Bug 1498398 - Incomplete default configuration for secure-forward
Summary: Incomplete default configuration for secure-forward
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: 3.9.0
Assignee: Ruben Romero Montes
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks: 1617921
Reported: 2017-10-04 08:41 UTC by Ruben Romero Montes
Modified: 2018-08-16 07:20 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The secure-forward template generated in the configMap does not include the <store> tag as mentioned in the documentation.
Consequence: The configuration fails when more stores are defined.
Fix: Add enclosing <store> tag for the template.
Result: Removing the comments provides a syntactically valid configuration.
Clone Of:
: 1617921 (view as bug list)
Environment:
Last Closed: 2018-06-27 18:01:30 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift openshift-ansible pull 5652 0 None closed Add enclosing <store> tags to sample secure-forward.conf files 2020-09-03 08:01:06 UTC
Github openshift origin-aggregated-logging pull 740 0 None closed Fixes BZ 1498398 adding <store> tag 2020-09-03 08:01:07 UTC
Red Hat Product Errata RHSA-2018:2013 0 None None None 2018-06-27 18:01:53 UTC

Description Ruben Romero Montes 2017-10-04 08:41:56 UTC
Description of problem:
The provided template for the secure-forward.conf file does not include the <store> tag which might lead to users having problems during its configuration.

The main problem is that it doesn't match the documentation.

Version-Release number of selected component (if applicable):
Any version

Additional info:

Documentation snippet found in:
https://docs.openshift.com/container-platform/3.6/install_config/aggregate_logging.html#aggregated-fluentd

Conf file missing the store tag:
https://github.com/openshift/openshift-ansible/blob/release-3.6/roles/openshift_logging_fluentd/files/secure-forward.conf

Comment 1 Ruben Romero Montes 2017-10-20 08:44:06 UTC
Can the PR be merged? Is there something missing?

Comment 2 Noriko Hosoi 2017-10-20 18:35:51 UTC
(In reply to Ruben Romero Montes from comment #0)
> Additional info:
> Documentation snippet found in:
> https://docs.openshift.com/container-platform/3.6/install_config/
> aggregate_logging.html#aggregated-fluentd

It looks like a Doc bug. Please take a look at this Fluentd doc, where <store> is not needed. (Instead, it needs to be in <match TAG>.)

https://docs.fluentd.org/v0.12/articles/out_secure_forward

You could see how we enable secure forward in the secure forward CI test.
1) Enabling secure-forward.conf in the main fluentd config file in <match **>:
https://github.com/openshift/origin-aggregated-logging/blob/master/test/fluentd-forward.sh#L22-L25
2) Updating the content of secure-forward.conf:
https://github.com/openshift/origin-aggregated-logging/blob/master/test/fluentd-forward.sh#L31-L41

Can we change this to a Doc bug?

Comment 3 Ruben Romero Montes 2017-10-23 20:43:30 UTC
In both cases the <match **> tag only has one @include but if you see in the documentation when you use the @type copy you need to put the others under <store> tag. Check how the configuration should be expanded.

<match **>
   @type copy
   @include output-es-config.conf
   @include ../user/output-extra-*.conf
   @include ../dynamic/es-copy-config.conf
   <store>
     @type secure_forward
     ...
   </store>
</match>

Compare with the output-es-config.conf file, for example:
    <store>
      @type elasticsearch_dynamic
      host "#{ENV['ES_HOST']}"
      port "#{ENV['ES_PORT']}"
      ...
    </store>

But it is true I should add a unit test for that.

Comment 5 openshift-github-bot 2017-11-18 09:27:41 UTC
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/4b2b0a0b5d5df89c98332a3ae24de336a65c0332
bug 1498398. Enclose content between store tag

Comment 6 Rich Megginson 2018-01-04 03:04:43 UTC
How can we verify if we have an openshift-ansible build which includes this fix?

Comment 7 Scott Dodson 2018-01-04 14:27:08 UTC
It should be in both 3.8 and 3.9 builds.

~/git/Openshift/openshift-ansible (master)$ git tag --contains 4b2b0a0b5d5df89c98332a3ae24de336a65c0332
openshift-ansible-3.8.0-0.10.0
openshift-ansible-3.9.0-0.1.0

Comment 11 Anping Li 2018-01-10 10:27:08 UTC
Not sure if we need to fix in v3.6 and v3.7.
Get the following error when using td-agent as an external fluentd: td-agent-3.1.1-0.el7.x86_64. Will the same version fluentd again.


2018-01-10 04:00:03 -0500 [warn]: #0 incoming chunk is broken: host="192.168.1.218" msg=46
2018-01-10 04:00:03 -0500 [error]: #0 unexpected error on reading data host="192.168.1.218" port=54510 error_class=MessagePack::UnknownExtTypeError error="unexpected extension type"
  2018-01-10 04:00:03 -0500 [error]: #0 suppressed same stacktrace

Comment 13 Anping Li 2018-01-17 12:42:09 UTC
The secure-forward.conf is in place of store, so move bug to verified.

  secure-forward.conf: |
    # <store>
    # @type secure_forward

    # self_hostname ${HOSTNAME}
    # shared_key <SECRET_STRING>

    # secure yes
    # enable_strict_verification yes

    # ca_cert_path /etc/fluent/keys/your_ca_cert
    # ca_private_key_path /etc/fluent/keys/your_private_key
      # for private CA secret key
    # ca_private_key_passphrase passphrase

    # <server>
      # or IP
    #   host server.fqdn.example.com
    #   port 24284
    # </server>
    # <server>
      # ip address to connect
    #   host 203.0.113.8
      # specify hostlabel for FQDN verification if ipaddress is used for host
    #   hostlabel server.fqdn.example.com
    # </server>
    # </store>
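
Added example (not part of the bug report or of openshift-ansible's code): a small check for the condition discussed in comment 3 and verified in comment 13, namely that a fragment @include'd under "@type copy" is valid once uncommented only if everything sits inside a balanced <store> block. Both templates are constructed samples modelled on the snippets above, and the function name and the rule that a '#' in column 0 marks disabled config are assumptions of this example.

```python
import re

# Constructed samples modelled on the fragments quoted in this bug report.
FIXED_TEMPLATE = """\
# <store>
# @type secure_forward
# self_hostname ${HOSTNAME}
# shared_key <SECRET_STRING>
# <server>
  # or IP
#   host server.fqdn.example.com
#   port 24284
# </server>
# </store>
"""
OLD_TEMPLATE = """\
# @type secure_forward
# self_hostname ${HOSTNAME}
# <server>
#   host server.fqdn.example.com
# </server>
"""

OPEN = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")
CLOSE = re.compile(r"^</(\w+)>$")

def check_copy_fragment(template):
    """List what breaks once the fragment is uncommented and @include'd under '@type copy'."""
    problems, stack = [], []
    for n, raw in enumerate(template.splitlines(), 1):
        # Assumption: '#' in column 0 marks disabled config; an indented '#' is a real comment.
        line = raw[1:].strip() if raw.startswith("#") else raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLOSE.match(line):
            if not stack or stack.pop() != m.group(1):
                problems.append(f"line {n}: unbalanced </{m.group(1)}>")
        elif m := OPEN.match(line):
            if not stack and m.group(1) != "store":
                problems.append(f"line {n}: <{m.group(1)}> outside <store>")
            stack.append(m.group(1))
        elif not stack:
            problems.append(f"line {n}: '{line}' outside <store>")
    return problems + [f"unclosed <{tag}>" for tag in stack]

if __name__ == "__main__":
    for name, text in (("fixed", FIXED_TEMPLATE), ("old", OLD_TEMPLATE)):
        print(name, check_copy_fragment(text) or "ok")
```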

Comment 16 errata-xmlrpc 2018-06-27 18:01:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2013

