LOG-545: Cluster logging Elasticsearch rollover data design

[jcantrill]

Ref: https://jira.coreos.com/browse/LOG-545

cc @bparees @ewolinetz @richm @lukas-vlcek @igor-karpukhin @portante @pavolloffay @billmvt

[abhinavdahiya]

/uncc @abhinavdahiya

[portante]

Nice work!

[portante]

At least should we mention that Document Level Security will be required to do this?

[jcantrill]

/hold

[ewolinetz]

s/utilized/utilize/

[ewolinetz]

i think we should abstract this slightly... this is a lot of knobs. maybe we can tuck this under something similar to what you have for retentionPolicy in the ClusterLogging api

[jcantrill]

i think we should abstract this slightly... this is a lot of knobs. maybe we can tuck this under something similar to what you have for retentionPolicy in the ClusterLogging api

We should have a larger discussion here with respect to who is defining what? I understand the desire to hide this behind API but the general logic from the beginning has been: CLO provides abstract, EO allows more fine tuning. Given there is an opportunity to apply these performance improvents to any ES deployment we likely do not want to have CLO and Jaeger have to specify the same thing. We do however, at a minimum need a way for the parent operator to tell the child to which indices we apply these changes. This will allow a more flexible use of Elasticsearch by cluster logging and jaeger which is where we desire to go.

I'm open to suggestions but I don't think there is anyway for EO and CLO to share the same retention policy API

[jcantrill]

Simplified the api with the assumption the EO will infer the templates and indices to create

[ewolinetz]

EO will be responsible for this now?

[ewolinetz]

We probably can get away with a single curator cronjob, not sure we need one per entry

[jcantrill]

We probably can get away with a single curator cronjob, not sure we need one per entry

I believe we can greatly simplify our curation needs. Do we really need the actual curator python code to perform this function? We should be able to reduce it to something like a curl statement which has a singular responsibility of rolling a specific index which means one per. Doesn't seem the "load" is significant

[richm]

Do we really need the actual curator python code to perform this function?

no

We should be able to reduce it to something like a curl statement

or the golang elasticsearch api, or even a generic REST api

[ewolinetz]

is this because we currently co-locate our node and container infra logs? e.g. we just are trying to prevent losing logs with this (given we will be writing to a node. or container. for infra)

[jcantrill]

Correct so we do not lose existing logs. It's possible we could actually spin through the .operations index and split out the journal and container logs but I imagine it is easier to move the index whole sale instead of trying to split it. Opinions?

[portante]

Why have the distinction of container vs journal logs to start?

[jcantrill]

Only reason it exists because node logs come from journal. My original thought was to call it node.XXXX... would that be better?

[portante]

Perhaps so that it is not tied to a name referring to the implementation of how logs from the node are collected.

[jcantrill]

replaced 'journal' with 'node'

[ewolinetz]

maybe specifically call out it'll remove ones that it previously owned only.

[bparees]

is it a goal or non-goal to migrate existing customer log data to this new design?

[portante]

Seems like if this is implemented with the v7 rollout of Elasticsearch (okay, v6), then migrating from v5 to v6 could take care of moving old to new.

[bparees]

it was a bit of a leading question but yes i expect data migration to be a goal. but it should be stated clearly (or indicated that it is not)

[portante]

If we don't migrate from 5 to 7 now, then we'll have to have another release real soon that will migrate from 6 to 7 since 6 is going to be EOL "soon".

We have to solve the data migration no matter what, one way or another. It would be great if this plan laid out how that migration is going to be handled.

[jcantrill]

Added migration goal with additional details in the implementation section that follows

[bparees]

where do audit logs go?

[jcantrill]

Is it reasonable that audit logs should be separated from infra?

[bparees]

i think so.....we're treating them separately for forwarding, right?

[JAORMX]

It certainly is reasonable. They tend to have different usage and even data retention policy than infra logs.

[jcantrill]

added audit logs to data model

[portante]

How does the migration process handle the situation where the retention policy is changed along with the upgrade?

[jcantrill]

How does the migration process handle the situation where the retention policy is changed along with the upgrade?

The data will be subject to the new retention policy. It's possible we could infer their policy from the previous curator deployment but I don't know how that manifests itself into the CL instance since the operator is not supposed to modify the spec. @bparees ?

[bparees]

reducing their retention on upgrade(and thus immediately throwing away some set of logs) seems like a non-starter.

[portante]

So, if I have a lower retention policy in the new cluster, when the data is migrated, is it immediately deleted? If it is not, is that a problem?

[jcantrill]

We could additionally handle old data retention and curation by simply doing nothing, including not migrating data to the new schema. We would leave the existing cronjob and ES would be optimized over time as old data is curated away to the point where data in the old schema is no longer present. This would be an easier path for us to follow and addresses @portante concerns. This will work as long as curator does not match any indices from the new schema which I believe it does not.

