Docker Logs API Format Explained

Ahmet Alp Balkan
, on

I recently wrote on a log collector that used Docker’s Container Logs API to subscribe output streams of containers. Most people don’t go this way, because they use well known logging drivers so it’s hard to find any programs consuming this API.

The stream format of this endpoint is not documented anywhere and it is rather cryptic. Docker API clients, such as written for Go, or one I wrote myself for .NET do not help you parse this output.

So here I’m going to explain the output format of the /container/<id>/logs endpoint and offer a Go library to consume it easily.

Docker Logs Format

To examine the logs format, let’s start a container that produces some output:

$ docker run --name=foo busybox sh -c "echo Roses are red violets are blue; sleep 1; echo I have a message that’s from stderr to you >&2"
Roses are red violets are blue
I have a message that’s from stderr to you

Now, let’s use curl to query the logs, and save them to a file.

$ curl -sN --unix-socket /var/run/docker.sock  \
    http://./containers/foo/logs\?stdout\=1\&stderr\=1 | tee logs.txt
Roses are red violets are blue
-I have a message that’s from stderr to you

Where did that - come from? If you look at the hex dump of the file, you will see that our messages are prefixed with some non-printable bytes:

$ hexdump -C logs.txt
00000000  01 00 00 00 00 00 00 1f  52 6f 73 65 73 20 61 72  |........Roses ar|
00000010  65 20 72 65 64 20 76 69  6f 6c 65 74 73 20 61 72  |e red violets ar|
00000020  65 20 62 6c 75 65 0a 02  00 00 00 00 00 00 2d 49  |e blue........-I|
00000030  20 68 61 76 65 20 61 20  6d 65 73 73 61 67 65 20  | have a message |
00000040  74 68 61 74 e2 80 99 73  20 66 72 6f 6d 20 73 74  |that...s from st|
00000050  64 65 72 72 20 74 6f 20  79 6f 75 0a              |derr to you.|

This prefix is called the message header and it is 8 bytes long. Its layout is as follows:

You can find the implementation of this at github.com/docker/docker/pkg/stdcopy package.

Here is the first message:

01 00 00 00 00 00 00 1f 52 6f 73 65 73 20 61 72  65 ...
│  ─────┬── ─────┬─────  R  o  s  e  s     a  r   e ...
│       │        │
└stdout │        │
        │        └─ 0x0000001f = 31 bytes (including the \n at the end)
      unused

Here is the second message:

02  00 00 00 00 00 00 2d 49 20 68 61 76 65 20 61 ...
│   ────┬─── ────┬──────  I     h  a  v  e     a ...
│       │        │
└stderr │        │
        │        └─ 0x0000002d = 45 bytes (including the \n at the end)
      unused

I must note that since it is not documented as part of the API, it may change and break your code. That said, somebody gets broken pretty much every time Docker API is revisioned, so there is that.

dlog: Go library to parse Docker logs stream

Since there are no tools are available out there to parse this log message, I decided to write a Go package called dlog. Check it out on GitHub.

It wraps an io.Reader (raw logs stream) and returns another io.Reader that serves the message entries and strips off the header, which contains stdout/stderr bit.

It is very easy to use. Here is how you print each line of output from the container:

stream := resp.Body          // raw logs stream
rr := dlog.NewReader(stream) // wrap it!

s := bufio.NewScanner(rr)

for s.Scan() {
    fmt.Printf("%q\n", s.String())
}
if err := scanner.Err(); err != nil {
    panic(err)
}

Just a couple performance notes:

This design drops the stdout/stderr byte. If you need it, I welcome contributions. We can probably design a for-loop based scanner that returns a struct that has the stream byte and the message.


If you liked this post, you can follow me on Twitter or subscribe by email to my blog (no more than an article/month).