file-log plugin fails to log to /dev/stdout with Permission Denied error

[gsadhani]

Is there an existing issue for this?

• I have searched the existing issues

Kong version ($ kong version)

3.4

Current Behavior

file-log plugin fails to log to /dev/stdout with Permission Denied error when running in a container.

kong-gateway-6d98fccc96-pzzvv proxy 2023/11/29 12:17:09 [error] 1263#0: *1315 [kong] handler.lua:56 [file-log] 
failed to open the file: Permission denied while logging request, client: xxx.18.82.100, server: kong,
request: "GET /v1/xxxxx/xxx HTTP/2.0", upstream: "http://100.64.92.168:9002/v1/xxxxx/xxx", host: "dev14.xxxxxxx.io"

I have tried the following:

1. Changing permissions of /dev/stdout to 777
2. Creating a link from /var/log/kong/kong.log to /dev/stdout and log to /var/log/kong/kong.log

ln -sf /dev/stdout /var/log/kong/kong.log

But the issue persists.

Expected Behavior

The file-log plugin should be able to log to /dev/stdout as indicated in the documentation.

Steps To Reproduce

1. Configure file-log plugin as below:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: file-log
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: "true"
config:
  path: "/dev/stdout"
plugin: file-log

2. Make API calls routed through the gateway

Anything else?

No response

[chobits]

Could you use some other methods, not using kong. to open this file to check if this file could be opened normally?

For example, echo "some messages blah blah..." > /dev/stdout, and make sure that the new command has the same user/group of your kong server.

[gsadhani]

Sure @chobits.

See output below:

kubectl exec kong-gateway-7b5c4f9c5-jkznp -n kong -it -- sh
# echo "hello" > /dev/stdout
hello
# su - kong
su: warning: cannot change directory to /home/kong: No such file or directory
$
$ echo "hello as kong" > /dev/stdout
-sh: 1: cannot create /dev/stdout: Permission denied
$ whoami
kong
$ ls -lt /dev/stdout
lrwxrwxrwx 1 root root 15 Dec  6 05:51 /dev/stdout -> /proc/self/fd/1
$ ls -lt /proc/self/fd/1
lrwx------ 1 kong kong 64 Dec  6 11:56 /proc/self/fd/1 -> /dev/pts/0
$ su -
# 
# ls -lt /dev/stdout
lrwxrwxrwx 1 root root 15 Dec  6 05:51 /dev/stdout -> /proc/self/fd/1
# ls -lt /proc/self/fd/1
lrwx------ 1 root root 64 Dec  6 12:00 /proc/self/fd/1 -> /dev/pts/0

[chobits]

$ echo "hello as kong" > /dev/stdout
-sh: 1: cannot create /dev/stdout: Permission denied
$ whoami
kong

I'm not very familiar with the permission control under linux system, but it seems that your kong user/group could not modify the stdout file with irght permission

[chobits]

It seems a known issue, i search it and find some questions associated to it, but not find a good solution for k8s container.

https://discuss.konghq.com/t/file-log-plugin-not-able-to-log-to-dev-stdout/9347

#8067

[gsadhani]

@chobits thanks for taking a look. Yes, this is the same issue as #8067. I created this issue as that issue was closed without resolution.

Do you recommend opening another issue in https://github.com/Kong/docker-kong.

[chobits]

hi @gsadhani

keep your question here, discussion is more lively. And most kong developers and fans will see it.

[ADD-SP]

I created an internal ticket (KAG-3501) to track this issue.

[chronolaw]

@ADD-SP , could you add the ticket number here?