Distroless image and debugging


Tom Stark

Jan 16, 2019, 9:36:28 AM
to Fluent-Bit
I use fluentbit for kubernetes, deployed via daemonset. For debugging purposes, I write a default output to a file on root. With the distroless image, I see no way to cat or tail this output. Does anybody have an idea how to achieve this?

(for the moment, deploy to 0.14 covers my requirement) 


output-elasticsearch.conf: |
    ...
    [OUTPUT]
        Name  file
        Match *
        Path  output.txt

Don Bowman

Jan 16, 2019, 10:03:39 AM
to Tom Stark, Fluent-Bit

option a) write it back to the /var/log/... directory that the other logs are in
option b) use the 'stdout' plugin, and then kubectl logs, rather than write to a file.
option c) write to the same destination as the other logs (e.g. elastic)
option d) below. Maybe I should get a build going to dockerhub which is fluent:ver-debug as well as fluent:ver that has the busybox in it? I guess I haven't seen the need to 'login' to the container.

$ cat Dockerfile.debug
FROM debian:stretch as builder
ADD https://busybox.net/downloads/binaries/1.30.0-i686/busybox /bin/busybox
RUN chmod 555 /bin/busybox \
 && /bin/busybox --install

FROM fluent/fluent-bit:latest
COPY --from=builder /bin/ /bin/


$ docker build -t fluent/fluent-bit:debug -f Dockerfile.debug .
$ docker run --rm -it fluent/fluent-bit:debug /bin/sh
$ kubectl ... run ... /bin/sh



Don Bowman

Jan 16, 2019, 10:19:50 AM
to Tom Stark, Fluent-Bit
I added a PR https://github.com/fluent/fluent-bit/pull/1034 for the debug image, but am not sure how this gets built or into dockerhub... it's not automatic.

This repo https://github.com/fluent/fluent-bit-docker-image exists, but I'm not sure why.


Eduardo Silva

Jan 16, 2019, 11:56:36 AM
to Don Bowman, Tom Stark, Fluent-Bit
PR 1034 merged. 


> this repo https://github.com/fluent/fluent-bit-docker-image exists, but I'm not sure why.

That repo has existed from the beginning to isolate Docker-related work from the source code. Note that Docker Hub does not allow switching repos once it has been created.




--
Eduardo Silva
Open Source, Treasure Data
http://www.treasuredata.com/opensource

http://twitter.com/edsiper
  http://www.linkedin.com/in/edsiper

Don Bowman

Jan 16, 2019, 11:58:36 AM
to Eduardo Silva, Tom Stark, Fluent-Bit
@Eduardo Silva how would we get it so that
docker build -t fluent/fluent-bit:version -f Dockerfile .
docker build -t fluent/fluent-bit:debug-version -f Dockerfile.debug .

are both pushed to dockerhub? E.g. I'm not sure what to change, what builds the docker image since it's not automatic in pipeline.

Eduardo Silva

Jan 16, 2019, 1:13:42 PM
to Don Bowman, Tom Stark, Fluent-Bit
Pushing fluent/fluent-bit:version-[debug|shell|sh] should work. Not sure about "debug", since that image can work in production without problems; there is no overhead, so it just saves a couple of MB in the filesystem. Maybe -shell or similar?

Don Bowman

Jan 16, 2019, 1:16:33 PM
to Eduardo Silva, Tom Stark, Fluent-Bit
debug is consistent w/ how the other distroless things work [see https://github.com/GoogleContainerTools/distroless]

It's meant for security, to prevent escapes. Fluent-bit is a *very* high risk thing to run in k8s since it runs as a daemonset, privileged, root, with node filesystem access.
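
A check for the risk factors named in the message above (privileged, root, node filesystem access) plus the shell-carrying debug tag, as an added example that is not part of the original thread. It assumes the DaemonSet is available as JSON, as from `kubectl get daemonset -o json`; the sample manifest, its names and paths, and the function name `audit_daemonset` are constructed for illustration.

```python
import json

# Constructed sample manifest; names, paths and mounts are made up for this example.
SAMPLE = json.loads("""
{"kind": "DaemonSet", "metadata": {"name": "fluent-bit"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsUser": 0},
   "volumes": [
     {"name": "varlog", "hostPath": {"path": "/var/log"}},
     {"name": "containers", "hostPath": {"path": "/var/lib/docker/containers"}},
     {"name": "config", "configMap": {"name": "fluent-bit-config"}}],
   "containers": [{
     "name": "fluent-bit",
     "image": "fluent/fluent-bit:debug",
     "securityContext": {"privileged": true},
     "volumeMounts": [
       {"name": "varlog", "mountPath": "/var/log"},
       {"name": "containers", "mountPath": "/var/lib/docker/containers", "readOnly": true},
       {"name": "config", "mountPath": "/fluent-bit/etc/"}]}]}}}}
""")


def audit_daemonset(manifest):
    """Return (container, finding) tuples for the risk factors discussed above."""
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in pod.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((c["name"], "privileged"))
        # Container-level settings override pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and not non_root):
            findings.append((c["name"], "may-run-as-root"))
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols and not m.get("readOnly"):
                findings.append((c["name"], "writable-hostPath:" + host_vols[m["name"]]))
        # Naming heuristic only: the thread's convention puts "debug" in the tag.
        if "debug" in c["image"].rpartition(":")[2]:
            findings.append((c["name"], "debug-image"))
    return findings


if __name__ == "__main__":
    print(*audit_daemonset(SAMPLE), sep="\n")
```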


Eduardo Silva

Jan 22, 2019, 11:45:13 AM
to Don Bowman, Tom Stark, Fluent-Bit
Don, 

I am preparing the -debug image. Is there any reason for the preference of Busybox over Bash for debugging purposes?
--

Eduardo Silva
Principal Engineer  | Arm
m. +506 70138007
Arm.com
Treasuredata.com


Don Bowman

Jan 22, 2019, 12:19:51 PM
to Eduardo Silva, Tom Stark, Fluent-Bit
a) it's how the other distroless ones work
b) busybox gets you ls/grep/..., where bash doesn't.
c) it would be in line w/ how e.g. alpine works



Eduardo Silva

Jan 22, 2019, 12:22:49 PM
to Don Bowman, Tom Stark, Fluent-Bit
thanks. -debug images are being built now...