podman logs: read journald with passthrough

The passthrough driver is designed for use in systemd units. By default we can expect systemd to log the output on journald unless the unit sets differen StandardOutput/StandardError settings. At the moment podman logs just errors out when the passthrough driver is used. With this change we will read the journald for the unit messages. The logic is actually very similar to the existing one, we just need to change the filter. We now filter by SYSTEMD_UNIT wich equals to the contianer cgroup, this allows us the actually filter on a per contianer basis even when multiple contianers are started in the same unit, i.e. via podman-kube@.service. The only difference a user will see is that journald will merge stdout/err into one stream so we loose the separation there. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-08-06 11:32:07 +08:00 · 2023-02-14 15:59:10 +01:00
parent 37352a0c8c
commit 1590c7bf42
4 changed files with 40 additions and 8 deletions
--- a/libpod/container_log.go
+++ b/libpod/container_log.go
@ -10,6 +10,7 @@ import (
 	"github.com/containers/podman/v4/libpod/define"
 	"github.com/containers/podman/v4/libpod/events"
 	"github.com/containers/podman/v4/libpod/logs"
+	systemdDefine "github.com/containers/podman/v4/pkg/systemd/define"
 	"github.com/nxadm/tail"
 	"github.com/nxadm/tail/watch"
 	"github.com/sirupsen/logrus"
@ -36,11 +37,15 @@ func (r *Runtime) Log(ctx context.Context, containers []*Container, options *log
 func (c *Container) ReadLog(ctx context.Context, options *logs.LogOptions, logChannel chan *logs.LogLine, colorID int64) error {
 	switch c.LogDriver() {
 	case define.PassthroughLogging:
+		// if running under systemd fallback to a more native journald reading
+		if _, ok := c.config.Labels[systemdDefine.EnvVariable]; ok {
+			return c.readFromJournal(ctx, options, logChannel, colorID, true)
+		}
 		return fmt.Errorf("this container is using the 'passthrough' log driver, cannot read logs: %w", define.ErrNoLogs)
 	case define.NoLogging:
 		return fmt.Errorf("this container is using the 'none' log driver, cannot read logs: %w", define.ErrNoLogs)
 	case define.JournaldLogging:
-		return c.readFromJournal(ctx, options, logChannel, colorID)
+		return c.readFromJournal(ctx, options, logChannel, colorID, false)
 	case define.JSONLogging:
 		// TODO provide a separate implementation of this when Conmon
 		// has support.
--- a/libpod/container_log_linux.go
+++ b/libpod/container_log_linux.go
@ -31,7 +31,8 @@ func init() {
 	logDrivers = append(logDrivers, define.JournaldLogging)
 }

-func (c *Container) readFromJournal(ctx context.Context, options *logs.LogOptions, logChannel chan *logs.LogLine, colorID int64) error {
+func (c *Container) readFromJournal(ctx context.Context, options *logs.LogOptions,
+	logChannel chan *logs.LogLine, colorID int64, isPassthrough bool) error {
 	// We need the container's events in the same journal to guarantee
 	// consistency, see #10323.
 	if options.Follow && c.runtime.config.Engine.EventsLogger != "journald" {
@ -67,10 +68,28 @@ func (c *Container) readFromJournal(ctx context.Context, options *logs.LogOption
 	if err := journal.AddDisjunction(); err != nil {
 		return fmt.Errorf("adding filter disjunction to journald logger: %w", err)
 	}
+
+	if isPassthrough {
+		// Match based on systemd unit which is the container is cgroup
+		// so we get the exact logs for a single container even in the
+		// play kube case where a single unit starts more than one container.
+		unitTypeName := "_SYSTEMD_UNIT"
+		if rootless.IsRootless() {
+			unitTypeName = "_SYSTEMD_USER_UNIT"
+		}
+		// FIXME: It looks like it is hardcoded to libpod-ID.scope but I am not
+		// sure were we set this with all the different cgroup modes???
+		match = sdjournal.Match{Field: unitTypeName, Value: "libpod-" + c.ID() + ".scope"}
+		if err := journal.AddMatch(match.String()); err != nil {
+			return fmt.Errorf("adding filter to journald logger: %v: %w", match, err)
+		}
+	} else {
 		match = sdjournal.Match{Field: "CONTAINER_ID_FULL", Value: c.ID()}
 		if err := journal.AddMatch(match.String()); err != nil {
 			return fmt.Errorf("adding filter to journald logger: %v: %w", match, err)
 		}
+	}
+
 	if err := journal.AddMatch(uidMatch.String()); err != nil {
 		return fmt.Errorf("adding filter to journald logger: %v: %w", uidMatch, err)
 	}
--- a/libpod/container_log_unsupported.go
+++ b/libpod/container_log_unsupported.go
@ -11,6 +11,6 @@ import (
 	"github.com/containers/podman/v4/libpod/logs"
 )

-func (c *Container) readFromJournal(_ context.Context, _ *logs.LogOptions, _ chan *logs.LogLine, colorID int64) error {
+func (c *Container) readFromJournal(_ context.Context, _ *logs.LogOptions, _ chan *logs.LogLine, _ int64, _ bool) error {
 	return fmt.Errorf("journald logging only enabled with systemd on linux: %w", define.ErrOSNotSupported)
 }
--- a/test/system/250-systemd.bats
+++ b/test/system/250-systemd.bats
@ -383,11 +383,15 @@ metadata:
 spec:
  containers:
  - command:
-    - top
+    - sh
+    - -c
+    - echo a stdout; echo a stderr 1>&2; sleep inf
    image: $IMAGE
    name: a
  - command:
-    - top
+    - sh
+    - -c
+    - echo b stdout; echo b stderr 1>&2; sleep inf
    image: $IMAGE
    name: b
 EOF
@ -418,6 +422,10 @@ EOF
    for name in "a" "b"; do
        run_podman container inspect test_pod-${name} --format "{{.HostConfig.LogConfig.Type}}"
        assert $output != "passthrough"
+        # check that we can get the logs with passthrough when we run in a systemd unit
+        run_podman logs test_pod-$name
+        assert "$output" == "$name stdout
+$name stderr" "logs work with passthrough"
    done

    # Add a simple `auto-update --dry-run` test here to avoid too much redundancy