Add support for stracing containers #1253
Conversation
k8s-ci-robot
added
size/S
oci/oci.go
Outdated
|
|
||
| if enableStrace { | ||
| go func() { | ||
| straceCmd := exec.Command("strace", "-f", "-o", fmt.Sprintf("/tmp/%v", c.id), "-p", fmt.Sprintf("%d", c.state.Pid)) |
There was a problem hiding this comment.
This will have to be added as a requirement for CRI-O.
oci/oci.go
Outdated
| straceCmd := exec.Command("strace", "-f", "-o", fmt.Sprintf("/tmp/%v", c.id), "-p", fmt.Sprintf("%d", c.state.Pid)) | ||
| _, err := straceCmd.CombinedOutput() | ||
| if err != nil { | ||
| logrus.Infof("Failed to execute strace: %v", err) |
k8s-ci-robot
added
size/M
mrunalp
changed the title
|
Updated and added a commit to allow this when daemon has enabled it explicitly. |
Signed-off-by: Mrunal Patel <[email protected]>
|
/test all |
|
@mrunalp: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
lib/config.go
Outdated
| @@ -168,6 +168,10 @@ type RuntimeConfig struct { | |||
| // ContainerExitsDir is the directory in which container exit files are | |||
| // written to by conmon. | |||
| ContainerExitsDir string `toml:"container_exits_dir"` | |||
|
|
|||
| // AllowStrace determinates whether the cri-o strace annotation takes effect | |||
| // or not. | |||
There was a problem hiding this comment.
I think the “not” case could use more specifics. Perhaps “or not” → “or is silently ignored”? We'll also want similar text in a docs/crio.8.md entry.
server/container_create.go
Outdated
| @@ -737,6 +737,11 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string, | |||
| } | |||
| } | |||
|
|
|||
| // Only allow strace annotation if cri-o daemon allows it | |||
| if !s.config.Config.AllowStrace { | |||
| specgen.RemoveAnnotation(annotations.Strace) | |||
There was a problem hiding this comment.
I'm not sure if the server config is available in CreateContainer or not. But this approach only covers annotations and does not guard against the setting coming in through labels. It would be nice if we could move this guard into CreateContainer somehow to cover both injection paths. As a side benefit, it would allow us to guard against unwanted strace invocations without having to adjust user-supplied annotations (more on leaving annotations alone in opencontainers/runtime-spec#946).
This flag controls whether strace is started for containers with the cri-o strace annotation/label "io.kubernetes.cri-o.Strace". Signed-off-by: Mrunal Patel <[email protected]>
Signed-off-by: Mrunal Patel <[email protected]>
|
Updated. |
| @@ -120,6 +120,8 @@ crio [GLOBAL OPTIONS] config [OPTIONS] | |||
|
|
|||
| **--cpu-profile**: Set the CPU profile file path | |||
|
|
|||
| **--allow-strace**: Allow strace for containers when the strace annotation/label "io.kubernetes.cri-o.Strace=true" is set | |||
There was a problem hiding this comment.
Except for the last few of these, the options in this man page seem to be ordered alphabetically. There are a number of them, so I think we may want to continue with that alphabetization to keep them easy to find.
| @@ -36,6 +36,7 @@ type Container struct { | |||
| stdinOnce bool | |||
| privileged bool | |||
| trusted bool | |||
| allowStrace bool | |||
There was a problem hiding this comment.
Do we want to poke these holes one at a time? Or do we want to poke a big hole and add:
server *server.Configso the container can use c.server.AllowStrace? A bigger hole would make the NewContainer interface more stable if we need additional server configs passed through later on.
|
Closing as we need to chase down issues in runc to support this effectively. |
Signed-off-by: Mrunal Patel [email protected]
- What I did
Added support to enable strace on containers.
- How I did it
Added an annotation which when passed over the API is taken as a signal to start a strace on the container.
- How to verify it
Set the annotation/label on a container and check that strace process is started for it.
- Description for the changelog