kong icon indicating copy to clipboard operation
kong copied to clipboard

Published 20 hours ago verified publisher icon Kong

file-log plugin fails to log to `/dev/stdout` with `Permission Denied` error

Open gsadhani opened this issue 2 years ago • 8 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Kong version ($ kong version)

3.4

Current Behavior

file-log plugin fails to log to /dev/stdout with Permission Denied error when running in a container.

kong-gateway-6d98fccc96-pzzvv proxy 2023/11/29 12:17:09 [error] 1263#0: *1315 [kong] handler.lua:56 [file-log] 
failed to open the file: Permission denied while logging request, client: xxx.18.82.100, server: kong,
request: "GET /v1/xxxxx/xxx HTTP/2.0", upstream: "http://100.64.92.168:9002/v1/xxxxx/xxx", host: "dev14.xxxxxxx.io"

I have tried the following:

  1. Changing permissions of /dev/stdout to 777
  2. Creating a link from /var/log/kong/kong.log to /dev/stdout and log to /var/log/kong/kong.log
ln -sf /dev/stdout /var/log/kong/kong.log

But the issue persists.

Expected Behavior

The file-log plugin should be able to log to /dev/stdout as indicated in the documentation.

Steps To Reproduce

  1. Configure file-log plugin as below:
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: file-log
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: "true"
config:
  path: "/dev/stdout"
plugin: file-log
  1. Make API calls routed through the gateway

Anything else?

No response

gsadhani avatar Nov 30 '23 08:11 gsadhani

Could you use some other methods, not using kong. to open this file to check if this file could be opened normally?

For example, echo "some messages blah blah..." > /dev/stdout, and make sure that the new command has the same user/group of your kong server.

chobits avatar Dec 04 '23 03:12 chobits

Sure @chobits.

See output below:

kubectl exec kong-gateway-7b5c4f9c5-jkznp -n kong -it -- sh
# echo "hello" > /dev/stdout
hello
# su - kong
su: warning: cannot change directory to /home/kong: No such file or directory
$
$ echo "hello as kong" > /dev/stdout
-sh: 1: cannot create /dev/stdout: Permission denied
$ whoami
kong
$ ls -lt /dev/stdout
lrwxrwxrwx 1 root root 15 Dec  6 05:51 /dev/stdout -> /proc/self/fd/1
$ ls -lt /proc/self/fd/1
lrwx------ 1 kong kong 64 Dec  6 11:56 /proc/self/fd/1 -> /dev/pts/0
$ su -
# 
# ls -lt /dev/stdout
lrwxrwxrwx 1 root root 15 Dec  6 05:51 /dev/stdout -> /proc/self/fd/1
# ls -lt /proc/self/fd/1
lrwx------ 1 root root 64 Dec  6 12:00 /proc/self/fd/1 -> /dev/pts/0

gsadhani avatar Dec 06 '23 11:12 gsadhani

$ echo "hello as kong" > /dev/stdout -sh: 1: cannot create /dev/stdout: Permission denied $ whoami kong

I'm not very familiar with the permission control under linux system, but it seems that your kong user/group could not modify the stdout file with irght permission

chobits avatar Dec 07 '23 03:12 chobits

It seems a known issue, i search it and find some questions associated to it, but not find a good solution for k8s container.

https://discuss.konghq.com/t/file-log-plugin-not-able-to-log-to-dev-stdout/9347

https://github.com/Kong/kong/issues/8067

chobits avatar Dec 07 '23 03:12 chobits

@chobits thanks for taking a look. Yes, this is the same issue as #8067. I created this issue as that issue was closed without resolution.

Do you recommend opening another issue in https://github.com/Kong/docker-kong.

gsadhani avatar Dec 07 '23 04:12 gsadhani

hi @gsadhani

keep your question here, discussion is more lively. And most kong developers and fans will see it.

chobits avatar Dec 07 '23 05:12 chobits

I created an internal ticket (KAG-3501) to track this issue.

ADD-SP avatar Jan 08 '24 02:01 ADD-SP

@ADD-SP , could you add the ticket number here?

chronolaw avatar Jan 17 '24 02:01 chronolaw