Classic confinement for fluent-bit

Fluent Bit is a log processor that can be configured to retrieve messages following content of log files, through TCP, UDP, Systemd, and many other sources.

Classic confinement is required to access arbitrary file system paths and any TCP port for data collection.

the log-observe interface gives you access to everything in /var/log as well as journald, the network, network-bind and network-control interfaces allow retrieving/sending logs via TCP and UDP … here is an example of a log processing tool:

if you need access to specific logs that are in non-standard locations you can use the system-files interface to allow access to them …

1 Like

Hey @edsiper,

If you read our Process for reviewing classic confinement snaps, access to arbitrary files on the system isn’t typically a justification for classic.

The interfaces suggested by @ogra should help with your needs. Otherwise, could you please post here the locations of the files Fluent bit needs to access? If you still experience issues, you can try snappy-debug while troubleshooting. It will alert you of any denials and recommend missing interfaces. Feel free to post any further question and we are happy to help.

Hi,

thanks for the update.

I gave it a try to log-observe and the other network-* stuff but still I find it’s not a straightforward solution for the end-user, we allow to process many sources of data and paths per user’s need.

If someone want’s to use Fluent Bit to receive, process and ship logs, having to connect an interface manually adds an extra unnecessary step. Fluent Bit is a tool that can run as a service and also as a standalone utility, our goal as maintainers to provide a Snap for it is to make easier it deployment and usage, otherwise using .deb package will continue being the preferred way.

Having Fluent Bit as a classic snap will help users to rapidly setup a data pipeline without any operational concerns. A bit of background about the tool:

  • Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
  • License: Apache v2.0
  • 80% of our users are in the containers space: we see > 600k pulls “per day”
  • we see a trend for it use in non-containerized environments, for hence we need a easy to deploy “Snap”

thanks again for your help,

why would a user have to connect an interface manually ? as you can ask for classic confinement, you can ask the same way for auto-connection of interfaces at install time :wink:

@edsiper As ogra says above, you can request that interfaces for a given snap are automatically connected as per Process for aliases, auto-connections and tracks - so this should allow you to provide a seamless experience for users when installing fluent-bit.

I think there is some lack of understanding of all interfaces and proper setup from my side.

Please advise what setup is required to accomplish the following:

  • open files (read/write) from “random” fs locations: ~home, /opt, /tmp, mounted volumes etc
  • the ability to listen on TCP/UDP ports, as well connect to external services through TCP/UDP
  • create and connect to unix sockets
  • read /dev/kmsg
  • read serial interfaces /dev/ttySx
  • read /proc/* info
  • read from docker unix socket
  • read thermal info
  • spawn an external process: exec(3)

note: we would like to try to avoid setting up a new interface connection for every single use case for our tool, if classic can be considered would be appreciated.

additional information:

respecting the logs (file system-based), they are not usually consumed from /var/log (for most service applications yes…), but we see many use cases where they are pre-parsed logs and placed in a random locations for certain production environments. We need to have the flexibility to read/write where the user decides. If that is a restriction they will need to stick with normal .deb,