Replace Docker's gcplogs driver with the GCP COS logging agent
kunzese committed Nov 15, 2022
1 parent ad483e3 commit de229d9
Showing 32 changed files with 113 additions and 179 deletions.
13 changes: 7 additions & 6 deletions blueprints/networking/filtering-proxy-psc/main.tf
Expand Up @@ -135,12 +135,13 @@ module "cos-squid" {
}

module "squid-vm" {
source = "../../../modules/compute-vm"
project_id = module.project.project_id
zone = "${var.region}-b"
name = "squid-vm"
instance_type = "e2-medium"
create_template = true
source = "../../../modules/compute-vm"
project_id = module.project.project_id
zone = "${var.region}-b"
name = "squid-vm"
instance_type = "e2-medium"
create_template = true
enable_google_logging = true
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["${var.region}/proxy"]
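Review bot: `enable_google_logging = true` is what now carries the squid container's output to Cloud Logging, since the `--log-driver=gcplogs` flag is removed from the cloud-config-container modules elsewhere in this commit; the COS logging agent has the same prerequisites the removed README text listed for the driver (Logging API enabled, `roles/logging.logWriter` on the instance service account), and nothing in this hunk grants them, so please confirm the `squid-vm` service account in this blueprint has that role or logs will be silently dropped rather than the container failing visibly as it did with the driver.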
14 changes: 7 additions & 7 deletions blueprints/networking/nginx-reverse-proxy-cluster/main.tf
Expand Up @@ -25,7 +25,6 @@ locals {
Environment="HOME=/home/opsagent"
ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
ExecStart=/usr/bin/docker run --rm --name=monitoring-agent \
--log-driver=gcplogs \
--network host \
-v /etc/google-cloud-ops-agent/config.yaml:/etc/google-cloud-ops-agent/config.yaml \
${var.ops_agent_image}
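Review bot: with `--log-driver=gcplogs` dropped from the `monitoring-agent` unit, the Ops Agent container's own stdout/stderr now goes to Docker's default json-file log on the host and only reaches Cloud Logging through the COS logging agent; that is fine on instances with `google-logging-enabled` metadata, but json-file logs have no size limit unless `daemon.json` sets `max-size`, and this blueprint's daemon.json is not in the diff, so please check that a rotation setting exists before the host disk fills up on a long-running instance.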
Expand Down Expand Up @@ -290,12 +289,13 @@ module "mig-proxy" {
}

module "proxy-vm" {
source = "../../../modules/compute-vm"
project_id = module.project.project_id
zone = format("%s-c", var.region)
name = "nginx-test-vm"
instance_type = "e2-standard-2"
tags = ["proxy-cluster"]
source = "../../../modules/compute-vm"
project_id = module.project.project_id
zone = format("%s-c", var.region)
name = "nginx-test-vm"
instance_type = "e2-standard-2"
tags = ["proxy-cluster"]
enable_google_logging = true
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links[format("%s/%s", var.region, var.subnetwork)]
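Review bot: only the `proxy-vm` test instance gains `enable_google_logging = true` here, while the systemd unit changed in the previous hunk is also what the `mig-proxy` instances run; the instance template behind `mig-proxy` is referenced in this hunk's header but not shown, so verify it sets `enable_google_logging` as well, otherwise the MIG members lose agent logs entirely once the driver is gone.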
2 changes: 0 additions & 2 deletions modules/cloud-config-container/README.md
Expand Up @@ -21,8 +21,6 @@ These modules are designed for several use cases:

All modules are designed to be as lightweight as possible, so that specialized modules like [compute-vm](../compute-vm) can be leveraged to manage instances or instance templates, and to allow simple forking to create custom derivatives.

Modules use Docker's [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) by default, so projects need to have the logging API enabled. If that's not desirable simply remove `--log-driver=gcplogs` from the relevant systemd unit in `cloud-config.yaml`.

To use the modules with instances or instance templates, simply set use their `cloud_config` output for the `user-data` metadata. When updating the metadata after a variable change remember to manually restart the instances that use a module's output, or the changes won't effect the running system.

For convenience when developing or prototyping infrastructure, an optional test instance is included in all modules. If it's not needed, the linked `*instance.tf` files can be removed from the modules without harm.
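Review bot: deleting this paragraph also deletes the only statement that the project needs the Logging API enabled; the COS logging agent that replaces the driver has the same requirement plus `roles/logging.logWriter` on the instance service account, so replace the paragraph rather than drop it, for example: "Container logs are collected by the COS logging agent, which is enabled by setting `enable_google_logging = true` on the compute-vm module (the `google-logging-enabled` metadata key); the project needs the Logging API enabled and the instance service account needs `roles/logging.logWriter`."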
12 changes: 7 additions & 5 deletions modules/cloud-config-container/coredns/README.md
Expand Up @@ -10,7 +10,7 @@ The resulting `cloud-config` can be customized in a number of ways:

The default instance configuration inserts iptables rules to allow traffic on the DNS TCP and UDP ports, and the 8080 port for the optional HTTP health check that can be enabled via the CoreDNS [health plugin](https://coredns.io/plugins/health/).

Logging and monitoring are enabled via the [Google Cloud Logging driver](https://docs.docker.com/config/containers/logging/gcplogs/) configured for the CoreDNS container, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service is started by default on boot.
Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service is started by default on boot.

The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.

Expand All @@ -28,10 +28,13 @@ module "cos-coredns" {
}
# use it as metadata in a compute instance or template
resource "google_compute_instance" "default" {
module "vm-coredns" {
source = "./fabric/modules/compute-vm"
enable_google_logging = true
metadata = {
user-data = module.cos-coredns.cloud_config
}
}
```

### Custom CoreDNS configuration
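Review bot: the new `vm-coredns` example passes only `source`, `enable_google_logging` and `metadata`, while every other compute-vm call in this commit (`squid-vm`, `proxy-vm`, `vm-cos`) also passes `project_id`, `zone`, `name` and `network_interfaces`; as written the snippet cannot be planned, so add those arguments (placeholders are fine) so the README example stays copy-pasteable, and note in the prose just above that `enable_google_logging` is what sets the `google-logging-enabled` metadata property it mentions.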
Expand Down Expand Up @@ -77,9 +80,8 @@ module "cos-coredns" {
| [cloud_config](variables.tf#L17) | Cloud config template path. If null default will be used. | <code>string</code> | | <code>null</code> |
| [config_variables](variables.tf#L23) | Additional variables used to render the cloud-config and CoreDNS templates. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> |
| [coredns_config](variables.tf#L29) | CoreDNS configuration path, if null default will be used. | <code>string</code> | | <code>null</code> |
| [docker_logging](variables.tf#L35) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
| [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [file_defaults](variables.tf#L35) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [files](variables.tf#L47) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [test_instance](variables-instance.tf#L17) | Test/development instance attributes, leave null to skip creation. | <code title="object&#40;&#123;&#10; project_id &#61; string&#10; zone &#61; string&#10; name &#61; string&#10; type &#61; string&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [test_instance_defaults](variables-instance.tf#L30) | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object&#40;&#123;&#10; disks &#61; map&#40;object&#40;&#123;&#10; read_only &#61; bool&#10; size &#61; number&#10; &#125;&#41;&#41;&#10; image &#61; string&#10; metadata &#61; map&#40;string&#41;&#10; nat &#61; bool&#10; service_account_roles &#61; list&#40;string&#41;&#10; tags &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; disks &#61; &#123;&#125;&#10; image &#61; null&#10; metadata &#61; &#123;&#125;&#10; nat &#61; false&#10; service_account_roles &#61; &#91;&#10; &#34;roles&#47;logging.logWriter&#34;,&#10; &#34;roles&#47;monitoring.metricWriter&#34;&#10; &#93;&#10; tags &#61; &#91;&#34;ssh&#34;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |

7 changes: 1 addition & 6 deletions modules/cloud-config-container/coredns/cloud-config.yaml
Expand Up @@ -17,8 +17,6 @@
# https://hub.docker.com/r/coredns/coredns/
# https://coredns.io/manual/toc/#installation

# TODO: switch to the gcplogs logging driver, and set driver labels

write_files:
- path: /var/lib/docker/daemon.json
permissions: 0644
Expand Down Expand Up @@ -58,9 +56,6 @@ write_files:
Wants=gcr-online.target docker.socket docker-events-collector.service
[Service]
ExecStart=/usr/bin/docker run --rm --name=coredns \
%{~ if docker_logging ~}
--log-driver=gcplogs \
%{~ endif ~}
--network host \
-v /etc/coredns:/etc/coredns \
coredns/coredns -conf /etc/coredns/Corefile
Expand All @@ -83,4 +78,4 @@ runcmd:
- iptables -I INPUT 1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
- systemctl daemon-reload
- systemctl restart systemd-resolved.service
- systemctl start coredns
- systemctl start coredns
5 changes: 2 additions & 3 deletions modules/cloud-config-container/coredns/main.tf
Expand Up @@ -16,9 +16,8 @@

locals {
cloud_config = templatefile(local.template, merge(var.config_variables, {
corefile = templatefile(local.corefile, var.config_variables)
docker_logging = var.docker_logging
files = local.files
corefile = templatefile(local.corefile, var.config_variables)
files = local.files
}))
corefile = (
var.coredns_config == null ? "${path.module}/Corefile" : var.coredns_config
6 changes: 0 additions & 6 deletions modules/cloud-config-container/coredns/variables.tf
Expand Up @@ -32,12 +32,6 @@ variable "coredns_config" {
default = null
}

variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}

variable "file_defaults" {
description = "Default owner and permissions for files."
type = object({
16 changes: 6 additions & 10 deletions modules/cloud-config-container/cos-generic-metadata/README.md
Expand Up @@ -2,8 +2,6 @@

This helper module manages a `cloud-config` configuration that can start a container on [Container Optimized OS](https://cloud.google.com/container-optimized-os/docs) (COS). Either a complete `cloud-config` template can be provided via the `cloud_config` variable with optional template variables via the `config_variables`, or a generic `cloud-config` can be generated based on typical parameters needed to start a container.

Logging can be enabled via the [Google Cloud Logging docker driver](https://docs.docker.com/config/containers/logging/gcplogs/) using the `gcp_logging` variable. This is enabled by default, but requires that the service account running the COS instance have the `roles/logging.logWriter` IAM role or equivalent permissions on the project. If it doesn't, the container will fail to start unless this is disabled.

The module renders the generated cloud config in the `cloud_config` output, which can be directly used in instances or instance templates via the `user-data` metadata attribute.

## Examples
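Review bot: the removed paragraph documented a concrete failure mode (container refuses to start when the service account lacks `roles/logging.logWriter`); with the driver gone that fail-closed behaviour disappears and the agent just drops logs, yet the README now says nothing about logging at all, so add a sentence stating that container logs are collected by the COS logging agent when the instance has `google-logging-enabled` metadata, mirroring the wording added to the coredns README in this commit.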
Expand Down Expand Up @@ -64,21 +62,19 @@ module "cos-envoy" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [container_image](variables.tf#L42) | Container image. | <code>string</code> || |
| [authenticate_gcr](variables.tf#L124) | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | <code>bool</code> | | <code>false</code> |
| [authenticate_gcr](variables.tf#L112) | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | <code>bool</code> | | <code>false</code> |
| [boot_commands](variables.tf#L17) | List of cloud-init `bootcmd`s. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [cloud_config](variables.tf#L23) | Cloud config template path. If provided, takes precedence over all other arguments. | <code>string</code> | | <code>null</code> |
| [config_variables](variables.tf#L29) | Additional variables used to render the template passed via `cloud_config`. | <code>map&#40;any&#41;</code> | | <code>&#123;&#125;</code> |
| [container_args](variables.tf#L35) | Arguments for container. | <code>string</code> | | <code>&#34;&#34;</code> |
| [container_name](variables.tf#L47) | Name of the container to be run. | <code>string</code> | | <code>&#34;container&#34;</code> |
| [container_volumes](variables.tf#L53) | List of volumes. | <code title="list&#40;object&#40;&#123;&#10; host &#61; string,&#10; container &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#91;&#93;</code> |
| [docker_args](variables.tf#L62) | Extra arguments to be passed for docker. | <code>string</code> | | <code>null</code> |
| [docker_logging](variables.tf#L68) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
| [file_defaults](variables.tf#L74) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [files](variables.tf#L86) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [gcp_logging](variables.tf#L96) | Should container logs be sent to Google Cloud Logging. | <code>bool</code> | | <code>true</code> |
| [run_as_first_user](variables.tf#L118) | Run as the first user if users are specified. | <code>bool</code> | | <code>true</code> |
| [run_commands](variables.tf#L102) | List of cloud-init `runcmd`s. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [users](variables.tf#L108) | List of usernames to be created. If provided, first user will be used to run the container. | <code title="list&#40;object&#40;&#123;&#10; username &#61; string,&#10; uid &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> |
| [file_defaults](variables.tf#L68) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; owner &#61; &#34;root&#34;&#10; permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [files](variables.tf#L80) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10; content &#61; string&#10; owner &#61; string&#10; permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [run_as_first_user](variables.tf#L106) | Run as the first user if users are specified. | <code>bool</code> | | <code>true</code> |
| [run_commands](variables.tf#L90) | List of cloud-init `runcmd`s. | <code>list&#40;string&#41;</code> | | <code>&#91;&#93;</code> |
| [users](variables.tf#L96) | List of usernames to be created. If provided, first user will be used to run the container. | <code title="list&#40;object&#40;&#123;&#10; username &#61; string,&#10; uid &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> |

## Outputs

Original file line number Diff line number Diff line change
Expand Up @@ -52,9 +52,6 @@ write_files:
%{~ if length(users) > 0 && run_as_first_user ~}
--user=${users[0].uid} \
%{~ endif ~}
%{~ if docker_logging ~}
--log-driver=gcplogs \
%{~ endif ~}
%{~ if docker_args != null ~}
${docker_args} \
%{~ endif ~}
2 changes: 0 additions & 2 deletions modules/cloud-config-container/cos-generic-metadata/main.tf
Expand Up @@ -22,9 +22,7 @@ locals {
container_name = var.container_name
container_volumes = var.container_volumes
docker_args = var.docker_args
docker_logging = var.docker_logging
files = local.files
gcp_logging = var.gcp_logging
run_commands = var.run_commands
users = var.users
authenticate_gcr = var.authenticate_gcr
12 changes: 0 additions & 12 deletions modules/cloud-config-container/cos-generic-metadata/variables.tf
Expand Up @@ -65,12 +65,6 @@ variable "docker_args" {
default = null
}

variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}

variable "file_defaults" {
description = "Default owner and permissions for files."
type = object({
Expand All @@ -93,12 +87,6 @@ variable "files" {
default = {}
}

variable "gcp_logging" {
description = "Should container logs be sent to Google Cloud Logging."
type = bool
default = true
}

variable "run_commands" {
description = "List of cloud-init `runcmd`s."
type = list(string)
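Review bot: `gcp_logging` here and `docker_logging` in the hunk above are removed outright, so any existing caller that passes either argument fails with an unsupported-argument error on its next plan; the same applies to the coredns and envoy-traffic-director modules in this commit, and the one-line commit message does not flag it, so either call the breaking change out in the commit message and changelog or keep the variables for one release as deprecated no-ops.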
10 changes: 5 additions & 5 deletions modules/cloud-config-container/envoy-traffic-director/README.md
Expand Up @@ -18,10 +18,11 @@ module "cos-envoy-td" {
# COS VM
module "vm-cos" {
source = "./fabric/modules/compute-vm"
project_id = local.project_id
zone = local.zone
name = "cos-envoy-td"
source = "./fabric/modules/compute-vm"
project_id = local.project_id
zone = local.zone
name = "cos-envoy-td"
enable_google_logging = true
network_interfaces = [{
network = local.vpc.self_link,
subnetwork = local.vpc.subnet_self_link,
Expand Down Expand Up @@ -49,7 +50,6 @@ module "vm-cos" {

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [docker_logging](variables.tf#L23) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
| [envoy_image](variables.tf#L17) | Envoy Proxy container image to use. | <code>string</code> | | <code>&#34;envoyproxy&#47;envoy:v1.15.5&#34;</code> |

## Outputs
2 changes: 0 additions & 2 deletions modules/cloud-config-container/envoy-traffic-director/main.tf
Expand Up @@ -44,8 +44,6 @@ module "cos-envoy-td" {
}
}

gcp_logging = var.docker_logging

run_commands = [
"iptables -t nat -N ENVOY_IN_REDIRECT",
"iptables -t nat -A ENVOY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001",
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,3 @@ variable "envoy_image" {
type = string
default = "envoyproxy/envoy:v1.15.5"
}

variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}

0 comments on commit de229d9
