Logging 6x - POC WIP

Author: libander

_topic_maps/_topic_map.yml

@@ -2709,6 +2709,11 @@ Topics:
       File: logging-5-8-release-notes
     - Name: Logging 5.7
       File: logging-5-7-release-notes
+  - Name: Logging 6.0
+    Dir: logging-6.0
+    Topics:
+      - Name: Introducing Logging 6.0
+        File: logging-poc
   - Name: Support
     File: cluster-logging-support
   - Name: Troubleshooting logging

modules/logging-6x-about.adoc

@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+
+
+:_mod-docs-content-type: CONCEPT
+[id="logging-6x-about_{context}"]
+
+
+= What is OpenShift Logging?
+
+OpenShift Logging provides a comprehensive log management solution integrated into your OpenShift clusters. It utilizes:
+
+* **Loki:** A horizontally scalable, highly available log aggregation system optimized for efficient storage and retrieval of log data in dynamic OpenShift environments.
+* **Vector:** A lightweight, high-performance log forwarding agent that connects your application and infrastructure logs to Loki, offering a flexible and customizable way to collect, process, and route log data.
+
+== How OpenShift Logging Works
+
+1. **Log Collection:** Vector agents, deployed on each node in your cluster, collect logs from various sources, including containers, system components, and applications.
+2. **Log Processing (Optional):** Vector can filter, enrich, and transform log data before forwarding it to Loki.
+3. **Log Aggregation:** Loki receives the processed log data from Vector and stores it efficiently for later retrieval.
+4. **Log Querying & Analysis:**  Use Loki's powerful query language to search, filter, and analyze logs, gaining valuable insights into your OpenShift environment.
+
+== Visualizing Logs in OpenShift
+
+OpenShift Logging provides multiple ways to visualize and explore your log data:
+
+* **OpenShift Web Console:** The integrated Logs page offers a user-friendly interface for searching, filtering, and viewing logs directly within the OpenShift console.
+* **Grafana:** OpenShift Logging integrates seamlessly with Grafana, enabling you to create rich, customizable dashboards to visualize and correlate log data with metrics and other observability data.

