![](/img/trans.png)
[英]Install gcsfuse in Google Cloud Container Optimized OS (COS)
[英]Google Cloud Container Optimized OS host logs to stackdriver
TL; 博士
將容器優化的操作系統主機日志(ssh 和執行的 shell 命令)發送到 Stackdriver 的最佳實踐是什么?
背景:
我正在使用 Googles Container Optimized OS,它運行良好。 將容器日志發送到 Stackdriver 非常容易,但如何將主機日志發送到 Stackdriver?
出於審計目的,我需要記錄所有 SSH 連接(接受或拒絕)以及通過 shell 執行的所有命令。 以前我只是通過 stackdriver 主機記錄器包將 rsyslogd (auth,authpriv) 發送到 stackdriver。
這適用於在托管實例組 (mig) 中運行的 Container Optimized OS VM:s,而不是在 Google Kubernetes Engine 中。
這可能非常明顯,但我似乎找不到任何關於它的文檔。
如何將主機日志發送到 Stackdriver?
以下是 COS 封裝 Stackdriver Logging 代理的一些代碼。 您可以通過sudo systemctl start stackdriver-logging
啟動它。
在高層次上,這就是您需要為任何 GCP COS 實例將操作系統審計日志發送到 Google stackdriver 所做的:
首先,您需要使用以下命令在 COS 上啟用審計日志: systemctl start cloud-audit-setup 這將允許在計算實例日志中生成和捕獲審計日志,您可以使用journalctl命令查看結果
其次,您需要在實例上安裝 Google Stackdriver 代理並配置為將審核日志從實例日志傳送到堆棧驅動程序。 這可以通過讓 docker 容器運行 fluentd-gcp google 容器映像來實現。
我正在分享下面的 cloud-init 來為你完成整個工作。 您需要做的就是擁有一個帶有鍵“user-data”的實例元數據,值是以下腳本:
#cloud-config
users:
- name: logger
uid: 2001
groups: docker
write_files:
- path: /etc/google-fluentd/fluentd.conf
permissions: 0644
owner: root
content: |
# This config comes from a heavily trimmed version of the
# container-engine-customize-fluentd project. The upstream config is here:
# https://github.com/GoogleCloudPlatform/container-engine-customize-fluentd/blob/6a46d72b29f3d8e8e495713bc3382ce28caf744e/kubernetes/fluentd-
configmap.yaml
<source>
type systemd
path /var/log/journal
pos_file /var/log/gcp-journald.pos
filters [{ "SYSLOG_IDENTIFIER": "audit" }]
tag node-journal
read_from_head true
</source>
<match **>
@type copy
<store>
@type google_cloud
# Set the buffer type to file to improve the reliability
# and reduce the memory consumption
buffer_type file
buffer_path /var/log/google-fluentd/cos-system.buffer
# Set queue_full action to block because we want to pause gracefully
# in case of the off-the-limits load instead of throwing an exception
buffer_queue_full_action block
# Set the chunk limit conservatively to avoid exceeding the GCL limit
# of 10MiB per write request.
buffer_chunk_limit 2M
# Cap the combined memory usage of this buffer and the one below to
# 2MiB/chunk * (6 + 2) chunks = 16 MiB
buffer_queue_limit 6
# Never wait more than 5 seconds before flushing logs in the non-error
# case.
flush_interval 5s
# Never wait longer than 30 seconds between retries.
max_retry_wait 30
# Disable the limit on the number of retries (retry forever).
disable_retry_limit
# Use multiple threads for processing.
num_threads 2
</store>
</match>
- path: /etc/systemd/system/logger.service
permissions: 0644
owner: root
content: |
[Unit]
Description=logging docker container
Requires=network-online.target
After=network-online.target
[Service]
Environment="HOME=/home/logger"
ExecStartPre=/usr/share/google/dockercfg_update.sh
ExecStartPre=/bin/mkdir -p /var/log/google-fluentd/
ExecStartPre=-/usr/bin/docker rm -fv logger
ExecStart=/usr/bin/docker run --rm -u 0 \
--name=logger \
-v /var/log/:/var/log/ \
-v /var/lib/docker/containers:/var/lib/docker/containers \
-v /etc/google-fluentd/:/etc/fluent/config.d/ \
--env='FLUENTD_ARGS=-q' \
gcr.io/google-containers/fluentd-gcp:2.0.17
Restart=always
RestartSec=1
runcmd:
- systemctl daemon-reload
- systemctl start logger.service
- systemctl start cloud-audit-setup
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.