You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Today, the only option firecracker-containerd offers to expose logs from services running in-VMs is to enable forwarding of the VM journal to the serial console via command line option systemd.journald.forward_to_console=yes. The Firecracker team has seen issues with performance for enabling logging to the serial console and does not recommend its use in production:
Without proper handling, because the guest has access to the serial device, this can lead to unbound memory or storage usage on the host side. Firecracker does not offer users the option to limit serial data transfer, nor does it impose any restrictions on stdout handling.
Furthermore, we do not recommend that users enable the serial device in production.
As firecracker-containerd depends on Firecracker and users running in production, we can harden the security of the project by moving towards a solution that eliminates the need to write to the serial console for performance and security conscious use cases of firecracker-containerd. We can disable writing to the serial console and replace log forwarding to the console with a custom logging solution that ships logs over vsock.
Describe the solution you’d like
Firecracker supports vsock devices, which firecracker-containerd is already using to transfer data between guest and host. According to Firecracker, these devices are performant and safer compared to the serial console. The proposed solution will transfer logs over vsock devices from guest to host. This will require a few new components to be implemented in firecracker-containerd:
Guest Log Exporter
process running in a VM that listens, accepts, and writes logs over a vsock connection.
agnostic to logger (e.g. journald v.s. syslog)
reference implementation will be provided by the firecracker-containerd project
Host Exporter Processes
scraping processes, each of which initiates connection with a single VM for reading logs over vsock and writing to the host destination
Managing Process (firecracker-control)
launches and reaps Host Log Reader processes as VMs are spun up and shut down
Describe alternatives you’ve considered
The main alternative considered so far is aggregating logs via the managing process, firecracker-control, and using batch writes to the configured logging destination rather than the proposed solution of each individual Host Log Exporter process writing to the host log destination.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
What problem are you trying to solve
Today, the only option firecracker-containerd offers to expose logs from services running in-VMs is to enable forwarding of the VM journal to the serial console via command line option
systemd.journald.forward_to_console=yes. The Firecracker team has seen issues with performance for enabling logging to the serial console and does not recommend its use in production:As firecracker-containerd depends on Firecracker and users running in production, we can harden the security of the project by moving towards a solution that eliminates the need to write to the serial console for performance and security conscious use cases of firecracker-containerd. We can disable writing to the serial console and replace log forwarding to the console with a custom logging solution that ships logs over vsock.
Describe the solution you’d like
Firecracker supports vsock devices, which firecracker-containerd is already using to transfer data between guest and host. According to Firecracker, these devices are performant and safer compared to the serial console. The proposed solution will transfer logs over vsock devices from guest to host. This will require a few new components to be implemented in firecracker-containerd:
Describe alternatives you’ve considered
The main alternative considered so far is aggregating logs via the managing process, firecracker-control, and using batch writes to the configured logging destination rather than the proposed solution of each individual Host Log Exporter process writing to the host log destination.
Additional context
Beta Was this translation helpful? Give feedback.
All reactions