Bug 1111012 - cri-o writes log files to /tmp
Status: RESOLVED WONTFIX
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Kubic
Priority: P5 - None; Severity: Normal
Assigned To: Valentin Rothberg
Reported: 2018-10-08 08:14 UTC by Thorsten Kukuk
Modified: 2018-11-05 12:19 UTC
Description Thorsten Kukuk 2018-10-08 08:14:56 UTC
cri-o seems to write log files to /tmp. This should never be done; as the name seems to be guessable, it could be a security problem, too.

As cri-o is creating several files, I think the best would be its own directory, /var/log/cri-o.
Comment 1 Valentin Rothberg 2018-10-08 08:23:04 UTC
I guess we can achieve this by changing the crio.conf in our package.

See `man crio`:
--log="": Set the log file path where internal debug information is written
Comment 2 Richard Brown 2018-10-08 08:56:37 UTC
(In reply to Valentin Rothberg from comment #1)
> I guess we can achieve this by changing the crio.conf in our package.
> 
> See `man crio`:
> --log="": Set the log file path where internal debug information is written

Does that mean the docs need updating? There's no mention of a log param in the crio.conf man page AFAICS.

https://github.com/kubernetes-sigs/cri-o/blob/9246d35b40666132a27b89bfd2c5b9e3eef55a8b/docs/crio.conf.5.md
Comment 3 Valentin Rothberg 2018-10-08 09:05:56 UTC
(In reply to Richard Brown from comment #2)
> (In reply to Valentin Rothberg from comment #1)
> > I guess we can achieve this by changing the crio.conf in our package.
> > 
> > See `man crio`:
> > --log="": Set the log file path where internal debug information is written
> 
> Does that mean the docs need updating - there's no mention of a log param in
> the crio.conf man page AFAICS
> 
> https://github.com/kubernetes-sigs/cri-o/blob/9246d35b40666132a27b89bfd2c5b9e3eef55a8b/docs/crio.conf.5.md

Looks like, yes. The conf manpage was quite outdated, so it seems likely that this option was forgotten. Let's check if it works with --log (and setting it in crio.conf) and open a PR upstream.
Comment 4 Richard Brown 2018-10-08 09:34:39 UTC
(In reply to Valentin Rothberg from comment #3)

> Looks like, yes. The conf manpage was quite outdated, so it seems likely
> that this option was forgotten. Let's check if it works with --log (and
> setting it in crio.conf) and open a PR upstream.

--log works when set to a full filepath. It produces a fatal error if set to a directory.

However, the contents of that log seem to have no relation to the contents of the logs produced by crio in /tmp. --log seems to record notices you'd typically expect in a journal, e.g. "error updating cni config: Missing CNI default network", with journal-style timestamps.

The logs in /tmp have a very different format, with a header that includes

"Log file created at:...
Running on machine: ...
Binary: Built with gc go1.10.3 for linux/amd64
Log line format: ...." and THEN log errors, which seem to be Go-specific error messages, e.g. "hostport_manager.go:64] The binary conntrack is not installed, this can cause failures in network connection cleanup"

Therefore I'm convinced that --log has no impact on the logs this bug is related to.

We need to find a way of getting those logs from /tmp into somewhere more sensible.

log= in crio.conf seems to have zero effect if set to a full filepath or to a directory.
Comment 5 Valentin Rothberg 2018-10-30 13:25:28 UTC
I had a deeper look at the bug and found that there is no valuable information in those files, as it seems to be caused by some libraries of crio that are using glog. I opened an upstream issue: https://github.com/kubernetes-sigs/cri-o/issues/1879

I don't think that it's a security issue but an undesired side-effect. `critest` from the `cri-tools` package shows similar issues. Probably, `crictl` as well.
Comment 6 Valentin Rothberg 2018-11-05 12:19:22 UTC
The issue is currently being worked on in Kubernetes. The glog library has been forked to address the mentioned issue and others. I guess it'll be fixed with CRI-O/Kubernetes v1.14.

I don't think we need to backport any patches (likely large ones) given there's no real content in the log files. I am therefore closing it as wontfix and suggest to wait.
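
A host check for the files described in comment 4, as an added example that is not part of the original bug report or of cri-o: it lists the regular files in a directory that begin with the glog header quoted there, without following symlinks. The names `FindGlogFiles` and `hasGlogHeader`, the 8-line search window and the use of Unix-only `syscall` flags are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// Header prefixes quoted in comment 4 for the files left in /tmp.
var glogHeader = []string{"Log file created at:", "Running on machine:", "Binary: Built with", "Log line format:"}

// hasGlogHeader: do the prefixes appear, in order, within the first 8 lines? (window size is an assumption)
func hasGlogHeader(path string) bool {
	// O_NOFOLLOW: never follow a symlink in a world-writable dir; O_NONBLOCK: never hang on a FIFO.
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_NONBLOCK, 0)
	if err != nil {
		return false
	}
	defer f.Close()
	if st, err := f.Stat(); err != nil || !st.Mode().IsRegular() {
		return false // checked on the open descriptor, so the entry cannot be swapped afterwards
	}
	sc, next := bufio.NewScanner(f), 0
	for i := 0; i < 8 && next < len(glogHeader) && sc.Scan(); i++ {
		if strings.HasPrefix(sc.Text(), glogHeader[next]) {
			next++
		}
	}
	return next == len(glogHeader)
}

// FindGlogFiles returns the regular files directly inside dir that carry the header.
func FindGlogFiles(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, fmt.Errorf("read %s: %w", dir, err)
	}
	var found []string
	for _, e := range entries {
		if p := filepath.Join(dir, e.Name()); hasGlogHeader(p) {
			found = append(found, p)
		}
	}
	return found, nil
}

func main() { fmt.Println(FindGlogFiles(os.TempDir())) }
```

Run on a node, it prints the glog-style files currently sitting in the temp directory, which makes it easy to confirm whether a given cri-o or cri-tools build still shows the behaviour reported here.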