# Rancher EFK Setup

## Introduction to EFK

:::info
Elasticsearch: a distributed search engine for log messages. It is built on Apache Lucene(TM) and can combine full-text search, structured search and analytics to search log messages. Elasticsearch is also highly scalable, highly available and easy to manage.

Fluentd: a log collection tool. It supports many data sources, such as application logs, network protocols and IoT device logs, and has a rich set of plugins for filtering, analyzing and normalizing the data. The data can then be written to a wide range of storage backends, such as AWS S3, MySQL and Hadoop DFS.

Kibana: a data visualization platform. With Kibana, users can quickly turn the data queried from Elasticsearch into charts, tables and maps for a more graphical presentation.
:::

## Architecture diagram

![image](https://hackmd.io/_uploads/S1aA_YA6T.png)

## Requirements

1. A Rancher environment. You can use quickstart, or start a small environment with k3s or k3d.
2. An rke2 Downstream Cluster (1m3w) that has already been created.

## Install from the Rancher app store

### Install Logging

* Select Logging under Cluster tools
![image](https://hackmd.io/_uploads/HJUmsydRp.png)
* Install version 103.0.0
![image](https://hackmd.io/_uploads/ryLEoyO06.png)
* Click Edit YAML and change the size of the `fluentbit` in-memory buffer
![image](https://hackmd.io/_uploads/ryz3UgE10.png)
```
inputTail:
  Buffer_Chunk_Size: '1MB'
  Buffer_Max_Size: '5MB'
```
* Change the resource sizes under both fluentbit and fluentd so that fluentd does not crash from running out of resources
![image](https://hackmd.io/_uploads/HyPnA_xf0.png)
```
resources:
  limits:
    cpu: "2"
    memory: 2Gi
  requests:
    cpu: "1"
    memory: 1Gi
```
![image](https://hackmd.io/_uploads/SyZjcIfyR.png)
```
resources:
  limits:
    cpu: "2"
    memory: 2Gi
  requests:
    cpu: "1"
    memory: 1Gi
```

### Install elasticsearch

* Select elasticsearch
![image](https://hackmd.io/_uploads/B1bcG11A6.png)
* Install version 8.5.1
![image](https://hackmd.io/_uploads/rJ1AskuAT.png)
* Select the `cattle-logging-system` namespace
![image](https://hackmd.io/_uploads/Sy5J21uCT.png)

### Install Kibana

* Select Kibana
![image](https://hackmd.io/_uploads/ByhnIkyR6.png)
* Install version 8.5.1
![image](https://hackmd.io/_uploads/BJUzFZdR6.png)
* Select the `cattle-logging-system` namespace
![image](https://hackmd.io/_uploads/rJTVK-dR6.png)

### Post-install check

* Check under Installed Apps
![image](https://hackmd.io/_uploads/rJ_U9Zu0T.png)
* The `rancher-logging-root-fluentbit` daemonset uses labels to collect the logs of the pods on each node and passes them to `rancher-logging-root-fluentd-0`
* `rancher-logging-root-fluentd-0` then forwards all logs to `elasticsearch`

```
$ kubectl -n cattle-logging-system get all
NAME                                                     READY   STATUS      RESTARTS   AGE
pod/elasticsearch-master-0                               1/1     Running     0          8h
pod/elasticsearch-master-1                               1/1     Running     0          5h48m
pod/elasticsearch-master-2                               1/1     Running     0          8h
pod/kibana-kibana-b46d9c6df-xsdqw                        1/1     Running     0          8h
pod/rancher-logging-787c5fdbbc-mfp89                     1/1     Running     0          5h7m
pod/rancher-logging-rke2-journald-aggregator-fhpqw       1/1     Running     0          5h7m
pod/rancher-logging-rke2-journald-aggregator-rn4d6       1/1     Running     0          5h7m
pod/rancher-logging-rke2-journald-aggregator-t4wzc       1/1     Running     0          5h7m
pod/rancher-logging-rke2-journald-aggregator-x7bgt       1/1     Running     0          5h7m
pod/rancher-logging-root-fluentbit-2dmvj                 1/1     Running     0          34m
pod/rancher-logging-root-fluentbit-7jxvn                 1/1     Running     0          35m
pod/rancher-logging-root-fluentbit-bm9jf                 1/1     Running     0          35m
pod/rancher-logging-root-fluentbit-svspb                 1/1     Running     0          35m
pod/rancher-logging-root-fluentd-0                       2/2     Running     0          29m
pod/rancher-logging-root-fluentd-configcheck-d27b0fa0    0/1     Completed   0          21m

NAME                                            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)               AGE
service/elasticsearch-master                    ClusterIP   10.43.162.0    <none>        9200/TCP,9300/TCP     8h
service/elasticsearch-master-headless           ClusterIP   None           <none>        9200/TCP,9300/TCP     8h
service/kibana-kibana                           NodePort    10.43.39.124   <none>        5601:30059/TCP        8h
service/rancher-logging                         ClusterIP   None           <none>        8080/TCP              5h7m
service/rancher-logging-root-fluentd            ClusterIP   10.43.93.35    <none>        24240/TCP,24240/UDP   5h6m
service/rancher-logging-root-fluentd-headless   ClusterIP   None           <none>        24240/TCP,24240/UDP   5h6m

NAME                                                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
daemonset.apps/rancher-logging-rke2-journald-aggregator   4         4         4       4            4           kubernetes.io/os=linux   5h7m
daemonset.apps/rancher-logging-root-fluentbit             4         4         4       4            4           kubernetes.io/os=linux   5h6m

NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/kibana-kibana     1/1     1            1           8h
deployment.apps/rancher-logging   1/1     1            1           5h7m

NAME                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/kibana-kibana-b46d9c6df      1         1         1       8h
replicaset.apps/rancher-logging-787c5fdbbc   1         1         1       5h7m

NAME                                            READY   AGE
statefulset.apps/elasticsearch-master           3/3     8h
statefulset.apps/rancher-logging-root-fluentd   1/1     5h6m
```

### Change the kibana service to NodePort

```
$ kubectl -n cattle-logging-system edit svc kibana-kibana

$ kubectl -n cattle-logging-system get svc
NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)               AGE
elasticsearch-master                    ClusterIP   10.43.162.0     <none>        9200/TCP,9300/TCP     34m
elasticsearch-master-headless           ClusterIP   None            <none>        9200/TCP,9300/TCP     34m
kibana-kibana                           NodePort    10.43.39.124    <none>        5601:30059/TCP        3m50s
rancher-logging                         ClusterIP   None            <none>        8080/TCP              133m
rancher-logging-root-fluentd            ClusterIP   10.43.111.244   <none>        24240/TCP,24240/UDP   133m
rancher-logging-root-fluentd-headless   ClusterIP   None            <none>        24240/TCP,24240/UDP   133m
```

* Look up the Kibana login username and password

```
$ kubectl -n cattle-logging-system get secret elasticsearch-master-credentials -o jsonpath='{.data.username}' | base64 --decode;echo
elastic

$ kubectl -n cattle-logging-system get secret elasticsearch-master-credentials -o jsonpath='{.data.password}' | base64 --decode;echo
iKS6OeM0JL0jXu55
```

* Open the kibana service and go to Integrations -> Browse integrations
![image](https://hackmd.io/_uploads/Sk426hCRT.png)
* Install kibana assets
![image](https://hackmd.io/_uploads/ByvDg7uC6.png)

## Set up the log Output & Flow

* Create a test nginx pod with the `name=nginx` label

```
$ kubectl run nginx --image=harbor.cooloo9871.com/library/nginx -l name=nginx

$ kubectl get po -l name=nginx
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          16s
```

### Set up ClusterOutput

* Set the output to `Elasticsearch`
* Set Target to `https`, `elasticsearch-master.cattle-logging-system.svc.cluster.local`, port `9200`
* Set Index name to `nginx`
![image](https://hackmd.io/_uploads/S1aKFu_Rp.png)
* Set User to `elastic`
* Set Password from Secret to `elasticsearch-master-credentials`
* Set Key to `password`
* Leave Verify SSL unchecked
![image](https://hackmd.io/_uploads/HJvpbzdAa.png)

### Set up ClusterFlow

* Set Label to `name=nginx`
![image](https://hackmd.io/_uploads/Hk7vffu0T.png)
* Set Cluster Outputs to `cluster-output-nginx`
![image](https://hackmd.io/_uploads/HJu_MfdRp.png)

## Create a Kibana data view

* Management -> Stack Management -> Data Views
![image](https://hackmd.io/_uploads/H1IyUGFC6.png)
* Kibana -> Data Views
![image](https://hackmd.io/_uploads/rJ-NLGKA6.png)
* Create the data view
* Enter `nginx*` as the index pattern, then click Save data view to Kibana
![image](https://hackmd.io/_uploads/B15Ucdu0a.png)

## Query logs

* Dev Tools -> Console
* Query all data under the nginx index

```
POST /nginx/_search
{
  "query": {
    "match_all": {}
  }
}
```

![image](https://hackmd.io/_uploads/H1LOndOCp.png)
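
The ClusterOutput and ClusterFlow from the UI steps above, written as Logging operator manifests (an added example, not from the original page or the Rancher project; the form may set further fields). The first output mirrors the form with Verify SSL unchecked and the second turns verification on. Assumptions: the names `cluster-output-nginx-verified` and `cluster-flow-nginx`, and a Secret `elasticsearch-master-certs` with key `ca.crt` holding the CA of the Elasticsearch certificate.

```yaml
# 1) ClusterOutput as entered in the form: HTTPS, Verify SSL unchecked.
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata: {name: cluster-output-nginx, namespace: cattle-logging-system}
spec:
  elasticsearch:
    scheme: https
    host: elasticsearch-master.cattle-logging-system.svc.cluster.local
    port: 9200
    index_name: nginx
    user: elastic
    password: {valueFrom: {secretKeyRef: {name: elasticsearch-master-credentials, key: password}}}
    ssl_verify: false  # traffic is encrypted, but the server certificate is not checked
---
# 2) Same output with verification on.
# Assumptions: Secret elasticsearch-master-certs (key ca.crt) holds the CA that
# signed the Elasticsearch certificate, and `host` is a name in that certificate.
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata: {name: cluster-output-nginx-verified, namespace: cattle-logging-system}  # hypothetical name
spec:
  elasticsearch:
    scheme: https
    host: elasticsearch-master.cattle-logging-system.svc.cluster.local
    port: 9200
    index_name: nginx
    user: elastic
    password: {valueFrom: {secretKeyRef: {name: elasticsearch-master-credentials, key: password}}}
    ssl_verify: true
    ca_file: {mountFrom: {secretKeyRef: {name: elasticsearch-master-certs, key: ca.crt}}}
---
# 3) ClusterFlow: select pods labelled name=nginx and send their logs to the output.
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterFlow
metadata: {name: cluster-flow-nginx, namespace: cattle-logging-system}  # hypothetical name
spec:
  match:
    - select:
        labels:
          name: nginx
  globalOutputRefs:
    - cluster-output-nginx
```

Check that the CA Secret exists with `kubectl -n cattle-logging-system get secret` before using the second output, then point `globalOutputRefs` at it.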