Excessive logging from shim into containerd logs (with containerd 1.6.8+) including all ENV vars #1532
Comments
/cc @dcantah Hey Danny, I had discussed with Mark about the issue last week. Can you please take a look and advise about it?
@ibabou The log level is configurable for our shim luckily, we accept a string value denoting the logrus log level much like containerd does. This would be under our shim's configuration in containerd's TOML config file. Now if there's much benefit from some of the info level logs, but there's simply just too many of them that don't provide value, we should try and take a look at how to cut down on some of these or move them to debug level etc., which will be a fairly manual process. Couple things on the logs posted however, all of the below are logs from the CNI plugin being invoked, not from the shim:
For the secrets being logged I'll semi-proxy to @helsaawy as he set this up, but we expose an option now on the shim to scrub sensitive info from our logs, this just wasn't in the 0.9.x line of tags here but is present in main here at the moment: https://github.com/microsoft/hcsshim/blob/main/cmd/containerd-shim-runhcs-v1/options/runhcs.proto#L110. A sample containerd.toml setting a log level for our shim is below:
[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runhcs-wcow-process"
disable_snapshot_annotations = false
discard_unpacked_layers = false
ignore_rdt_not_enabled_errors = false
no_pivot = false
snapshotter = "windows"
[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
base_runtime_spec = ""
cni_conf_dir = ""
cni_max_conf_num = 0
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_path = ""
runtime_root = ""
runtime_type = ""
[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
LogLevel = "warn"
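An added example, not part of the thread and not hcsshim's own code: one way to strip environment values from a JSON process payload before it reaches a log, keeping the variable names for debugging. The payload layout (an "Environment" object nested in the entry), the sample entry, the "[scrubbed]" marker and the names scrubEnv and ScrubPayload are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const scrubbed = "[scrubbed]" // replacement marker chosen for this example
// Constructed sample payload, not output captured from a real shim.
const sample = `{"op":"HcsCreateProcess","params":{"CommandLine":"app.exe","Environment":{"DB_PASSWORD":"example-secret","PATH":"C:\\Windows"}}}`

// scrubEnv walks decoded JSON and overwrites every value of any object stored
// under the key "Environment" (assumed layout); it returns the count replaced.
func scrubEnv(v interface{}) int {
	n := 0
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			if env, ok := child.(map[string]interface{}); ok && k == "Environment" {
				for name := range env {
					env[name] = scrubbed // keep the name, drop the value
					n++
				}
				continue
			}
			n += scrubEnv(child)
		}
	case []interface{}:
		for _, child := range t {
			n += scrubEnv(child)
		}
	}
	return n
}

// ScrubPayload parses one JSON payload and returns it with env values removed.
func ScrubPayload(payload string) (string, int, error) {
	var doc interface{}
	if err := json.Unmarshal([]byte(payload), &doc); err != nil {
		return "", 0, err // not JSON: the caller decides whether to log it
	}
	n := scrubEnv(doc)
	out, err := json.Marshal(doc)
	return string(out), n, err
}

func main() {
	fmt.Println(ScrubPayload(sample))
}
```

Scrubbing at the point where the entry is built, rather than filtering containerd.log afterwards, keeps the values out of every sink the log is forwarded to.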
Thanks a lot @dcantah for the information! Just to make sure I understand correctly: is the default higher than "info" (I mean, does it log more than info level)? Or are you suggesting we set it to "warn" to avoid having all "info" logs logged at all, including the ones shown above? It's great that there is a change in 0.10.0 to scrub the logs though! Re CNI, is everything logged by default?
@ibabou Right, it'll only log Warning level or above in the example given. We just call logrus.SetLevel with whatever was passed (https://pkg.go.dev/github.com/sirupsen/logrus#SetLevel). For the CNI bit, I'm not sure so I'd have to look into this more. I assume from how they're invoked that containerd just takes any stderr/out output from the plugin and prints it.
To summarize:
Thanks again Danny for all the inputs!
I just tried out the "warn" level configuration, but this doesn't seem to take effect with regard to the above case (to filter the info level logs from the shim). Updating the configuration for example to:
Then, restarting (stop & then start containerd service):
time="2022-10-01T00:30:03.995917000Z" level=info msg="Start cri plugin with config
I can still see a similar log with a newly created pod:
@dcantah any thoughts?
@dcantah Given containerd 1.6 is now LTS, I think it'd definitely be a good idea to backport once you've got the 0.10.0 tag.
Issue:
With the fix in containerd (containerd/containerd#6990) for shim logs being incorrectly redirected to panic.log, all shim logs on 1.6.8+ now go correctly into containerd.log. But with just info level, all shim calls are being logged with the operation and a detailed trace of parameters. This has now caused containerd.log to grow, and with some operations like HcsCreateProcess, it prints all ENV vars, which might include secrets.
Test (containerd 1.6.8 + shim v0.9.4):
Use normal log level for containerd, and test with a sample spec like the following:
Also, many repeatable debug logs are coming from the shim, like the following: