
Feature Request: Support AWS Firelens with App Mesh #124

Open
kiranmeduri opened this issue Oct 18, 2019 · 16 comments
Labels
Roadmap: Accepted We are planning on doing this work.

Comments

@kiranmeduri

Tell us about your request
What do you want us to build?
As a user, I want to enable access-logs in Envoy via App Mesh and have those logs be published to sinks supported by Fluentd and Fluent Bit.

AWS recently announced firelens that can be used to achieve this, but there is no documentation or recipes on how to set this up.

Which integration(s) is this request for?
Any

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Stream Envoy access-logs to fluentd supported destinations.

@kiranmeduri kiranmeduri changed the title Feature Request: describe request here Feature Request: Support AWS Firelens with App Mesh Oct 18, 2019
@dastbe
Contributor

dastbe commented Oct 23, 2019

Discussing this in our weekly triage, we've come up with an initial set of action items here

Support Firelens

  • Root cause and remediate bugs when launching an ECS task with Firelens and App Mesh
  • Make traffic from Firelens not transit through the Envoy proxy
  • Provide a reference example showing how to configure FireLens with App Mesh

Feature Improvements to make FireLens w/ App Mesh better

  • Allow customers to more dynamically configure access logs on a Virtual Node (ex. JSON or templates)
  • XDS interaction logs

@dastbe dastbe added Roadmap: Awaiting Customer Feedback We need to get more information in order to understand how we will implement this feature. Phase: Researching Roadmap: Accepted We are planning on doing this work. and removed Roadmap: Awaiting Customer Feedback We need to get more information in order to understand how we will implement this feature. labels Oct 23, 2019
@kiranmeduri kiranmeduri removed their assignment Jan 29, 2020
@kiranmeduri
Author

@PettitWesley can you provide an update on this issue? Thanks.

@PettitWesley

@kiranmeduri Current testing shows that the CloudWatch Fluent Bit plugin now works with App Mesh.

> Root cause and remediate bugs when launching an ECS task with Firelens and App Mesh

The bugs seem to all be remediated.

> Provide a reference example showing how to configure FireLens with App Mesh

@CarmenAPuccio has this piece.

@CarmenAPuccio

@kiranmeduri - The blog went live yesterday and we have the walkthroughs for EKS and ECS on Fargate/FireLens.

I can add links to those repos and the blog in aws/aws-app-mesh-examples. Would you just want a folder under /examples called fluent-bit?

@kiranmeduri
Author

kiranmeduri commented Mar 26, 2020

There is one open question here. Is firelens traffic flowing through Envoy? If so, it should not, because it is actually monitoring Envoy. I would like to see if fluentbit traffic can bypass Envoy. Today it is done by setting User:1337 on the container. But AFAIK, that is not allowed with the Firelens container. Please confirm @PettitWesley.

@PettitWesley

@kiranmeduri Yeah, with how things work right now, the UID for the FireLens container has to be 0.

@CarmenAPuccio

Yep just confirmed. If you try and set the user field on the FireLens log router you get this:

An error occurred (ClientException) when calling the RegisterTaskDefinition operation: If 'user' field is specified on firelens container, then 'UID' has to be '0'.

@PettitWesley

I think the GID can be anything though - is there a way you can set that to bypass envoy?

@bcelenza bcelenza added this to Accepted in aws-app-mesh-roadmap via automation Jun 3, 2020
@lifeofguenter

lifeofguenter commented Dec 10, 2020

We had issues with FireLens + AppMesh + using an output other than CloudwatchLogs (in our case ElasticSearch).

We tried a couple of things but the only thing that worked (thanks @PettitWesley):

  • set IgnoredGID to 1337 in the proxyConfiguration of the task-definition
  • run envoy container with user 1337:1337
  • run logrouter/fluentbit container with user 0:1337

It would be great though to know why this was necessary. It almost seems like AppMesh was interfering with the traffic between the Fargate Host and the logrouter?

@thisismana

@lifeofguenter We also hit this issue. The mentioned solution works only when using the Fargate platform version 1.3.0 — once we switch to 1.4.0 logging breaks without obvious reason. log_router/fluent bit does not log anything after the bootup process.

@lifeofguenter

@thisismana our solution works for us with 1.4.0

@kamilhristov

I confirm that the solution works. @thisismana make sure that you have only IgnoredGID in the proxy configuration.
It was not working for me at first because I had both IgnoredUID and IgnoredGID.
Thank you @lifeofguenter for this solution.

@thisismana

@kamilhristov nicely spotted. We set both IgnoredGID and IgnoredUID and it did not work (failing silently). But setting only IgnoredGID: 1337 with uid:gid for envoy as 1337:1337 and fluentbit as 0:1337 did the trick.
I'm so grateful ❤️
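
The working layout confirmed in the two comments above (IgnoredGID only in proxyConfiguration, Envoy as 1337:1337, the FireLens log router as 0:1337, FireLens UID fixed at 0 by RegisterTaskDefinition) can be checked before a task definition is registered. The checker below is an added example written for this thread, not an AWS or App Mesh tool; the sample task definition is constructed, and the container names `envoy` and `log_router` are assumptions.

```python
import json

# Values from the workaround in this thread (added example, not an AWS tool).
ENVOY_GID = "1337"   # GID excluded from proxy interception via IgnoredGID
FIRELENS_UID = "0"   # RegisterTaskDefinition requires UID 0 on the FireLens container


def check_task_definition(task_def: dict) -> list:
    """Return findings for an ECS task definition (dict); an empty list means the
    FireLens-bypasses-Envoy setup from this issue is fully in place."""
    findings = []
    proxy_cfg = task_def.get("proxyConfiguration", {})
    props = {p["name"]: str(p["value"]) for p in proxy_cfg.get("properties", [])}
    envoy_name = proxy_cfg.get("containerName")   # the container App Mesh treats as the proxy
    if props.get("IgnoredGID") != ENVOY_GID:
        findings.append(f"proxyConfiguration must set IgnoredGID={ENVOY_GID}")
    if "IgnoredUID" in props:
        findings.append("proxyConfiguration also sets IgnoredUID; reported to fail silently")
    for c in task_def.get("containerDefinitions", []):
        uid, _, gid = str(c.get("user", "")).partition(":")   # ECS "user" is "uid:gid"
        if c.get("name") == envoy_name and (uid, gid) != (ENVOY_GID, ENVOY_GID):
            findings.append(f"{envoy_name} must run as {ENVOY_GID}:{ENVOY_GID}")
        if "firelensConfiguration" in c:
            if uid != FIRELENS_UID:
                findings.append(f"{c['name']}: FireLens container UID must be {FIRELENS_UID}")
            if gid != ENVOY_GID:
                findings.append(f"{c['name']}: FireLens GID must be {ENVOY_GID} to bypass Envoy")
    return findings


# Constructed sample: the working layout (IgnoredGID only, envoy 1337:1337, log router 0:1337).
GOOD_TASK_DEF = {
    "family": "example-app",
    "proxyConfiguration": {
        "type": "APPMESH",
        "containerName": "envoy",
        "properties": [
            {"name": "AppPorts", "value": "8080"},
            {"name": "IgnoredGID", "value": "1337"},
        ],
    },
    "containerDefinitions": [
        {"name": "envoy", "user": "1337:1337"},
        {"name": "log_router", "user": "0:1337",
         "firelensConfiguration": {"type": "fluentbit"}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(check_task_definition(GOOD_TASK_DEF)))  # [] for the sample above
```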

thisismana added a commit to thisismana/terraform-aws-ecs-fargate that referenced this issue Jan 27, 2021
See discussion here: aws/aws-app-mesh-roadmap#124 (comment)

This is a breaking change, since every service using this module must update the `uid:gid` accordingly:

* `envoy`: `"user": "1337:1337"`
* `fluentbit`: `"user": "0:1337"`
moritzzimmer pushed a commit to stroeer/terraform-aws-ecs-fargate that referenced this issue Jan 28, 2021
See discussion here: aws/aws-app-mesh-roadmap#124 (comment)

This is a breaking change, since every service using this module must update the `uid:gid` accordingly:

* `envoy`: `"user": "1337:1337"`
* `fluentbit`: `"user": "0:1337"`
@herrhound herrhound assigned herrhound and unassigned shubharao Apr 30, 2021
@PettitWesley

@thisismana @kamilhristov @lifeofguenter @thisismana What endpoints is FireLens sending data to? AWS endpoints? VPC endpoints? Public endpoints (ex datadog)?

I'm trying to figure out if setting IgnoredUID is always required with FireLens or if it depends on what endpoint FireLens needs to talk to.

@lifeofguenter

@PettitWesley in our case we were forwarding logs to an internal alb.

@kamilhristov

We are forwarding to AWS endpoint - Kinesis Firehose.