modules/logging-6x-loki-architecture.adoc

@@ -0,0 +1,111 @@
+// Module included in the following assemblies:
+//
+
+
+:_mod-docs-content-type: CONCEPT
+[id="logging-6x-loki-architecture_{context}"]
+= Loki Architecture: Understanding the Components
+Loki is a distributed system with several core components, each serving a specific purpose in the logging pipeline:
+
+* **Distributor:**  Receives incoming log streams, validates them, and distributes them to the appropriate ingesters.
+* **Ingester:**  Builds chunks of log data and creates an index to enable efficient querying.
+* **Querier:**  Executes queries against the log data, retrieving relevant log entries from the ingesters and storage backend.
+* **Query Frontend:**  Manages and coordinates incoming queries, distributes the workload across queriers, and returns the query results.
+* **Storage Backend:**  Persists the log data and index, typically using an object storage like Amazon S3 or Google Cloud Storage.
+* **Compactor:**  Optimizes the storage of log data by compacting older log chunks into a more efficient format.
+* **Ruler:**  Allows you to define rules for alerting and recording based on log data patterns.
+
+
+
+= LokiStack Custom Resource (CR): Mapping Fields to Components
+
+Custom Resource (CR) files are used to configure Operators. 
+
+* **`spec`:**  This is effectively the root of the CR
+
+* **Component-Specific Sections:** Within `spec`, you'll find subsections for each component (e.g., `distributor`, `ingester`, `querier`).  The fields in each section directly control that component's behavior.
+
+[source,yaml]
+----
+spec:
+  distributor:
+    replicas: 3             #<1>
+  ingester:
+    replicas: 2
+    resources:
+      limits:
+        memory: 1Gb         #<2>
+  querier:
+    replicas: 2
+  queryFrontend:
+    replicas: 1
+...
+----
+
+<1> `spec.distributor.replicas: 3` means you want 3 pods running the Distributor component.
+<2> `spec.ingester.resources.limits.memory: 1Gb` gives each Ingester pod the memory limit specified.
+
+
+== Key Points:
+
+* **Hierarchy:**  `spec` is the top level, then components, then specific settings for that component.
+* **Direct Mapping:** Each field in a component section directly affects that component's configuration in your Loki cluster.
+* **Customization:** By tweaking these values, you tailor Loki to your workload and resource constraints.
+
+
+
+== Distributor:
+
+* `spec.distributor.replicas`: Controls the number of distributor replicas.
+* `spec.distributor.resources`: Sets resource limits (CPU, memory) for the distributor pods.
+* `spec.distributor.ring`: Configures the hash ring for distributing log streams among ingesters.
+
+== Ingester:
+
+* `spec.ingester.replicas`: Controls the number of ingester replicas.
+* `spec.ingester.resources`: Sets resource limits (CPU, memory) for the ingester pods.
+* `spec.ingester.lifecycler`: Configures the ingester lifecycle, including chunk lifecycle and table manager settings.
+* `spec.ingester.persistence`: Configures the persistent storage for ingester data (e.g., volume claims, storage class).
+
+== Querier:
+
+* `spec.querier.replicas`: Controls the number of querier replicas.
+* `spec.querier.resources`: Sets resource limits (CPU, memory) for the querier pods.
+* `spec.querier.queryRange`: Configures the default query range (time duration) for queriers.
+* `spec.querier.storeGateway`: Configures the interaction between queriers and the storage backend.
+
+== Query Frontend:
+
+* `spec.queryFrontend.replicas`: Controls the number of query frontend replicas.
+* `spec.queryFrontend.resources`: Sets resource limits (CPU, memory) for the query frontend pods.
+* `spec.queryFrontend.grpcServer`: Configures the gRPC server for the query frontend.
+
+== Storage Backend:
+
+* `spec.storageConfig`:  Specifies the type of storage backend (e.g., S3, GCS, local filesystem) and its configuration parameters (e.g., bucket name, credentials).
+
+== Compactor:
+
+* `spec.compactor.replicas`: Controls the number of compactor replicas.
+* `spec.compactor.resources`: Sets resource limits (CPU, memory) for the compactor pods.
+* `spec.compactor.workingDirectory`: Specifies the working directory for the compactor.
+* `spec.compactor.sharedStore`: Configures the shared storage for compactor data.
+
+== Ruler:
+
+* `spec.ruler.replicas`: Controls the number of ruler replicas.
+* `spec.ruler.resources`: Sets resource limits (CPU, memory) for the ruler pods.
+* `spec.ruler.alertmanagerURL`: Specifies the URL of the Alertmanager instance to send alerts to.
+* `spec.ruler.ruleNamespaceSelector`: Selects the namespaces from which to load ruler rules.
+* `spec.ruler.storage`: Configures the storage for ruler data.
+
+== Other Components:
+
+The LokiStack CR also allows you to configure other aspects of the Loki deployment, such as:
+
+* `spec.limits`: Global limits for Loki components.
+* `spec.storageClassName`: Default storage class for persistent volumes.
+* `spec.serviceMonitor`: Configuration for Prometheus service monitors.
+* `spec.tenants`: Configuration for multi-tenancy.
+
+By modifying the values in the LokiStack CR, you can fine-tune the behavior and resource allocation of each Loki component to match your specific requirements and workload.

