add fluentd logging driver config check

[juanvallejo]

Related trello card: https://trello.com/c/t6H0D8Ox

Checks to see if the fluentd pod is configured to aggregate logs from journald or json-file and verifies that the host's Docker config matches the expected logging driver.

TODO

• add tests

cc @sosiouxme @rhcarvalho @brenton

[juanvallejo]

@sosiouxme I decided to read the value of the env var rather than the ansible variable (openshift_logging_fluentd_use_journal) since I believe the ansible variable is not set by default (https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.origin.example).

[sosiouxme]

We have one extra problem here that just occurred to me. This check only runs against one master. It will correctly check whether the docker there has a matching journal driver, but it won't check any of the other hosts. This may be tricky to accomplish.

[juanvallejo]

Hm, we may have to have a separate fluentd check that does not inherit from LoggingCheck

[juanvallejo]

aos-ci-test

[juanvallejo]

@sosiouxme went ahead and moved the fluentd config check to its own file. PTAL

[sosiouxme]

This and other oc calls will only work on master, though. That's what makes this tricky. We could say to just look at the logging var to see what fluentd is supposed to have and not check what it actually has. Otherwise we're gonna have to do some really weird delegation to run oc against master while we're looking at everything else.

[juanvallejo]

I was hesitant to rely on the logging var since its value is not set by default, but I guess for now it might be the easiest starting point for this. Will update

[juanvallejo]

@sosiouxme removed use of ocutil in favor of using the value of the ansible variable. Defaulted value to True, making the check assume journalctl as the default logging driver, unless explicitly set by a user to False. Not entirely sure about this, however.

[sosiouxme]

This is correct

[rhcarvalho]

May or may not have any consequence to this PR, but in any case, FWIW I see this variable was deprecated 14 days ago:

• roles/openshift_logging/README.md#L55
• roles/openshift_logging_fluentd/tasks/main.yaml#L18-L20

[sosiouxme]

It's not just deprecated, it's obviated... with 3.6 fluentd looks at docker config to use the same driver. That makes this whole check kind of pointless for 3.6. And I'm not sure what we plan to tell customers about running checks against earlier versions?

[juanvallejo]

aos-ci-test

[openshift-bot]

error: aos-ci-jenkins/OS_3.5_NOT_containerized for 0d803ad (logs)

[openshift-bot]

success: "aos-ci-jenkins/OS_3.6_NOT_containerized, aos-ci-jenkins/OS_3.6_NOT_containerized_e2e_tests" for 0d803ad (logs)

[openshift-bot]

success: "aos-ci-jenkins/OS_3.5_containerized, aos-ci-jenkins/OS_3.5_containerized_e2e_tests" for 0d803ad (logs)

[openshift-bot]

success: "aos-ci-jenkins/OS_3.6_containerized, aos-ci-jenkins/OS_3.6_containerized_e2e_tests" for 0d803ad (logs)

[juanvallejo]

@sosiouxme switched back to using ocutil if check is running on a master. PTAL

[sosiouxme]

Ran into this while testing:

     Task:     openshift_health_check
     Message:  One or more checks failed
     Details:  check "fluentd_config":
               Invalid value received from command exec logging-fluentd-nfwxp /bin/printenv USE_JOURNAL: Unexpected error using `oc` to validate the logging stack components.
               Error executing `oc exec logging-fluentd-nfwxp /bin/printenv USE_JOURNAL`:
               [rc 1] /usr/local/bin/oc --config /etc/origin/master/admin.kubeconfig -n logging exec logging-fluentd-nfwxp /bin/printenv USE_JOURNAL

Unfortunately there doesn't seem to be any more helpful debug output.

[sosiouxme]

But speaking of the above, why try to exec into the pod? You should have the pod definition right there to look at what the env vars are.

[juanvallejo]

@sosiouxme

But speaking of the above, why try to exec into the pod? You should have the pod definition right there to look at what the env vars are.

Thanks, updated check / tests to do this instead

[sosiouxme]

Tiny nits; but this is going to take me a bit longer to review properly

[sosiouxme]

s/an/a/

[sosiouxme]

needs a space after the period

[sosiouxme]

This is correct

[rhcarvalho]

Hmm, I just found some old comments I forgot to submit, maybe something is still applicable?

[rhcarvalho]

I'm noticing this is perhaps unnecessarily different than the approach in https://github.com/openshift/openshift-ansible/pull/4682/files#diff-a2a36e6105b8e46e1282819c771393beR22

Better choose a single way of doing it.

[juanvallejo]

Thanks, will stick to a default class field

[rhcarvalho]

Why a separator? We don't seem to include it in any other error message.

[juanvallejo]

Right now, we seem to use it for similarly-worded error messages in the logging stack checks.

[sosiouxme]

I think that's a legacy from when the logging check was monolithic and you could get a bunch of different msgs for the different components under one check. Dividers probably don't make sense with them all split out in separate checks.

[juanvallejo]

I think that's a legacy from when the logging check was monolithic and you could get a bunch of different msgs for the different components under one check. Dividers probably don't make sense with them all split out in separate checks.

ack, will go ahead and remove them from existing checks as well

[rhcarvalho]

How is the "msg" used when "failed": False?

[sosiouxme]

It's not, except for showing up in -v output.

