Add support for stracing containers #1253
Conversation
k8s-ci-robot
added
size/S
TomSweeneyRedHat
left a comment
TomSweeneyRedHat
left a comment
There was a problem hiding this comment.
Change LGTM, but Travis isn't happy.
|
|
||
| if enableStrace { | ||
| go func() { | ||
| straceCmd := exec.Command("strace", "-f", "-o", fmt.Sprintf("/tmp/%v", c.id), "-p", fmt.Sprintf("%d", c.state.Pid)) |
There was a problem hiding this comment.
This will have to be added as a requirement for CRI-O.
oci/oci.go
Outdated
| straceCmd := exec.Command("strace", "-f", "-o", fmt.Sprintf("/tmp/%v", c.id), "-p", fmt.Sprintf("%d", c.state.Pid)) | ||
| _, err := straceCmd.CombinedOutput() | ||
| if err != nil { | ||
| logrus.Infof("Failed to execute strace: %v", err) |
k8s-ci-robot
added
size/M
mrunalp
changed the title
|
Updated and added a commit to allow this when daemon has enabled it explicitly. |
Signed-off-by: Mrunal Patel <[email protected]>
|
/test all |
|
@mrunalp: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
lib/config.go
Outdated
| ContainerExitsDir string `toml:"container_exits_dir"` | ||
|
|
||
| // AllowStrace determinates whether the cri-o strace annotation takes effect | ||
| // or not. |
There was a problem hiding this comment.
I think the “not” case could use more specifics. Perhaps “or not” → “or is silently ignored”? We'll also want similar text in a docs/crio.8.md entry.
server/container_create.go
Outdated
|
|
||
| // Only allow strace annotation if cri-o daemon allows it | ||
| if !s.config.Config.AllowStrace { | ||
| specgen.RemoveAnnotation(annotations.Strace) |
There was a problem hiding this comment.
I'm not sure if the server config is available in CreateContainer or not. But this approach only covers annotations and does not guard against the setting coming in through labels. It would be nice if we could move this guard into CreateContainer somehow to cover both injection paths. As a side benefit, it would allow us to guard against unwanted strace invocations without having to adjust user-supplied annotations (more on leaving annotations alone in opencontainers/runtime-spec#946).
This flag controls whether strace is started for containers with the cri-o strace annotation/label "io.kubernetes.cri-o.Strace". Signed-off-by: Mrunal Patel <[email protected]>
Signed-off-by: Mrunal Patel <[email protected]>
|
Updated. |
|
|
||
| **--cpu-profile**: Set the CPU profile file path | ||
|
|
||
| **--allow-strace**: Allow strace for containers when the strace annotation/label "io.kubernetes.cri-o.Strace=true" is set |
There was a problem hiding this comment.
Except for the last few of these, the options in this man page seem to be ordered alphabetically. There are a number of them, so I think we may want to continue with that alphabetization to keep them easy to find.
| stdinOnce bool | ||
| privileged bool | ||
| trusted bool | ||
| allowStrace bool |
There was a problem hiding this comment.
Do we want to poke these holes one at a time? Or do we want to poke a big hole and add:
server *server.Configso the container can use c.server.AllowStrace? A bigger hole would make the NewContainer interface more stable if we need additional server configs passed through later on.
|
Closing as we need to chase down issues in runc to support this effectively. |
7 participants
Signed-off-by: Mrunal Patel [email protected]
- What I did
Added support to enable strace on containers.
- How I did it
Added an annotation which when passed over the API is taken as a signal to start a strace on the container.
- How to verify it
Set the annotation/label on a container and check that strace process is started for it.
- Description for the changelog