Bug 1498398 - Incomplete default configuration for secure-forward
Summary: Incomplete default configuration for secure-forward
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.9.0
Assignee: Ruben Romero Montes
QA Contact: Anping Li
Depends On:
Blocks: 1617921
Reported: 2017-10-04 08:41 UTC by Ruben Romero Montes
Modified: 2018-08-16 07:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The secure-forward template generated in the configMap does not include the <store> tag as mentioned in the documentation.
Consequence: The configuration fails when more stores are defined.
Fix: Add enclosing <store> tag for the template.
Result: Removing the comments provides a syntactically valid configuration.
Clone Of:
: 1617921 (view as bug list)
Last Closed: 2018-06-27 18:01:30 UTC
Target Upstream Version:

System ID Priority Status Summary Last Updated
Github openshift openshift-ansible pull 5652 None None None 2017-10-04 08:56:24 UTC
Github openshift origin-aggregated-logging pull 740 None None None 2017-10-23 21:05:51 UTC
Red Hat Product Errata RHSA-2018:2013 None None None 2018-06-27 18:01:53 UTC

Description Ruben Romero Montes 2017-10-04 08:41:56 UTC
Description of problem:
The provided template for the secure-forward.conf file does not include the <store> tag which might lead to users having problems during its configuration.

The main problem is that it doesn't match the documentation.

Version-Release number of selected component (if applicable):
Any version

Additional info:

Documentation snippet found in:

Conf file missing the store tag:

Comment 1 Ruben Romero Montes 2017-10-20 08:44:06 UTC
Can the PR be merged? Is there something missing?

Comment 2 Noriko Hosoi 2017-10-20 18:35:51 UTC
(In reply to Ruben Romero Montes from comment #0)
> Additional info:
> Documentation snippet found in:
> https://docs.openshift.com/container-platform/3.6/install_config/
> aggregate_logging.html#aggregated-fluentd

It looks like a Doc bug. Please take a look at this Fluentd doc, where <store> is not needed. (Instead, it needs to be in <match TAG>)


You could see how we enable secure forward in the secure forward CI test.
1) Enabling secure-forward.conf in the main fluentd config file in <match **>:
2) Updating the content of secure-forward.conf:

Can we change this to a Doc bug?

Comment 3 Ruben Romero Montes 2017-10-23 20:43:30 UTC
In both cases the <match **> tag only has one @include, but as you can see in the documentation, when you use @type copy you need to put the others under a <store> tag. Check how the configuration should be expanded.

<match **>
   @type copy
   @include output-es-config.conf
   @include ../user/output-extra-*.conf
   @include ../dynamic/es-copy-config.conf
     @type secure_forward

Compare with the output-es-config.conf file, for example:
      @type elasticsearch_dynamic
      host "#{ENV['ES_HOST']}"
      port "#{ENV['ES_PORT']}"

But it is true I should add a unit test for that.

Comment 5 openshift-github-bot 2017-11-18 09:27:41 UTC
Commit pushed to master at https://github.com/openshift/openshift-ansible

bug 1498398. Enclose content between store tag

Comment 6 Rich Megginson 2018-01-04 03:04:43 UTC
How can we verify if we have an openshift-ansible build which includes this fix?

Comment 7 Scott Dodson 2018-01-04 14:27:08 UTC
It should be in both 3.8 and 3.9 builds.

~/git/Openshift/openshift-ansible (master)$ git tag --contains 4b2b0a0b5d5df89c98332a3ae24de336a65c0332

Comment 11 Anping Li 2018-01-10 10:27:08 UTC
Not sure if we need to fix in v3.6 and v3.7.
Getting the following error when using td-agent as an external fluentd, td-agent-3.1.1-0.el7.x86_64. Will the same version fluentd again.

2018-01-10 04:00:03 -0500 [warn]: #0 incoming chunk is broken: host="" msg=46
2018-01-10 04:00:03 -0500 [error]: #0 unexpected error on reading data host="" port=54510 error_class=MessagePack::UnknownExtTypeError error="unexpected extension type"
  2018-01-10 04:00:03 -0500 [error]: #0 suppressed same stacktrace

Comment 13 Anping Li 2018-01-17 12:42:09 UTC
The secure-forward.conf is in place of store, so move bug to verified.

  secure-forward.conf: |
    # <store>
    # @type secure_forward

    # self_hostname ${HOSTNAME}
    # shared_key <SECRET_STRING>

    # secure yes
    # enable_strict_verification yes

    # ca_cert_path /etc/fluent/keys/your_ca_cert
    # ca_private_key_path /etc/fluent/keys/your_private_key
      # for private CA secret key
    # ca_private_key_passphrase passphrase

    # <server>
      # or IP
    #   host server.fqdn.example.com
    #   port 24284
    # </server>
    # <server>
      # ip address to connect
    #   host
      # specify hostlabel for FQDN verification if ipaddress is used for host
    #   hostlabel server.fqdn.example.com
    # </server>
    # </store>
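
A lint for the failure discussed in comment 3 and fixed by the template above, given here as an added example that is not part of the bug report or of openshift-ansible: it reports every active line of an included fragment that sits outside a <store> section, which is what `@type copy` requires. The function name and the sample fragments are assumptions constructed from the settings shown in the template.

```python
import re

OPEN = re.compile(r"^<(\w+)(?:\s[^>]*)?>$")   # <store>, <server>, <match **>
CLOSE = re.compile(r"^</(\w+)>$")              # </store>

def lint_copy_fragment(name, text):
    """Return problems for a fragment that is @included under '@type copy'.

    Under copy, each output must sit in its own <store> section, so any
    active (uncommented) line outside <store>...</store> is reported.
    """
    problems, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented out: inert
        closing, opening = CLOSE.match(line), OPEN.match(line)
        if closing:
            if stack and stack[-1] == closing.group(1):
                stack.pop()
            else:
                problems.append(f"{name}:{lineno}: unexpected {line}")
        elif opening:
            if not stack and opening.group(1) != "store":
                problems.append(f"{name}:{lineno}: {line} is outside <store>")
            stack.append(opening.group(1))
        elif not stack:
            problems.append(f"{name}:{lineno}: '{line}' is outside <store>")
    problems += [f"{name}: <{tag}> is never closed" for tag in stack]
    return problems

# Constructed sample: settings from the template with the comment markers
# removed, as a user would do to enable secure forwarding.
BODY = """\
@type secure_forward
self_hostname ${HOSTNAME}
shared_key <SECRET_STRING>
secure yes
<server>
  host server.fqdn.example.com
  port 24284
</server>
"""
OLD_TEMPLATE = BODY                               # before the fix: no <store>
NEW_TEMPLATE = "<store>\n" + BODY + "</store>\n"  # after the fix

if __name__ == "__main__":
    for label, conf in (("old", OLD_TEMPLATE), ("new", NEW_TEMPLATE)):
        issues = lint_copy_fragment("secure-forward.conf", conf)
        print(label, "OK" if not issues else "\n  ".join(["FAIL"] + issues))
```

A fully commented-out fragment passes, which matches the shipped default: the template is inert until the comment markers are removed.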

Comment 16 errata-xmlrpc 2018-06-27 18:01:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
