What Should I Do If Excessive Docker Audit Logs Affect the Disk I/O?

Symptom

There are a large number of Docker audit logs on existing nodes in some clusters. Due to OS kernel defects, it is slightly possible that I/Os are suspended. You can optimize the audit log rules to avoid this problem.

Impact

Affected cluster versions:

• v1.15.11-r1
• v.1.17.9-r0
  

  • You only need to fix this issue for existing nodes, not for newly created nodes.
  • The auditd component needs to be restarted during the upgrade.

Check Method

1. Log in to the worker node as user root.
2. Run the following command to check whether the problem exists on the current node:

   auditctl -l | grep "/var/lib/docker -p rwxa -k docker"

   If information similar to the following is displayed, the problem exists and needs to be rectified. If no command output is displayed, the node is not affected.

   

Solution

1. Log in to the worker node as user root.
2. Run the following commands:

   sed -i "/\/var\/lib\/docker -k docker/d" /etc/audit/rules.d/docker.rules

   service auditd restart

Verification Method

Run the following command to check whether the fault is rectified:

auditctl -l | grep "/var/lib/docker -p rwxa -k docker"

If no command output is displayed, the problem has been resolved.