Implement an API and CLI to retrieve the log entries from network ACLs.
When using LXD with network ACLs combined with OVN, it’s possible to set the state of an ACL as logged, which then causes a log entry to be made when the rule is hit.
As it stands, there is no way for the user to access that log, so they end up having to ask an administrator to look at the OVN log on every system (if clustered).
Since LXD clusters are becoming more and more common and so is providing unprivileged access to LXD, it makes sense to expose such ACL log information to a user that is allowed to add ACLs but isn’t otherwise allowed access to the servers that run OVN (or to its logs).
This is far from ideal and we should have LXD handle the log parsing and aggregation, providing a user-readable log over the API.
This one is reasonably straightforward. We need an API endpoint on each ACL which will cause /var/log/ovn-controller.log to be parsed on every system in the cluster; the log will be scanned for any hit for the particular ACL based on its database id, and the matching records will be returned.
This parsing step will also re-format each log entry into something more readable and standardize the timestamps (should the systems be in different timezones).
The server handling the user request will aggregate the data and sort it based on timestamp before returning it as plain-text data to the user.
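As an added illustration of the parse, normalize, aggregate and sort steps described above, here is a small Go program (Go being LXD's language). It is example code written for this page, not LXD's implementation. The ovn-controller line layout it matches (`<timestamp>|<seq>|acl_log(...)|<level>|name="<acl>", verdict=..., severity=..., direction=...: <flow>`) is an assumption about OVN's acl_log output, and it filters on the ACL name in that line rather than on the database id the spec proposes; the member names, field names and log contents are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// ACLLogEntry holds one parsed ACL hit. The field names are assumptions for
// this example, not LXD's API types.
type ACLLogEntry struct {
	Time      time.Time // normalised to UTC so entries from all members sort together
	Member    string    // cluster member whose ovn-controller.log produced the line
	ACLName   string
	Verdict   string
	Severity  string
	Direction string
	Flow      string // the OVN flow description after the colon
}

// aclLogRe matches the ovn-controller acl_log line layout assumed here:
//   <timestamp>|<seq>|acl_log(<thread>)|<level>|name="<acl>", verdict=<v>, severity=<s>, direction=<d>: <flow>
var aclLogRe = regexp.MustCompile(
	`^([^|]+)\|\d+\|acl_log\([^)]*\)\|\w+\|name="([^"]+)", verdict=(\w+), severity=(\w+), direction=([\w-]+): (.*)$`)

// parseACLLogLine parses a single log line from the given member.
// ok is false for lines that are not ACL hits (other ovn-controller messages).
func parseACLLogLine(member, line string) (entry ACLLogEntry, ok bool) {
	m := aclLogRe.FindStringSubmatch(line)
	if m == nil {
		return ACLLogEntry{}, false
	}
	// RFC3339Nano accepts both "Z" and explicit "+01:00" style offsets, so the
	// timestamp can be normalised to UTC whatever the member's local timezone.
	ts, err := time.Parse(time.RFC3339Nano, m[1])
	if err != nil {
		return ACLLogEntry{}, false
	}
	return ACLLogEntry{
		Time: ts.UTC(), Member: member, ACLName: m[2],
		Verdict: m[3], Severity: m[4], Direction: m[5], Flow: m[6],
	}, true
}

// collectACLLog takes the raw ovn-controller.log contents gathered from each
// cluster member (member name -> file contents), keeps only the hits for the
// requested ACL and returns them sorted by UTC timestamp (then member name).
func collectACLLog(aclName string, logs map[string]string) []ACLLogEntry {
	var entries []ACLLogEntry
	for member, contents := range logs {
		for _, line := range strings.Split(contents, "\n") {
			e, ok := parseACLLogLine(member, strings.TrimSpace(line))
			if !ok || e.ACLName != aclName {
				continue
			}
			entries = append(entries, e)
		}
	}
	sort.SliceStable(entries, func(i, j int) bool {
		if entries[i].Time.Equal(entries[j].Time) {
			return entries[i].Member < entries[j].Member
		}
		return entries[i].Time.Before(entries[j].Time)
	})
	return entries
}

// formatACLLog renders the aggregated entries as the plain-text body the
// endpoint would return: one hit per line, UTC timestamp first.
func formatACLLog(entries []ACLLogEntry) string {
	var b strings.Builder
	for _, e := range entries {
		fmt.Fprintf(&b, "%s %s %s %s %s %s\n",
			e.Time.Format("2006-01-02T15:04:05.000Z07:00"), e.Member, e.Direction, e.Verdict, e.Severity, e.Flow)
	}
	return b.String()
}

// sampleLogs is constructed input, not a real capture: two members, one of
// them logging in a +01:00 local timezone, plus an unrelated message and a
// hit for a different ACL, both of which must be ignored.
var sampleLogs = map[string]string{
	"node1": `2021-03-18T15:29:49.173Z|00012|acl_log(ovn_pinctrl0)|INFO|name="lxd_net4-egress", verdict=allow, severity=info, direction=to-lport: icmp,nw_src=10.142.156.4,nw_dst=10.142.156.3
2021-03-18T15:29:50.001Z|00013|ofctrl|INFO|unrelated message
2021-03-18T15:29:52.500Z|00014|acl_log(ovn_pinctrl0)|INFO|name="lxd_net5-ingress", verdict=drop, severity=alert, direction=from-lport: tcp,nw_src=10.142.156.9`,
	"node2": `2021-03-18T16:29:48.900+01:00|00007|acl_log(ovn_pinctrl0)|INFO|name="lxd_net4-egress", verdict=drop, severity=alert, direction=to-lport: tcp,nw_src=10.142.156.5,nw_dst=10.142.156.3,tp_dst=22
2021-03-18T16:29:51.020+01:00|00008|acl_log(ovn_pinctrl0)|INFO|name="lxd_net4-egress", verdict=allow, severity=info, direction=to-lport: udp,nw_src=10.142.156.4,nw_dst=10.142.156.3,tp_dst=53`,
}

func main() {
	// Prints the three lxd_net4-egress hits in time order, node2's drop first.
	fmt.Print(formatACLLog(collectACLLog("lxd_net4-egress", sampleLogs)))
}
```

Because the output is sorted after the per-member parse, the order of the map iteration (and of the cluster members answering) does not affect the result, and node2's local-time entries interleave correctly with node1's UTC ones.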
For this one, we should just need one extra API route.
Accessing that endpoint will cause the log aggregation and the data to be sent to the user as plain-text data.
I think this deserves its own sub-command, so I’d introduce a:
lxc network acl show-log <ACL>
None required, we’ll parse things on demand.
Not applicable. Worth noting though that this will work on historical data as LXD isn’t the one doing the log collection, OVN is.
None at this time.