modules/logging-6x-v-5x.adoc

@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+
+
+:_mod-docs-content-type: PROCEDURE
+[id="logging-6x-v-5x_{context}"]
+= OpenShift Logging 6.0: Key Differences from Previous Versions
+
+OpenShift Logging 6.0 is the culmination of efforts to modernize the underlying components of the logging solution. Over the past few releases, Loki and Vector were gradually introduced with a focus on improving performance and enhancing features while maintaining the stability required for business continuity.
+
+
+* **Horizontal Scalability:** Loki's architecture allows for seamless horizontal scaling, ensuring that the logging system can handle the growing demands of large-scale OpenShift deployments.
+
+* **Improved Query Performance:** Loki's indexing and query mechanisms are optimized for speed, enabling faster log retrieval and analysis.
+
+* **Streamlined Configuration:** The removal of Elasticsearch and Fluentd simplify setup and configuration.
+
+* **Improved Integration:** Loki and Vector offer tighter integration with OpenShift, providing a more seamless and native logging experience.
+
+* **Expanded Log Sources:** Vector's flexibility allows you to collect logs from an even wider range of sources, providing greater visibility into your OpenShift environment.
+
+* **Enhanced Log Processing:** Vector's processing capabilities have been expanded, enabling you to perform more complex log transformations and filtering.
+
+* **OpenShift Web Console:** The integrated Logs page offers a user-friendly interface for searching, filtering, and viewing logs directly within the OpenShift console.
+
+* **Grafana:** OpenShift Logging integrates seamlessly with Grafana, enabling you to create rich, customizable dashboards to visualize and correlate log data with metrics and other observability data.

