Debugging Tool: privileged daemonset

LionelJouin · LionelJouin · commit ca2370ca8990 · 2022-10-17T17:41:07.000+02:00
* Daemonset to have access to all worker
* Sharing host network namespace to have access to NetNs of all pods
* /run/netns and /run/contained shared
* New Dockerfile with debugging tools
diff --git a/tools/debug/Dockerfile b/tools/debug/Dockerfile
@@ -0,0 +1,21 @@
+FROM ubuntu:22.04
+
+RUN apt-get update -y --fix-missing \
+  && apt-get install -y iproute2 tcpdump net-tools iputils-ping netcat wget screen xz-utils strace nftables ipvsadm iptables bird2 ethtool conntrack dnsutils jq
+
+ADD https://github.com/Nordix/ctraffic/releases/download/v1.7.0/ctraffic.gz ctraffic.gz
+RUN gunzip ctraffic.gz \
+  && chmod a+x ctraffic
+
+ADD https://github.com/Nordix/mconnect/releases/download/v2.2.0/mconnect.xz mconnect.xz
+RUN unxz mconnect.xz \
+  && chmod a+x mconnect
+
+ADD https://github.com/Nordix/nfqueue-loadbalancer/releases/download/1.0.0/nfqlb-1.0.0.tar.xz /
+RUN tar --strip-components=1 -xf /nfqlb-1.0.0.tar.xz nfqlb-1.0.0/bin/nfqlb
+
+ADD https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.1/crictl-v1.24.1-linux-amd64.tar.gz /
+RUN tar zxvf crictl-v1.24.1-linux-amd64.tar.gz -C /bin
+RUN rm -f crictl-v1.24.1-linux-amd64.tar.gz
+
+CMD ["tail", "-f", "/dev/null"]
diff --git a/tools/debug/debug-daemont.yaml b/tools/debug/debug-daemont.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: debug-meridio-daemonset
+  labels:
+    app: debug-meridio-daemonset
+spec:
+  selector:
+    matchLabels:
+      app: debug-meridio-daemonset
+  template:
+    metadata:
+      labels:
+        app: debug-meridio-daemonset
+    spec:
+      hostNetwork: true
+      containers:
+        - name: debug
+          image: registry.nordix.org/cloud-native/meridio/debug-meridio:latest
+          imagePullPolicy: Always
+          securityContext:
+            capabilities:
+              add:
+              - NET_ADMIN
+              - SYS_ADMIN
+          volumeMounts:
+          - mountPath: /run/netns
+            name: netns-volume
+          - mountPath: /run/containerd
+            name: containerd-volume
+      volumes:
+      - name: netns-volume # To access the network namespaces
+        hostPath:
+          path: /run/netns
+          type: Directory
+      - name: containerd-volume # To use crictl
+        hostPath:
+          path: /run/containerd
+          type: Directory
diff --git a/tools/debug/readme.md b/tools/debug/readme.md
@@ -0,0 +1,46 @@
+# Debugging
+
+## Deploy 
+
+```
+kubectl apply -f tools/debug/debug-daemont.yaml
+```
+
+## Build
+
+```
+docker build -t debug-meridio -f tools/debug/Dockerfile .
+docker tag debug-meridio:latest registry.nordix.org/cloud-native/meridio/debug-meridio:latest
+docker push registry.nordix.org/cloud-native/meridio/debug-meridio:latest
+```
+
+## Commands
+List netns::
+```
+ls -1i /var/run/netn
+```
+
+List netns (more details):
+```
+lsns -t net
+```
+
+Check the processes running in the network namespace:
+```
+ls -l /proc/[1-9]*/ns/net | grep <NS> | cut -f3 -d"/" | xargs ps -p
+```
+
+Find pid from container ID:
+```
+crictl inspect --output go-template --template '{{.info.pid}}' <CONTAINER-ID>
+```
+
+List containers:
+```
+crictl ps
+```
+
+Find network namespace from pod ID:
+```
+crictl inspectp <POD-ID> | jq -r '.info.runtimeSpec.linux.namespaces[] |select(.type=="network") | .path'
+```
