Logs not getting sent to AWS Cloudwatch when docker in detached or foreground


Problem description

When I run the docker script in interactive mode it works. I can see the logs in the console and also in AWS CloudWatch Logs. The below docker script runs in interactive mode and I have added the awslogs configuration so the logs go into cloudwatch. docker awslogs configuration

docker run --rm -i -t  --log-driver awslogs \
    --log-opt awslogs-region=us-east-1 \
    --log-opt awslogs-group=falcoint \
    --log-opt awslogs-create-group=true \
    --privileged \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    -v /etc:/host/etc:ro \
    falcosecurity/falco:latest

But once I run in -d detached mode none of the logs go to aws cloudwatch

docker run --rm -d --log-driver awslogs \
    --log-opt awslogs-region=us-east-1 \
    --log-opt awslogs-group=falcoint \
    --log-opt awslogs-create-group=true \
    --privileged \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    -v /etc:/host/etc:ro \
    falcosecurity/falco:latest

When I run the same script in foreground mode i.e. no -it or -d then also no logs are sent to the cloudwatch. But all the data is buffered and sent when the falco docker is stopped.

docker run --rm --log-driver awslogs \
    --log-opt awslogs-region=us-east-1 \
    --log-opt awslogs-group=falcoint \
    --log-opt awslogs-create-group=true \
    --privileged \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    -v /etc:/host/etc:ro \
    falcosecurity/falco:latest

When the falco docker is stopped it dumps the following to the log. Ideally the logs with "Error File created below..." should have come to CloudWatch Logs without having to stop the container.

2020-06-04T02:33:44+0000: SIGINT received, exiting...
Syscall event drop monitoring:
   - event drop detected: 0 occurrences
   - num times actions taken: 0
2020-06-04T02:32:32.495581404+0000: Notice A shell was spawned in a container with an attached terminal (user=root <NA> (id=01ca7b2306b5) shell=sh parent=runc cmdline=sh terminal=34816 container_id=01ca7b2306b5 image=<NA>)
2020-06-04T02:33:00.014981252+0000: Error File created below /dev by untrusted program (user=root command=touch /dev/rootkit2 file=/dev/rootkit2 container_id=01ca7b2306b5 image=<NA>)
2020-06-04T02:33:30.226554205+0000: Error File created below /dev by untrusted program (user=root command=touch /dev/rootkit3 file=/dev/rootkit3 container_id=01ca7b2306b5 image=<NA>)
Events detected: 3
Rule counts by severity:
   ERROR: 2
   NOTICE: 1
Triggered rules by rule name:
   Terminal shell in container: 1
   Create files below dev: 2

To reproduce the issue, run one of the above and in another terminal run

docker run -it node:8-alpine sh

Then log in to the container and run

touch /dev/rootkit

Update:

I noticed that when I run the docker with -d -t, logs do go to AWS CloudWatch Logs. Any idea why this is happening?

Recommended answer

By default, Docker uses a json-file driver, which writes JSON-formatted logs to a container-specific file on the host where the container is running. Refer to this docker logging.

Giving the -t option assigns a pseudo-TTY through which the main process of docker outputs logs to the virtual terminal. And the aws log-driver looks for a tty to capture logs. Look at how the -t option works, and specifically answer number 3 in this post.
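
The question reports that alerts reach CloudWatch immediately with -t but only when the container stops without it. The following added example (not part of the original question or answer) reproduces that timing with standard-I/O buffering: a process whose stdout is a pipe holds its output until exit, while the same process on a pseudo-TTY emits each line at once. The child program is a constructed stand-in for a long-running detector, and the name `alert_timing` is hypothetical.

```python
import os, select, subprocess, sys

# Constructed stand-in for a long-running detector: emit one alert, then stay
# alive until stdin is closed (the equivalent of stopping the container).
CHILD = 'import sys; print("Error File created below /dev"); sys.stdin.readline()'

def _readable(fd, timeout):
    """Return bytes available on fd within timeout seconds, else b''."""
    ready, _, _ = select.select([fd], [], [], timeout)
    if not ready:
        return b""
    try:
        return os.read(fd, 4096)
    except OSError:  # Linux reports EIO on a pty master once the child is gone
        return b""

def alert_timing(use_tty, wait=2.0):
    """Return (seen_while_running, seen_after_exit) for the child's alert."""
    # Drop PYTHONUNBUFFERED so the child uses its default buffering policy.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONUNBUFFERED"}
    if use_tty:
        read_fd, write_fd = os.openpty()   # what `docker run -t` allocates
    else:
        read_fd, write_fd = os.pipe()      # what the process gets without -t
    proc = subprocess.Popen([sys.executable, "-c", CHILD], env=env,
                            stdin=subprocess.PIPE, stdout=write_fd)
    os.close(write_fd)
    while_running = b"Error File created" in _readable(read_fd, wait)
    proc.stdin.close()                     # let the child exit normally
    proc.wait()
    after_exit = b"Error File created" in _readable(read_fd, wait)
    os.close(read_fd)
    return while_running, after_exit

if __name__ == "__main__":
    print("pipe:", alert_timing(use_tty=False))
    print("tty: ", alert_timing(use_tty=True))
```

For a security sensor, the pipe case means detections sit in the process's buffer instead of the log pipeline, so alerting should be tested under the same run mode used in production.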
