT_LOGINUID": "4294967295",
        "AUDIT_SESSION": "4294967295",
        "SELINUX_CONTEXT": "system_u:system_r:container_runtime_t:s0",
        "EXE": "\"/usr/bin/dockerd-current\""
      }
    },
    "docker": {
      "sauid": "0",
      "container_id_short": "95849ae758f0",
      "container_image": "e66c511efd84",
      "pid": "1874",
      "user": "root",
      "reason": "api",
      "operation": "resize",
      "result": "success",
      "command": "/home/appliance/starter.sh"
    },
    "pipeline_metadata": {
      "collector": {
        "ipaddr4": "10.130.0.27",
        "ipaddr6": "fe80::28a6:17ff:febe:940e",
        "inputname": "fluent-plugin-systemd",
        "name": "fluentd",
        "received_at": "2018-03-23T08:22:56.404335+00:00",
        "version": "0.12.42 1.6.0"
      }
    },
    "@timestamp": "2018-03-23T08:22:56.402000+00:00",
    "viaq_msg_id": "ZmRhMTJjMzQtMTUxMC00NmRjLWExZTgtYTBiY2E1MzEwMjA5"
  },
  "fields": {
    "@timestamp": [
      1521793376402
    ],
    "pipeline_metadata.collector.received_at": [
      1521793376404
    ]
  },
  "highlight": {
    "docker.container_id_short": [
      "@kibana-highlighted-field@95849ae758f0@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1521793376402
  ]
}

Comment 5 Anping Li 2018-03-23 09:00:16 UTC
It works fine; it can recognize the container_id and container_image.

"docker": {
  "sauid": "0",
  "container_id_short": "f94f3240202a",
  "container_image": "centos",
  "pid": "0",
  "user": "root",
  "reason": "api",
  "operation": "start",
  "result": "success",
  "command": "bash"
}

Comment 6 Josef Karasek 2018-03-23 10:56:00 UTC
Yes, it was fixed in atomic/moby 1.13.

Comment 7 Anping Li 2018-03-23 11:04:37 UTC
Verified with docker-1.13.1-53.git774336d.el7.x86_64

Comment 11 errata-xmlrpc 2018-04-05 09:33:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0636