[rhcarvalho]

I suspect on '-v' output it will appear in the middle of a big json object?
I'd rather have less noise. failed: False conveys the same info.

I have also mixed feelings about the "changed" key. I don't feel confident we use it consistently and correctly, and we don't really use it in any meaningful way. I remember I wanted to "be prepared" for supporting check-mode but thus far I feel we're only carrying extra code.

[sosiouxme]

You're right, I don't see a need for a msg here. No one will look at it. There was some place where it just made the logic cleaner to set one but there's no need most of the time.

"changed" response doesn't really have anything to do with check-mode. It's just a record that something was changed during this task, which gets summed up in the output at the end. Idempotency seems to be a big deal for Ansible users so reporting whether you actually changed something (e.g. installed a dependency) or not may matter to some. It does not seem critical to me but I'm not an admin. If we want a better way to track this we could set an instance variable and have the action plugin look at them to determine whether anything changed (even if an exception was thrown) and just keep all the "changed" response logic out of the actual checks.

[juanvallejo]

Will remove "changed" and "msg" keys

[rhcarvalho]

Suggestion: add a new line \n at the beginning of this string here, and remove it from the end of both error messages above.
From a maintenance point of view, this makes it less likely that we introduce a new error string and have it concatenated with no space or new line in between.

[rhcarvalho]

You have a flake8 error here. Not a problem in this case, but sometimes mutable containers in arguments cause hairy problems...
Seems that we never call the function without an argument, so why don't simply make it required? (s/=[]//)

[rhcarvalho]

extraneous empty line

[juanvallejo]

@rhcarvalho thanks for the review, comments addressed

[rhcarvalho]

Similar to another review today, maybe this is just Kibana() and no need for a fixture.

[rhcarvalho]

If you want to return a tuple, no need to create a list first...

components = tuple(int(x) for x in components[:2])
return components

[rhcarvalho]

Can't openshift_image_tag carry a non-numeric version component, like rcN or beta or alpha, etc?

[juanvallejo]

not sure
cc @sosiouxme

EDIT: we currently use the value of openshift_image_tag in the package_version check

[sosiouxme]

Yeah it can pretty much be anything. It's an opaque string.

[juanvallejo]

How should we handle non numeric version values; try, except? or maybe fail the check altogether

[sosiouxme]

I spoke too soon. Actually openshift_version asserts that it look like a version string. The requirements for origin vs enterprise are a little different but we should be confident that it has an optional v and two numeric components at the beginning. There can be any kind of garbage after the base version in origin though.

(Sorry; I spent too long looking at this at some point in the past, figured it all out, then forgot it. That said, should possibly revisit to see if there's something better to base it on.)

[juanvallejo]

Sounds good, I am only focusing on the first two numeric components of the string as it is. Not sure if there is a better var to base this on, but will take a look at sample inventory files

[rhcarvalho]

For origin the expression includes arbitrary letters, but the first two components should be numeric.

openshift_image_tag|match('(^v?\\d+\\.\\d+\\.\\d+(-[\\w\\-\\.]*)?$)')

We should be all set, thanks.

[rhcarvalho]

Maybe this should have a more specific name, since it strips out version information? It is returning MAJOR.MINOR and throwing away the rest.

[sosiouxme]

Some refactoring on the way that parallels some of this: #4913

[juanvallejo]

aos-ci-test

[openshift-bot]

success: "aos-ci-jenkins/OS_3.6_NOT_containerized, aos-ci-jenkins/OS_3.6_NOT_containerized_e2e_tests" for 153fbaa (logs)

[openshift-bot]

success: "aos-ci-jenkins/OS_3.6_containerized, aos-ci-jenkins/OS_3.6_containerized_e2e_tests" for 153fbaa (logs)

[rhcarvalho]

Note that this can raise OpenShiftCheckException. We should protect the action plugin call to is_active with a try... except block for cases like this, to prevent the action plugin run from blowing up. I can include that in my current work branch.

[sosiouxme]

Yeah, good idea. While you're at it, probably best to add an except Exception to catch any dumb bug we leave on one check so the others still run.

[juanvallejo]

@rhcarvalho tagging this for [merge] per scrum discussion

[openshift-bot]

[test]ing while waiting on the merge queue

[juanvallejo]

re[test]

[openshift-bot]

Evaluated for openshift ansible merge up to 04154a2

[openshift-bot]

Evaluated for openshift ansible test up to 04154a2

[sosiouxme]

[ERROR] Status 'fedora/25/atomic' is in the 'failure' state. This status must succeed for a merge.

Wait - what? That's new.

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible/391/) (Base Commit: 01e4893) (PR Branch Commit: 04154a2)

[sdodson]

aos-ci-test

[sdodson]

bot, retest this

[openshift-bot]

success: "aos-ci-jenkins/OS_3.6_NOT_containerized, aos-ci-jenkins/OS_3.6_NOT_containerized_e2e_tests" for 04154a2 (logs)

[openshift-bot]

success: "aos-ci-jenkins/OS_3.6_containerized, aos-ci-jenkins/OS_3.6_containerized_e2e_tests" for 04154a2 (logs)

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_openshift_ansible/780/) (Base Commit: beb5dea) (PR Branch Commit: 04154a2)