modules/logging-elastic-to-loki-migration.adoc

@@ -0,0 +1,186 @@
+// Module included in the following assemblies:
+//
+
+
+:_mod-docs-content-type: PROCEDURE
+[id="logging-elastic-to-loki-migration_{context}"]
+= Migrating the Default Log Store from Elasticsearch to Loki in OpenShift
+
+This guide describes how to switch the OpenShift Logging storage service from Elasticsearch to LokiStack. It focuses on log forwarding, not data migration. After following these steps, old logs will remain in Elasticsearch (accessible via Kibana), while new logs will go to LokiStack (visible in the OpenShift Console).
+
+.Prerequisites
+
+* Red Hat OpenShift Logging Operator (v5.5.5+)
+* OpenShift Elasticsearch Operator (v5.5.5+)
+* Red Hat Loki Operator (v5.5.5+)
+* Sufficient resources on target nodes to run both Elasticsearch and LokiStack (see LokiStack Deployment Sizing Table in the documentation).
+
+== Installing LokiStack
+
+. **Install the Loki Operator:** Follow the official guide to install the Loki Operator using the OpenShift web console.
+.. **Create a Secret for Loki Object Storage:** Create a secret for Loki object storage (e.g., AWS S3). Refer to the documentation for other object storage types.
+
+[source,bash]
+----
+$ cat << EOF |oc create -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: logging-loki-s3
+  namespace: openshift-logging
+data:
+  access_key_id: $(echo "PUT_S3_ACCESS_KEY_ID_HERE" | base64 -w0)
+  access_key_secret: $(echo "PUT_S3_ACCESS_KEY_SECRET_HERE" | base64 -w0)
+  bucketnames: $(echo "s3-bucket-name" | base64 -w0)
+  endpoint: $(echo "https://s3.eu-central-1.amazonaws.com" | base64 -w0)
+  region: $(echo "eu-central-1" | base64 -w0)
+EOF
+----
+
+
+... **Deploy LokiStack Custom Resource (CR):**
+
+[NOTE]
+====
+Change the `spec.size` if needed.
+====
+
+[source,bash]
+----
+$ cat << EOF |oc create -f -
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: logging-loki
+  namespace: openshift-logging
+spec:
+  size: 1x.small
+  storage:
+    schemas:
+    - version: v12
+      effectiveDate: '2022-06-01'
+    secret:
+      name: logging-loki-s3
+      type: s3
+  storageClassName: gp2
+  tenants:
+    mode: openshift-logging
+EOF
+----
+
+== Disconnecting Elasticsearch and Kibana
+
+To keep Elasticsearch and Kibana running while transitioning:
+
+. **Set `ClusterLogging` to Unmanaged:**
+
+[source,bash]
+----
+oc -n openshift-logging patch clusterlogging/instance -p '{"spec":{"managementState": "Unmanaged"}}' --type=merge
+----
+
+.. **Remove Owner References:** Remove `ClusterLogging` owner references from Elasticsearch and Kibana resources:
+
+[source,bash]
+----
+$ oc -n openshift-logging patch elasticsearch/elasticsearch -p '{"metadata":{"ownerReferences": []}}' --type=merge
+----
+
+[source,bash]
+----
+$ oc -n openshift-logging patch kibana/kibana -p '{"metadata":{"ownerReferences": []}}' --type=merge
+----
+
+... **Back Up Elasticsearch and Kibana Resources:** Use `yq` to back up these resources to prevent accidental deletion: link:https://github.com/mikefarah/yq[yq utility]
+
+For Elasticsearch:
+
+[source,bash]
+----
+$ oc -n openshift-logging get elasticsearch elasticsearch -o yaml \
+    | yq 'del(.metadata.resourceVersion) | del(.metadata.uid)'  \
+    | yq 'del(.metadata.generation) | del(.metadata.creationTimestamp)'  \
+    | yq 'del(.metadata.selfLink) | del(.status)' > /tmp/cr-elasticsearch.yaml
+----
+
+For Kibana:
+
+[source,bash]
+----
+$ oc -n openshift-logging get kibana kibana -o yaml \
+    | yq 'del(.metadata.resourceVersion) | del(.metadata.uid)'  \
+    | yq 'del(.metadata.generation) | del(.metadata.creationTimestamp)'  \
+    | yq 'del(.metadata.selfLink) | del(.status)' > /tmp/cr-kibana.yaml
+----
+
+== Switching to LokiStack
+
+. Switch Log Storage to LokiStack
+The following manifest will apply several changes to the `ClusterLogging` resource:
+* Re-instate the management state to `Managed`.
+* Switch the `logStore` spec from `elasticsearch` to `lokistack`, restarting the collector pods to start forwarding logs to `lokistack`.
+* Remove the `visualization` spec, prompting the cluster-logging-operator to install the `logging-view-plugin` for observing `lokistack` logs in the OpenShift Console.
+* If the collection type is not `fluentd`, replace it with `vector`.
+
+[source,yaml]
+----
+$ cat << EOF |oc replace -f -
+apiVersion: logging.openshift.io/v1
+kind: ClusterLogging
+metadata:
+  name: instance
+  namespace: openshift-logging
+spec:
+  managementState: Managed
+  logStore:
+    type: lokistack
+    lokistack:
+      name: logging-loki
+  collection:
+    logs:
+      type: fluentd
+      fluentd: {}
+  visualization:
+    type: kibana
+    kibana:
+      replicas: 1
+EOF
+----
+
+. Re-instantiate Kibana Resource
+
+In the previous step, removing the `visualization` field prompted the operator to remove the `Kibana` resource. Re-instantiate the `Kibana` resource using the backup created earlier.
+
+[source,bash]
+----
+$ oc -n openshift-logging apply -f /tmp/cr-kibana.yaml
+----
+
+. Enable the Console View Plugin
+
+Enable the console view plugin to view the logs integrated from the OpenShift Console (Observe > Logs).
+
+[source,bash]
+----
+$ oc patch consoles.operator.openshift.io cluster --type=merge --patch '{ "spec": { "plugins": ["logging-view-plugin"] } }'
+----
+
+== Delete the Elasticsearch Stack
+
+Once the retention period for logs stored in Elasticsearch expires and no more logs are visible in Kibana, remove the old stack to release resources.
+
+=== Step 1: Delete Elasticsearch and Kibana Resources
+
+[source,bash]
+----
+$ oc -n openshift-logging delete kibana/kibana elasticsearch/elasticsearch
+----
+
+===
+
+ Step 2: Delete the PVCs Used by Elasticsearch Instances
+
+[source,bash]
+----
+$ oc delete -n openshift-logging pvc -l logging-cluster=elasticsearch
+----

observability/logging/logging-6.0/logging-poc.adoc

@@ -0,0 +1,15 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+[id="logging-6x"]
+= Logging 6.0
+:context: logging-6x
+
+toc::[]
+
+include::modules/logging-6x-v-5x.adoc[leveloffset=+1]
+
+//include::modules/logging-elastic-to-loki-migration.adoc[leveloffset=+1]
+
+include::modules/logging-6x-about.adoc[leveloffset=+1]
+
+include::modules/logging-6x-loki-architecture.adoc[leveloffset=+1]