Description of problem:
Enabled the audit log in master-config.yaml, then restarted the master service, and found that the log is created in the master-api pod; the audit log was created in a special dir on the master server in ocp3.9. Is there a risk from a big-size log being created in the master pod?

openshift v3.10.0-0.16.0
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16

How reproducible:
Always

Steps to Reproduce:
0. Set up audit in the master-config file, and restart the master api service

    auditConfig:
      auditFilePath: "/var/log/audit-ocp.log"
      enabled: true
      maximumFileRetentionDays: 10
      maximumFileSizeMegabytes: 10
      maximumRetainedFiles: 10
      logFormat: json
      policyConfiguration: null
      policyFile: /etc/origin/master/audit-policy.yaml
      webHookKubeConfig: ""
      webHookMode: ""

1. Verify that the log is created in the master pod

    # oc rsh -n kube-system master-api-qe-geliu-privatemaster-etcd-1
    sh-4.2# ls -rlt /var/lo
    local/ lock/ log/
    sh-4.2# ls -rlt /var/lo
    local/ lock/ log/
    sh-4.2# ls -rlt /var/log/
    total 4068
    drwxr-xr-x. 2 root root 6 Jun 28 2017 ceph
    -rw-------. 1 root root 0 Jan 18 16:39 tallylog
    drwxr-xr-x. 1 root root 22 Jan 18 16:40 rhsm
    drwxr-xr-x. 2 root root 257 Jan 18 16:40 anaconda
    -rw-rw-r--. 1 root utmp 0 Mar 27 02:21 wtmp
    -rw-------. 1 root utmp 0 Mar 27 02:21 btmp
    -rw-r--r--. 1 root root 26280 Mar 27 02:21 lastlog
    -rw-------. 1 root root 7028 Mar 27 03:18 yum.log
    -rw-r--r--. 1 root root 3864348 Apr 10 09:41 audit-ocp.log

Actual results:
audit log created in master-api pod but not on master srv in ocp 3.10

Expected results:
audit log created on master srv
Expected results: the audit log should be located on the host instead of the pod, I think
Scott, is there a way the installer can bind mount a directory from the master to store the audit log on the host?
The location and mounting is not related to the audit functionality, which is working just fine. I'm re-assigning this to Scott, since he's dealing with the installer bits.
We're going to mount up /var/log and release note that you must configure the audit log to live in /var/log somewhere.
Due to the move to static pods there are only certain paths that are mounted in the master pods. These are /etc/origin/master, /etc/origin/cloudprovider and /var/lib/origin. Bug 1570935 adds a pre-upgrade check to ensure that all paths defined in /etc/origin/master/master-config.yaml fall into those locations. If there's a path that doesn't, we'll require that the admin reconfigure their environment to move items to those paths. Closing this as a dupe of 1570935.

*** This bug has been marked as a duplicate of bug 1570935 ***
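An added example, not part of the thread and not the openshift-ansible check itself: a sketch of the kind of path check described in the comment above, flagging absolute paths in a master config that fall outside the directories mounted into the static pod. The function names and the sample config are constructed for illustration; the scan is a plain line match rather than a YAML parse, and symlinks are not resolved.

```python
import posixpath
import re

# Directories the comment above lists as mounted into the master static pods.
MOUNTED_DIRS = ("/etc/origin/master", "/etc/origin/cloudprovider", "/var/lib/origin")

# Constructed sample config for this example (not taken from a real cluster).
SAMPLE_CONFIG = """\
auditConfig:
  auditFilePath: "/var/log/audit-ocp.log"
  enabled: true
  policyFile: /etc/origin/master/audit-policy.yaml
  webHookKubeConfig: ""
servingInfo:
  certFile: /etc/origin/master-backup/master.server.crt
  keyFile: /var/lib/origin/../../log/master.server.key
"""

# Matches "key: /abs/path" or "- /abs/path", with optional quotes and trailing comment.
_PATH_VALUE = re.compile(
    r"""^\s*(?:-\s*)?(?:([\w.-]+)\s*:\s*)?["']?(/[^"'\s#]*)["']?\s*(?:#.*)?$"""
)


def is_under(path, base):
    """True if path is base itself or lies below it, after collapsing '..' and '//'."""
    path = posixpath.normpath(path)
    base = posixpath.normpath(base)
    # Compare on a path-component boundary so /etc/origin/master-backup
    # is not mistaken for a child of /etc/origin/master.
    return path == base or path.startswith(base + "/")


def unmounted_paths(config_text, mounted=MOUNTED_DIRS):
    """Return (line number, key, path) for every absolute path outside the mounts."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = _PATH_VALUE.match(line)
        if not match:
            continue
        key, path = match.group(1) or "(list item)", match.group(2)
        if not any(is_under(path, base) for base in mounted):
            findings.append((lineno, key, path))
    return findings


if __name__ == "__main__":
    for lineno, key, path in unmounted_paths(SAMPLE_CONFIG):
        print(f"line {lineno}: {key} -> {path} is not on a path mounted in the master pod")
```

Passing a wider tuple as `mounted` (for example with /var/log added) shows which settings would still be flagged after an extra directory is bind mounted.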
David Eads has pointed out that other apiservers are also affected by the audit config. I think the master team needs to more thoroughly consider audit logging. If all we really need to do is mount up /var/log in the apiserver static pod then move it back. It sounds like that isn't sufficient however.
*** Bug 1619453 has been marked as a duplicate of this bug. ***
*** Bug 1623700 has been marked as a duplicate of this bug. ***
*** Bug 1630759 has been marked as a duplicate of this bug. ***
This was fixed in https://github.com/openshift/openshift-ansible/pull/8189 as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1570935. Also doc bugzilla is here: https://bugzilla.redhat.com/show_bug.cgi?id=1622044. Closing this as a duplicate. *** This bug has been marked as a duplicate of bug 1622044 ***