Document Journald on docker #13597

Open
wants to merge 4 commits into
base: main
belimawr
Contributor

@belimawr belimawr commented Apr 17, 2025

Proposed commit message

Document the requirements to read from Journald when using Elastic-Agent in Docker for the following integrations:

  • Custom Journald logs
  • System
  • Iptables Logs

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

## Author's Checklist

How to test this PR locally

  • Build the integration
  • Check the docs

Related issues

## Screenshots

@belimawr belimawr added Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] docs labels Apr 17, 2025
@belimawr belimawr self-assigned this Apr 17, 2025
@belimawr belimawr force-pushed the 13019-document-journald branch from 096c12c to e51a82f Compare April 17, 2025 22:45
@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Apr 18, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@belimawr belimawr changed the title [WIP] Document Journald on docker Document Journald on docker Apr 23, 2025
@belimawr belimawr marked this pull request as ready for review April 23, 2025 10:10
@belimawr belimawr requested review from a team as code owners April 23, 2025 10:10
@belimawr belimawr requested a review from AndersonQ April 23, 2025 10:10
@elasticmachine

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@belimawr belimawr requested a review from VihasMakwana April 23, 2025 10:10
@pierrehilbert pierrehilbert requested review from rdner and faec April 23, 2025 10:25
@andrewkroh andrewkroh added Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Apr 23, 2025
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

Member

@rdner rdner left a comment

I wonder what it would cost us (in terms of the image size) to include journalctl in our regular Ubuntu/Ubi/Wolfi images?

Did we look into it?

I think it's not the best user experience if we ask to use the complete image for such a common use-case.

@belimawr
Contributor Author

> I wonder what it would cost us (in terms of the image size) to include journalctl in our regular Ubuntu/Ubi/Wolfi images?
>
> Did we look into it?
>
> I think it's not the best user experience if we ask to use the complete image for such a common use-case.

I don't think we (data-plane) looked into it. IIRC when the change to use journalctl was merged in Beats, some tests on this repo broke and the decision at the time was to use the complete image, there is a little bit of context here: #10998. I didn't question it at the time, however now this use case seems to be growing.

I did a quick test by just installing the systemd package in our 9.0.0 wolfi image and it only adds about 170Mb:

Dockerfile

```dockerfile
FROM docker.elastic.co/elastic-agent/elastic-agent-wolfi:9.0.0
USER root
RUN apk update
RUN apk add systemd
ENTRYPOINT ["/usr/bin/journalctl", "--version"]
```

```
elastic-agent-wolfi-journald                          latest           f91135ef22b0   4 minutes ago   1.84GB
docker.elastic.co/elastic-agent/elastic-agent-wolfi   9.0.0            2aad676542e0   13 days ago     1.67GB
```

I like the idea of adding journalctl to the wolfi images, especially because wolfi repositories contain the latest systemd, which is a huge advantage compared with the current complete image that ships an older version of journalctl.

I'd merge this PR as it is, because it documents the current state and how to use the journald input with Elastic-Agent, allowing users to already benefit from it.

Once we have a new release of Elastic-Agent with journalctl in a smaller image, we can update the docs, likely keeping version statements, so users know which image variants in which versions contain journalctl.

@belimawr belimawr requested a review from rdner April 23, 2025 18:41
@rdner
Member

rdner commented Apr 24, 2025

So, the size increase for Wolfi is only about 10%. I'm fine with merging this PR as it is but it should be addressed by extending all of our Docker images and having journalctl there.

@belimawr
Contributor Author

> So, the size increase for Wolfi is only about 10%. I'm fine with merging this PR as it is but it should be addressed by extending all of our Docker images and having journalctl there.

I'm already working on it, you can follow this issue: elastic/beats#44040. The Beats PR is up, I'll work on Elastic-Agent soon.

Member

@shmsr shmsr left a comment

Approving but I have requested a couple of changes.

@elasticmachine

elasticmachine commented Apr 25, 2025

💔 Build Failed

Failed CI Steps

History

cc @belimawr

@rdner
Member

rdner commented Apr 28, 2025

@belimawr Do we still need to merge this since we are about to solve it with elastic/elastic-agent#7995?

@cmacknz
Member

cmacknz commented Apr 28, 2025

> So, the size increase for Wolfi is only about 10%. I'm fine with merging this PR as it is but it should be addressed by extending all of our Docker images and having journalctl there.

Increasing the size of the elastic-agent container by 170 MB is a definite no-go right now. We are trying to slowly bring that container size down to something that isn't ludicrous and adding on 170 MB goes against that. PM would need to be OK with that size increase and I don't think they will be.

Labels
docs Integration:iptables Iptables Integration:journald Custom Journald logs Integration:system System Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]
9 participants