New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 923162 link

Starred by 1 user
Status: Untriaged
Owner: ----
Cc:
cmtm@chromium.org
andreyu@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug



Sign in to add a comment

trimmed systemd-journald logs are unreadable on test log collection

Project Member Reported by briannorris@chromium.org, Jan 17 (5 days ago) 
With b/120686750, we're using journalctl for CrOS logging now. It seems like this is in parallel with old mechanisms, but it's already causing problems [1], so it needs to be debugged on the test server now.

The binary format that systemd-journald uses don't seem to be compatible with the log trimming that autotest does. See, for instance:

https://stainless.corp.google.com/browse/chromeos-autotest-results/276858920-chromeos-test/

The systemd.journal file:

https://storage.cloud.google.com/chromeos-autotest-results/276858920-chromeos-test/chromeos4-row9-rack10-host7/logging_UserCrash/sysinfo/var/log/journal/00000000000000000000000000000001/system.journal

starts with:

!!! This file is trimmed !!!
Original size: 33554432 bytes

and then a bunch of binary garbage which may or may not be readable. (I tried trimming the file a little and passing it to journalctl, but I still couldn't read it.)

When I try journal.gz, it seems better when I decompress it, but I still get errors when I try to get journalctl to read it:

$ journalctl --file 276858920-chromeos-test_chromeos4-row9-rack10-host7_logging_UserCrash_sysinfo_journal
Failed to open files: Bad message


Am I doing things wrong? I know plenty of people have complained about journald's non-text formats, but I'd hope there was some kind of robustness to this, and I just haven't figured it out.

If journald/journalctl can't handle this kind of trimming, then that sounds like it's going to conflict with the test/lab policies for trying to shrink logs.


[1] e.g.,  https://crbug.com/921679

Comment 1 Deleted

Comment 2 by cmtm@chromium.org, Jan 18 (5 days ago) 

I just want to preface this by noting that journald isn't ready for general usage by developers.

As discussed in person, the journal.gz is zipped journald output format. To read it you need to run the following:
apt-get install systemd-journal-remote
/lib/systemd/systemd-journal-remote --getter='zcat <path_to_journal.gz>' -o myjournal.journal
journalctl --file=myjournal.journal

Comment 3 by briannorris@chromium.org, Jan 18 (5 days ago)

Cc: andreyu@google.com
Another confusing piece here (based on talking with Christopher): sysinfo/var/log/journal/00000000000000000000000000000001/system.journal is essentially not useful for export. It's the internal representation for journald, and it should always be exported (like we do in class base_sysinfo -- 'journalctl -o export').

I wonder if this is something we should exclude from server/crashcollect.py / get_crashinfo(). That slurps up all of /var/log/.

Anyway, with the education from #2, I think I'm OK on analyzing logs. So maybe this is just WontFix. I'll let Infra folks decide though.

Comment 4 by cmtm@chromium.org, Jan 18 (5 days ago) 

I noticed that there's a list of file suffixes in shrink_file_throttler.py which can't be shrunk. We could add ".journal" there, but can we get some context on what kind of size restrictions we're running into that require this kind of shrinking?

Sign in to add a comment