Did you know these facts about sos?
Posted by jlrueda@reddit | linuxadmin | View on Reddit | 4 comments
Did you know that the Linux sos command is available in most Linux distributions and that in 53 seconds it generates a compressed and encrypted tar file of less than 15MB containing over 10,000 text files, including logs, output from more than 500 diagnostic commands, and over 1,800 configuration files? This file can then be transferred to a secure server so that the information can be analyzed by your team (or by an AI), making it easy to integrate into your existing CI/CD pipeline.
In less than a minute, you have all the information needed to detect problems, find root causes (RCA), take inventory, review system security, or measure system performance without needing to establish a single server session. This translates to greater security and less exposure, and the ability to analyze the same information simultaneously by different teams (SRE, NetTeam, DBA, DevOps, SecOps, QA, etc.).
This compressed and encrypted tar file is known as a sosreport. And if you maintain a history of sosreports for each server, you can compare them or the same server over time to identify discrepancies in behavior, configuration changes, and keep an inventory of hardware and software.
sos is not a monitoring system or a SIEM. It's a diagnostic tool. And it's completely open-source.
I write articles about the sos command because there is much more to say about it. Visit my blog https://sos-vault.com/blog/sos-command
Do you use the sos command?
kai_ekael@reddit
So, on an impacted system that may be overloaded, short on resources or who knows what, run a big utility to gather and copy a bunch of stuff over the network.
Pass.
DJ_Patron@reddit
Never heard of it. I think it's because this thing will never collect Docker logs or logs of things which spin on a production server, so it is useless.
jlrueda@reddit (OP)
sos has around 300 plugins for all kinds of "specific things". Here is a list of the first 100: https://sos-vault.com/blog/sos-command/15-sos-report-available-plugins
jlrueda@reddit (OP)
The `sos report` (formerly `sosreport`) tool uses a modular system where the Docker plugin is responsible for collecting diagnostic information from your Docker environment. [1, 2] This plugin automatically gathers critical data such as container lists, image details, network configurations, and volume information to help troubleshoot issues. [1]
Common Commands for the Docker Plugin
To manage or run the Docker plugin specifically, you can use the following `sos report` flags:
Data Collected by the Plugin [1]
When enabled, the plugin typically captures the output of various Docker commands and stores them within the `sos_commands/docker/` directory of the final archive: [1, 2]
- `docker info` and `docker version`.
- `docker ps -a` (all containers).
- `docker images` (available images).
- `docker network ls` and `docker volume ls`.
- `docker inspect` for containers, networks, and volumes. [1, 2, 3, 4, 5]