[jcantrill]

@bparees @sichvoge any reason not to simply skip data migration and allow curation to curate them out. it would mean we we have to make adjustments to view the data but we would avoid the need to move data. most of our dedicated clusters restrict data to 7 days now because of scale issues

[bparees]

is curation on by default? or might some clusters not have any curation happening?

if we can tolerate both data schemas from a query/view perspective, indefinitely, then this seems like an ideal answer regardless...

[jcantrill]

Landed on leaving aliases alone and aliasing them to the new format, relying on DSL for security, and curation to roll off.

[ewolinetz]

Landed on leaving aliases alone and aliasing them to the new format, relying on DSL for security, and curation to roll off.

leaving pre-existing indicies alone and adding them to the new alias format.

[jcantrill]

cc @alanconway

[richm]

It isn't really about just rollover data design - it is about using rollover + single indices in conjunction with DLS for access control/multi-tenancy

[jcantrill]

This proposal is strictly about modifying the data design and introducing rollover. It is correct that in order for us to full-fill our multitenant requirements we will need to implement DLS but that is to be addressed in a separate proposal. I would expect we do both or neither.

[portante]

Seems like you need to explicitly link this design to be depend on the DLS design being accepted, otherwise this design is a non-starter.

[jcantrill]

@portante that is not correct. Rollover addresses our scalability and performance concerns but not multi-tenancy requirements. It's possible that we could design something that sits in front of ES to restrict access which is orthogonal to roll over.

[lukas-vlcek]

I would expect we do both or neither.

Even without DLS the roll-over would be still great improvement. If DLS is not in place we should still push for use of roll-over.

[portante]

@portante that is not correct. Rollover addresses our scalability and performance concerns but not multi-tenancy requirements. It's possible that we could design something that sits in front of ES to restrict access which is orthogonal to roll over.

If you have N namespaces, you still have N indices if the size of the data in those indices does not meet the rollover limits. The scale of the number of indices is still based on namespaces, not size/time.

So this might alleviate the issue in some cases, but without DLS, or some other implementation that addresses multi-tenancy, it is not clear how this can be a "design" that would be accepted and implemented in the product.

[pavolloffay]

I have concerns about handling or exposing rollover configuration in Elasticsearch CR. Handling rollover seems to me like application-specific (CLO) task and not elasticsearch concern.

Consider making the retention part in ES CR more generic (to include alias name) or just manage the rollover only in CLO CR.

Just for completeness, I will describe how we have implemented rollover in Jaeger. The retention policies (size, number of days) can be specified in Jaeger CR. Based on the provided configuration Jaeger operator creates a job to initialize storage (create aliases, install index template) and then two cron jobs. The first one calls rollover API and the second one removes an index from the read alias.

[jcantrill]

I have concerns about handling or exposing rollover configuration in Elasticsearch CR. Handling rollover seems to me like application-specific (CLO) task and not elasticsearch concern.

I disagree with this statement given that rollover addresses the scalability and performance of Elasticsearch. It is a management API to allow ES indices to be curated based on policy. The policy should adhere to ES scalability guidelines. The policy should be flexible enough for an application to define and the EO to manage. There is no reason for the management to be replicated by multiple higher level components. I would point out Elastic will provide this management for you if you use the licensed version. Additionally, this proposal would take advantage of the OpenDistro index management if it existed in the ES6 version of their product.

Consider making the retention part in ES CR more generic (to include alias name) or just manage the rollover only in CLO CR.

CL is an abstraction of logging and not Elasticsearch. The policy will reflect data retention regardless of the implemented technology. CLO will not be controlling rollover in order to better isolate the separation of concerns

Just for completeness, I will describe how we have implemented rollover in Jaeger. The retention policies (size, number of days) can be specified in Jaeger CR. Based on the provided configuration Jaeger operator creates a job to initialize storage (create aliases, install index template) and then two cron jobs. The first one calls rollover API and the second one removes an index from the read alias.

My understanding of Jaeger is that it is possible to use alternate storage engines which sounds like these policies don't apply to anything but ES. It's likely the proposed changes are made to EO that you can remove the same functionality in the Jaeger Operator. Implemented correctly, there is no reason you could still not use Jaeger rollover by simply not defining indexManagement on the Elasticsearch resource.

[lukas-vlcek]

I am not a fan of not having a possibility to control amount of logs per project. It is fair to say that it comes with risks.

Say some developer turns on TRACE level or makes unwise decision (or simply a mistake) and one or a few projects start generating a lot of logs. As of now it is at least possible to go and ad-hoc delete individual history indices for project. But when all logs are blend into a common index there is no such possibility and all other projects will get hit as well (even whole ES cluster can easily suffer) with no simple solution (except from curating all the common logs for projects sharing this index).

