I am using fluent-bit version 1.4.6 and I am trying to collect logs from a tomcat/logs folder, but I receive:
```
[error] [input:tail:tail.0] read error, check permissions
```
These files inside the logs folder are all "rw-r-----" (640).
I tried to confirm whether it can read it at all by changing the permissions of a file inside the logs folder and it works, but that does not solve the overall problem.
My question is: is this something that should be set on the tomcat level, or can it be done via fluent-bit? Can I start that as a different user?
Thanks in advance!
You didn't specify 👀 how you deployed fluent-bit.
But yes, you can run it as a different user by specifying a SecurityContext in Kubernetes.
For example:
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluent-bit
  namespace: logging
  labels:
    k8s-app: fluent-bit-logging
    version: v1
    kubernetes.io/cluster-service: "true"
spec:
  selector:
    matchLabels:
      k8s-app: fluent-bit-logging
  template:
    metadata:
      labels:
        k8s-app: fluent-bit-logging
        version: v1
        kubernetes.io/cluster-service: "true"
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "2020"
        prometheus.io/path: /api/v1/metrics/prometheus
    spec:
      securityContext:
        runAsUser: 1000  # 👈 user id that you want to run the containers in the pod as
      containers:
      - name: fluent-bit
        image: fluent/fluent-bit:1.3.11
        imagePullPolicy: Always
        ports:
          - containerPort: 2020
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
        - name: fluent-bit-config
          mountPath: /fluent-bit/etc/
        - name: mnt
          mountPath: /mnt
          readOnly: true
...
```
✌️
What needed to be done was to set UMASK as an env variable with a value of "111", which would change the permissions of the log files so they can be picked up by fluent-bit.
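
How a umask maps to the file modes discussed in this thread, as an added example that is not part of the original posts: a new file is requested with mode 0666 and the umask clears bits from it, so the 640 files in the question match a umask of 027 and the value 111 yields 666. The function names, the scratch file name and the comparison value 022 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original posts): compute the permission bits a
# newly created log file receives under a given umask.

# Print the rwx string (e.g. "rw-r-----") of a file created under umask $1.
# Runs in a subshell so the caller's umask is left untouched.
mode_under_umask() {
    (
        dir=$(mktemp -d) || exit 1   # create the scratch dir before changing umask
        umask "$1" || exit 1
        : > "$dir/catalina.out"      # creation requests 0666; the umask clears bits
        ls -l "$dir/catalina.out" | cut -c2-10
        rm -rf "$dir"
    )
}

# Classify what users outside the owner and group can do with such a file.
other_access() {
    perms=$(mode_under_umask "$1") || return 1
    case "$perms" in
        ??????rw?) echo "world-readable and world-writable" ;;
        ??????r-?) echo "world-readable" ;;
        *)         echo "no access for others" ;;
    esac
}

# 027 reproduces the 640 files from the question, 111 is the value from the
# post above, 022 is a constructed comparison value.
for u in 027 111 022; do
    printf 'umask %s -> %s (%s)\n' "$u" "$(mode_under_umask "$u")" "$(other_access "$u")"
done
```

With 022 the files come out as 644, readable by a collector running as another user but writable only by the owner; with 027 the collector has to share the log files' group to read them.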