cloudapi: git sha version api and journal for workers

[lzap]

Adds a runtime information similarily as in image builder and a logrus hook that is used to put git sha to every single log message. This way we can tell which version was log created with since composer and workers sometimes are running different versions.

This data is then leveraged in a new simple /version cloud API call that returns the data similarily to IB. My plan is to call this from IB too so IB reports both its and composer version info.

Finally, I noticed that workers create pretty unreadable logs, it is a string-encoded JSON:

{"message":"{\"channel\":\"staging\",\"file\":\"/opt/app-root/src/internal/common/slogger/logrus.go:29\",\"func\":\"github.com/osbuild/osbuild-composer/internal/common/slogger.(*simpleLogrus).log\",\"job_dependencies\":\"[8402b9c0-ac94-4952-8609-1ad4e575a28a e30715cd-0a59-4993-a530-fdb2189ad2bb]\",\"job_id\":\"be17e941-d8f5-4de2-9eb3-e7a1b3ee41d8\",\"job_type\":\"manifest-id-only\",\"level\":\"info\",\"msg\":\"Dequeued job\",\"time\":\"2024-11-20T12:10:37Z\"}\n","ident":"osbuild-composer","host":"composer-5dcd8bfdf9-bhrv6"}

This patch builds on top of native journald capability which I added last year and is used in on-prem mode. Instead using standard output/err worker now detects if there is a systemd-journald running and uses its native API to send logs in structured form.

This means all logs are native now, it can be inspected with journalctl and what is more important they should get into Kibana/Splunk as regular JSON improving our searching capabilities:

journalctl -o verbose
...
    BUILD_TIME=2024-11-20T11:24:49Z
    BUILD_COMMIT=ff2660
    PRIORITY=3
    MESSAGE=Requesting job failed: Post "https://0:8881/api/worker/v1/jobs": dial tcp 0.0.0.0:8881: connect: connection refused
    _PID=254883
    _COMM=__debug_bin3968
    _EXE=/home/lzap/osbuild-composer/cmd/osbuild-worker/__debug_bin396826732
    _CMDLINE=/home/lzap/osbuild-composer/cmd/osbuild-worker/__debug_bin396826732 0:8881
    _SOURCE_REALTIME_TIMESTAMP=1732108805201853
Wed 2024-11-20 14:20:05.201871 CET [s=83cfd176837d4a15b19c452be25c8593;i=1ed8;b=3d1a7f8752454afda1a56b25debf50d9;m=664c2be936;t=62758020be16c;x=299933d4e616281a]
    _SELINUX_CONTEXT=kernel
    _BOOT_ID=3d1a7f8752454afda1a56b25debf50d9
    _MACHINE_ID=90304ac7a1274d6ca3abfee98b7975c1
    _HOSTNAME=dev.home.lan
    _RUNTIME_SCOPE=system
...

I know this is sort of two features in one PR but these are tiny changes, the API endpoint is super small and I wrote a test.

[lzap]

We have the very same code in image-builder too, this is a copy-paste literally.

[mvo5]

Quick drive-by wondering inline

[mvo5]

This comment (4 chars) seems to not match the implementaion AFACIT

[mvo5]

Is bi actually defined (i.e. non-nil) if we get a !ok before (if not we would crash here)? I wonder if it wouldn't be cleaner to define the defaults directly in var BuildCommit = "N/A" and just return on if !ok { return }(?)

[schuellerf]

No major comment additionally to the already mentioned ones.
In image builder we changed the way some paths are handled so they don't need authentication, which might be neat for /version but I'd approve as this might be easier in a followup PR

[schuellerf]

I like the paths without auth 😎
But should it be

Suggested change

	e.GET("/status", func(c echo.Context) error {
	e.GET("/version", func(c echo.Context) error {

?

[lzap]

I know right, but this is what is in the image-builder :-) Do you want me to break this pattern? I am fine with that, can also create both maybe?

[schuellerf]

I think /version exists as it's in the openapi.v2.yml so this might already result in both existing (which is good)
Rather somehow assure /version not to be authenticated

[lzap]

Ok added /version with non-auth middleware and also adding status/ready as fixed paths that simply return 200 without ANY middleware because we do not this to be logged or have metrics as k8s calls this every now and then.

[lzap]

For full transparency, I sneaked this hunk in with the last amend, I realized that go linter lints also vendor directories and that slows it significantly. Can do a separate PR if requested.

[schuellerf]

I think this is good, but when thinking about it … that's the version of osbuild-composer not the worker, right? (in contrast to the PR title and commit subject :-/ )

[schuellerf]

The API is "push" in this case - so the worker would have to "push" it's version, maybe?

osbuild-composer/internal/worker/api/openapi.yml

Line 349 in 64ff0e3

properties:

[lzap]

Oh yeah I started the patch with intention to include sha git in all log messages which was done. Then the version endpoint was added, yeah, this is just for the composer.

We can definitely add workers at some point, out of scope for this patch I would say.

[schuellerf]

So this could be either split in two commits or at least the description (PR and commit) should denote that this is touching worker and composer?

[lzap]

I have split it into multiple commits, rebased.

[schuellerf]

lgtm, thanks!

[lzap]

The only test failing is edge-farm, rebasing.

[lzap]

@croissanne @ezr-ondrej @mvo5 please re-review tests are good I want to get this one merged to increase readability of logs from composer and continue further improving logs with standardized correlation thanks!