If we can not control this on a project level then we should at least make sure we ship appropriate alert rules to inform cluster admins that logs suddenly started growing much faster and something needs to be done about this.

[portante]

This is the reason why we need to node-level controls for logging rates, see containers/conmon#84

[jcantrill]

@lukas-vlcek This change only would deprecate namespace curation for now. We have discussed modifying LogForwarding to allow include/exclude which maybe its possible to also address throttling.

[lukas-vlcek]

I would expect we do both or neither.

Even without DLS the roll-over would be still great improvement. If DLS is not in place we should still push for use of roll-over.

[portante]

Just for completeness, I will describe how we have implemented rollover in Jaeger. The retention policies (size, number of days) can be specified in Jaeger CR. Based on the provided configuration Jaeger operator creates a job to initialize storage (create aliases, install index template) and then two cron jobs. The first one calls rollover API and the second one removes an index from the read alias.

Does the Jaeger operator work with a separate Elasticsearch operator?

[portante]

Regarding which CRs should handle roll-over: Are we building the Elasticsearch CR to some more abstract notion of storage management that allows a consumer of that abstraction to specify constraints for how it operates? If so, then that it would make sense to hide the roll-over implementation detail behind that abstraction.

But if the consumer still has to "know" it is Elasticsearch under the covers, then it seems like retention should be specified once in the CL CR since the abstraction still leaks details about its implementation.

[jcantrill]

Does the Jaeger operator work with a separate Elasticsearch operator?

It is the same operator which watches globally. There is no way to deploy multiple versions of the CRD on the cluster, or at least there was not when we originally released it.

[jcantrill]

Regarding which CRs should handle roll-over: Are we building the Elasticsearch CR to some more abstract notion of storage management that allows a consumer of that abstraction to specify constraints for how it operates? If so, then that it would make sense to hide the roll-over implementation detail behind that abstraction.

The general guiding principle is CL is abstract and ES allows us to tune more knobs

But if the consumer still has to "know" it is Elasticsearch under the covers, then it seems like retention should be specified once in the CL CR since the abstraction still leaks details about its implementation.

There is no reason a consumer of cluster logging needs to know we are using Elasticsearch and thus the separation.

[portante]

There is no reason a consumer of cluster logging needs to know we are using Elasticsearch and thus the separation.

I meant by "consumer" not the SRE team deploying cluster logging, but the difference between the CL CR and ES CR. The CL CR in a sense "depends" on the ES CR. So if the ES CR is not abstract, then the notions it offers must leak into how the CL CR is constructed. Which one could argue means it is not worth having the retention related configuration in both places.

[pavolloffay]

My understanding of Jaeger is that it is possible to use alternate storage engines which sounds like these policies don't apply to anything but ES. It's likely the proposed changes are made to EO that you can remove the same functionality in the Jaeger Operator. Implemented correctly, there is no reason you could still not use Jaeger rollover by simply not defining indexManagement on the Elasticsearch resource.

In that case the index management API in the elastic CR should allow configuring the alias name which will be used for rollover. My impression was that it will allow to rollover only aliases used by cluster logging.

Does the Jaeger operator work with a separate Elasticsearch operator?

It's tightly integrated with ECL ES operator, if one wants to use elatic.co operator all the configuration have to be provided explicitly https://www.jaegertracing.io/docs/1.15/operator/#external-elasticsearch

[jcantrill]

@ewolinetz moving our discussion here:

@jcantril i'm still not sold on it being a separate CR.. is that based on https://github.com/openshift/enhancements/pull/108/files#r346559159 ?


Eric Wolinetz  16 hours ago
we could make the elasticsearch level CR be the source of truth.. this way jaeger could specify it on their CR and then CLO could also specify it for EO to consume...

The advantages of one instance per:

• the instance explicitly defines management for one index which is specific to that index
• Index Management is not dependent on ES instance other then a ref to which specific instance (not reflected here)
• Index Management changes can be processed without needing to evaluate ES changes
  Disadvantages:
• Need to explicitly ref the Elasticsearch instance to gather secrets, and ES service
• Handle case where ES doesnt exist

@bparees @alanconway Do you have an opinion of handling in this way versus previous commits where it was added to the ES resource?

[ewolinetz]

can we clarify which "Elasticsearch" we're referring to here? I'm assuming its the elasticsearch CRD and not the component Elasticsearch...

[jcantrill]

This line "Elasticsearch rollover policy management API" I am referring to the actual Elasticsearch rollover api.

[bparees]

@jcantrill this lgtm.

[jcantrill]

/hold cancel

[ewolinetz]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ewolinetz, jcantrill

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jcantrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment