Splunk forwarder with Kubernetes in side car pattern

11/20/2018

I have created a custom Splunk forwarder image.

Image name: vrathore/splunkuniversalforwarder

I have verified that the log is pushing to the server. I am using a dummy log present on my host (c/Users/var/log). If I run this Docker command:

docker run --name splunkforwarder -d -v /c/Users/var/log://var/log/messages -p 8089:8089 -p 8088:8088 -e SPLUNK_SERVER_HOST=splunk-prodtest-gsp.test.com:9997 -e FORWARD_HOSTNAME=kubernetes vrathore/splunkuniversalforwarder

Now I want to use the same image in a Kubernetes pod, where 2 containers will share their log folder with my Splunk forwarder image.

spec:
  revisionHistoryLimit: 5
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 10%
      maxSurge: 10%
  replicas: 1
  template:
    metadata:
      name: %APP_FULL_NAME%-pod
      labels:
        appname: %APP_FULL_NAME%
        stage: %APP_ENV%
        component: app-kube-pod-object
    spec:
      containers:
      - name: %APP_FULL_NAME%-service
        image: %DOCKER_IMAGE%
        imagePullPolicy: Always
        envFrom:
        - configMapRef:
            name: %APP_CONFIG_MAP%
        command: ["catalina.sh", "run"]
        ports:
        - containerPort: 8080
      imagePullSecrets:
      - name: %DOCKER_REPO_REGKEY%
  selector:
    matchLabels:
      appname: %APP_FULL_NAME%
      stage: %APP_ENV%

Kubernetes is new to me. How can I share the log folder between the containers?

-- gamechanger17
kubernetes
splunk

1 Answer

11/20/2018

You need to define an emptyDir type volume and attach it to both containers. Assuming that the logs from the app are under /var/log/myapp/ (I have added the second container as well):

spec:
  revisionHistoryLimit: 5
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 10%
      maxSurge: 10%
  replicas: 1
  template:
    metadata:
      name: %APP_FULL_NAME%-pod
      labels:
        appname: %APP_FULL_NAME%
        stage: %APP_ENV%
        component: app-kube-pod-object
    spec:
      containers:
      - name: %APP_FULL_NAME%-service
        image: %DOCKER_IMAGE%
        imagePullPolicy: Always
        envFrom:
        - configMapRef:
            name: %APP_CONFIG_MAP%
        command: ["catalina.sh", "run"]
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: logs
          mountPath: /var/log/myapp/
      - name: uf
        image: vrathore/splunkuniversalforwarder
        ...
        volumeMounts:
        - name: logs
          mountPath: /var/log/myapp/
      imagePullSecrets:
      - name: %DOCKER_REPO_REGKEY%
      volumes:
      - name: logs
        emptyDir: {}
  selector:
    matchLabels:
      appname: %APP_FULL_NAME%
      stage: %APP_ENV%

Also, I would recommend looking for an alternative solution. With Collectord and Monitoring Kubernetes/OpenShift you can tell Collectord where to look for logs, and you don't need to run a sidecar container (https://www.outcoldsolutions.com/docs/monitoring-kubernetes/v5/annotations/#application-logs); just one Collectord daemon will do the work.

-- outcoldman
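
The sidecar layout from the answer above, written out as a full Deployment with the forwarder's side of the shared volume locked down. This is an added example, not part of the original question or answer. Assumptions: the names myapp and registry.example.invalid are constructed placeholders, the forwarder image monitors /var/log/messages (the container path used in the question's docker run command), and the 1Gi limit is an arbitrary sample value.

```yaml
# Added example: app container writes logs, forwarder sidecar reads them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp                                # constructed placeholder name
spec:
  replicas: 1
  selector:
    matchLabels:
      appname: myapp
  template:
    metadata:
      labels:
        appname: myapp
    spec:
      containers:
      - name: myapp-service
        image: registry.example.invalid/myapp:1.0   # constructed placeholder image
        command: ["catalina.sh", "run"]
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: logs
          mountPath: /var/log/myapp/         # the app writes its logs here (read-write)
      - name: uf
        image: vrathore/splunkuniversalforwarder
        env:                                 # same settings as the -e flags in the docker run command
        - name: SPLUNK_SERVER_HOST
          value: "splunk-prodtest-gsp.test.com:9997"
        - name: FORWARD_HOSTNAME
          value: "kubernetes"
        volumeMounts:
        - name: logs
          mountPath: /var/log/messages       # assumption: the path this image monitors
          readOnly: true                     # forwarder can read but not alter or delete app logs
      volumes:
      - name: logs
        emptyDir:
          sizeLimit: 1Gi                     # sample value; the pod is evicted if the logs grow past it
```

The same volume can be mounted at a different path in each container, so the app keeps writing to /var/log/myapp/ while the forwarder sees the files under the path it already monitors. An emptyDir is deleted with the pod, so any log lines not yet forwarded are lost when the pod is removed.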
Source: StackOverflow