Loki logger #140

Open
wneirynck opened this issue Apr 22, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@wneirynck
Contributor

wneirynck commented Apr 22, 2024

Currently we are using Loki for application logging, and custom implementations for build script logging. However, it may be possible to use Loki for build logging as well. It exposes an API that we can use for pushing and for pulling.

We could mark each stream with customer, repo, build and job id, and even the specific command. The advantage is that it already provides the functionality we need. The disadvantage is that it is a third-party tool over which we have little control, and there seems to be no support for using OCI buckets, except for using Minio with an OCI bucket backend.

@wneirynck wneirynck added the enhancement New feature or request label Apr 22, 2024
@wneirynck
Contributor Author

wneirynck commented Apr 22, 2024

Loki does not provide security of its own, but we could add it to Apache, using the mod_auth_bearer module. Build scripts should get a short-lived token (also used for the API) and use that when pushing logs.

When retrieving logs, we could either pipe it through the API (inefficient), or expose Loki directly to the client. This requires of course strict security checking: customers should only be able to see their own logs, for instance. This would also mean that the client token should be valid for the log server (which it currently is).

Loki has a concept of tenants, which may be useful to separate logs on a client basis. We should investigate how we could use this to enable Apache to block any requests going to another tenant (= customer). Possibly with header checks, or somehow use the customer id from the request as the X-Scope-OrgID token for Loki.

@wneirynck
Contributor Author

Tenant implementation is OK, as well as using OCI buckets for storage. But security is not complete yet: it is possible to access Loki directly from a container, and the token check does not verify whether the user has access to that specific customer (= tenant id).

For the first issue we should add network rules restricting direct access. For the second we either need to add a module to Apache (if one exists that is capable of those checks), or use another proxy (Nginx, HAProxy), should one exist that supports our requirements. If not, we will have to implement something ourselves.
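The check described across these comments, as an added example that is not part of the issue or of the project's code: a short-lived bearer token is bound to one customer, and the proxy in front of Loki derives the `X-Scope-OrgID` tenant from that token instead of trusting a tenant header supplied by the client, rejecting requests whose token does not match the tenant they address. The token format (HMAC-signed `customer_id:expiry`), the signing key and the function names are assumptions made for this example; a real deployment would issue the token from the API the comments mention.

```python
"""Tenant enforcement for a proxy in front of Loki (added example, not from the issue).

The token format (HMAC-SHA256 over "customer_id:expiry"), the signing key and
the helper names are assumptions made for this example.
"""
import base64
import binascii
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key: shared between the token-issuing API and the proxy.
TOKEN_SIGNING_KEY = b"constructed-demo-key-not-for-production"
TENANT_HEADER = "X-Scope-OrgID"  # Loki's multi-tenant header


def issue_token(customer_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a short-lived token bound to exactly one customer (= Loki tenant)."""
    current = now if now is not None else time.time()
    payload = f"{customer_id}:{int(current + ttl_seconds)}".encode()
    sig = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the customer id bound to a valid, unexpired token, or None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time signature check
        return None
    customer_id, _, expiry = payload.decode(errors="replace").rpartition(":")
    if not customer_id or not expiry.isdigit():
        return None
    current = now if now is not None else time.time()
    if int(expiry) <= current:  # short-lived: expired tokens are refused
        return None
    return customer_id


@dataclass
class Decision:
    allowed: bool
    reason: str
    forward_headers: dict = field(default_factory=dict)  # what the proxy sends to Loki


def authorize(headers: dict, now: Optional[float] = None) -> Decision:
    """Decide whether a request may reach Loki and which tenant it is pinned to.

    The tenant is always taken from the token. A client-supplied X-Scope-OrgID
    is only accepted if it equals the token's tenant; it is never forwarded as-is.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if not auth.startswith("Bearer "):
        return Decision(False, "missing bearer token")
    customer_id = verify_token(auth[len("Bearer "):], now)
    if customer_id is None:
        return Decision(False, "invalid or expired token")
    requested = lowered.get(TENANT_HEADER.lower())
    if requested is not None and requested != customer_id:
        return Decision(False, f"token is bound to tenant {customer_id}, not {requested}")
    forward = {k: v for k, v in headers.items() if k.lower() != TENANT_HEADER.lower()}
    forward[TENANT_HEADER] = customer_id  # tenant set by the proxy, from the token
    return Decision(True, "ok", forward)


if __name__ == "__main__":
    # Constructed requests: a build script for customer "acme" pushing logs.
    t0 = 1_700_000_000
    tok = issue_token("acme", ttl_seconds=300, now=t0)
    own = {"Authorization": f"Bearer {tok}", TENANT_HEADER: "acme"}
    other = {"Authorization": f"Bearer {tok}", TENANT_HEADER: "globex"}
    for name, req in (("own tenant", own), ("other tenant", other)):
        d = authorize(req, now=t0)
        print(f"{name}: allowed={d.allowed} reason={d.reason}")
    print("after expiry:", authorize(own, now=t0 + 600).reason)
```

The design point is that the proxy, not the client, decides the tenant: if the client omits `X-Scope-OrgID` the proxy adds it from the token, and if the client sends a different one the request is refused. This closes the second gap from the last comment (token valid but not checked against the tenant); the first gap (containers reaching Loki directly) still needs the network rules the comment mentions, because any check in the proxy is bypassed if Loki is reachable without it.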
