Bug 1862643: UPSTREAM: 96120: kubelet: Expose a simple Get-WinEvent shim on the kubelet logs endpoint #383

LorbusChris · 2020-10-01T20:01:42Z

Provide an administrator a streaming view of event logs on Windows
machines without them having to implement a client side reader.

The kubelet API for querying the Linux journal is re-used for invoking
the Get-WinEvent cmdlet in a PowerShell.
Parameters that have no functional equivalence in Get-WinEvent are
ignored when assembling the command.

Only available to cluster admins.

What type of PR is this?

/kind feature

What this PR does / why we need it:
Enable event log collection on Windows worker nodes

kubelet: Expose a simple Get-WinEvent shim on the kubelet logs endpoint

Upstream patch reference: kubernetes#96120

openshift-ci-robot · 2020-10-01T20:01:46Z

@LorbusChris: This pull request references Bugzilla bug 1862643, which is invalid:

expected the bug to target the "4.6.0" release, but it targets "4.7.0" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

WIP: Bug 1862643: UPSTREAM: : kubelet: Expose a simple Get-WinEvent shim on the kubelet logs endpoint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

pkg/kubelet/kubelet_server_journal.go

LorbusChris · 2020-10-06T15:24:49Z

Putting // +build !windows in pkg/kubelet/kubelet_server_journal_linux.go doesn't seem to work properly (https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_kubernetes/383/pull-ci-openshift-kubernetes-master-verify/1313465989928587264). I've create a stub file and function for darwin now.

openshift-ci-robot · 2020-10-08T15:33:16Z

@LorbusChris: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

UPSTREAM: : kubelet: Expose a simple Get-WinEvent shim on the kubelet logs endpoint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

LorbusChris · 2020-10-08T15:33:27Z

/retest

LorbusChris · 2020-10-08T15:52:25Z

I've verified this works:

$ oc adm node-logs -l kubernetes.io/os=windows --path=journal -u docker -u Microsoft-Windows-LoadPerf --since "2020-10-08 15:00:07" --until "2020-10-08 15:06:00" --tail 6


   ProviderName: docker

TimeCreated          Id LevelDisplayName Message                             
-----------          -- ---------------- -------                             
10/8/2020 3:00:13 PM  1 Information      Daemon has completed initialization 
10/8/2020 3:00:13 PM  1 Information      API listen on //./pipe/docker_engine


   ProviderName: Microsoft-Windows-LoadPerf

TimeCreated            Id LevelDisplayName Message                                                                     
-----------            -- ---------------- -------                                                                     
10/8/2020 3:04:24 PM 1001 Information      Performance counters for the WmiApRpl (WmiApRpl) service were removed       
                                           successfully. The Record Data contains the new values of the system Last    
                                           Counter and Last Help registry entries.                                     
10/8/2020 3:04:24 PM 1000 Information      Performance counters for the WmiApRpl (WmiApRpl) service were loaded        
                                           successfully. The Record Data in the data section contains the new index    
                                           values assigned to this service.                                            
10/8/2020 3:05:07 PM 1001 Information      Performance counters for the WmiApRpl (WmiApRpl) service were removed       
                                           successfully. The Record Data contains the new values of the system Last    
                                           Counter and Last Help registry entries.                                     
10/8/2020 3:05:07 PM 1000 Information      Performance counters for the WmiApRpl (WmiApRpl) service were loaded        
                                           successfully. The Record Data in the data section contains the new index    
                                           values assigned to this service.

There are a few gotchas:

--since and --until only support absolute times, not relative ones.
the filtering done with --grep happens after getting the specified max number of events from the log with --tail, i.e. one may end up with a shorter tail than expected in that case
--format is not supported
--case-sensitive is not supported
only --boot 0 is supported really, but if boot != 0, the command will return true and not return any logs. This is due to the fact that the command is invoked twice if the boot flag is unspecified, once for boot=0 and once for boot=-1. I wanted to make it succeed and not error in that case.

PTAL @aravindhp

pkg/kubelet/kubelet_server_journal_test.go

openshift-ci-robot · 2020-10-08T17:34:04Z

@LorbusChris: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/k8s-e2e-gcp	84d29dbcd1e2bd86546a6839d52a9590f0e069d6	link	`/test k8s-e2e-gcp`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

sjenning · 2020-10-21T02:43:48Z

We aren't going to carry something like this. This needs to go upstream. Unless there is some reason of which I am not aware.

sjenning · 2020-10-21T02:44:00Z

/hold

LorbusChris · 2020-10-21T03:01:53Z

@sjenning this PR only extends an already downstream-only feature/API to make it usable on Windows nodes. pkg/kubelet/kubelet_server_journal.go does not exist upstream at all.

I guess upstreaming it would be good, but then 1f71fb7 also has to be upstreamed.

…belet logs endpoint Provide an administrator a streaming view of event logs on Windows machines without them having to implement a client side reader. The kubelet API for querying the Linux journal is re-used for invoking the Get-WinEvent cmdlet in a PowerShell. Parameters that have no functional equivalence in Get-WinEvent are ignored when assembling the command. Only available to cluster admins.

openshift-ci-robot · 2020-11-10T16:13:21Z

@LorbusChris: This pull request references Bugzilla bug 1862643, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.7.0) matches configured target release for branch (4.7.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1862643: UPSTREAM: 96120: kubelet: Expose a simple Get-WinEvent shim on the kubelet logs endpoint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

derekwaynecarr · 2020-11-10T16:20:34Z

@aravindhp why is this required for windows? a change like this upstream really requires a kep.

sttts · 2020-11-10T16:32:40Z

The upstream PR won't make it into 1.21, and probably needs a KEP according to @derekwaynecarr.

Approving as a temporary carry.

/approve

sjenning · 2020-11-10T16:44:28Z

/lgtm

openshift-ci-robot · 2020-11-10T16:45:53Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: LorbusChris, sjenning, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~pkg/kubelet/OWNERS~~ [sjenning,sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

LorbusChris · 2020-11-10T16:46:18Z

@derekwaynecarr we need a way to get the Container Runtime logs (Docker at this time) without SSH'into the Windows machine. Docker on Windows always logs to the WinEvent log - it's not configurable.

Please note that the client side to make this feature usable should also be upstreamed to kubectl:
openshift/origin@d9dc689

LorbusChris · 2020-11-10T16:47:00Z

/cherry-pick release-4.6

openshift-cherrypick-robot · 2020-11-10T16:47:00Z

@LorbusChris: once the present PR merges, I will cherry-pick it on top of release-4.6 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

LorbusChris · 2020-11-10T17:57:46Z

/retest

openshift-bot · 2020-11-10T18:20:05Z

/retest