Add a flag for --allow-strace
This flag controls whether strace is started for containers with the cri-o strace annotation/label "io.kubernetes.cri-o.Strace". Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This commit is contained in:
Mrunal Patel
parent
effe1c4281
commit
740b28f7e9
8 changed files with 23 additions and 9 deletions
|
|
@ -147,6 +147,9 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
|
||||||
if ctx.GlobalIsSet("image-volumes") {
|
if ctx.GlobalIsSet("image-volumes") {
|
||||||
config.ImageVolumes = lib.ImageVolumesType(ctx.GlobalString("image-volumes"))
|
config.ImageVolumes = lib.ImageVolumesType(ctx.GlobalString("image-volumes"))
|
||||||
}
|
}
|
||||||
|
if ctx.GlobalIsSet("allow-strace") {
|
||||||
|
config.AllowStrace = ctx.GlobalBool("allow-strace")
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -351,6 +354,10 @@ func main() {
|
||||||
Value: 9090,
|
Value: 9090,
|
||||||
Usage: "port for the metrics endpoint",
|
Usage: "port for the metrics endpoint",
|
||||||
},
|
},
|
||||||
|
cli.BoolFlag{
|
||||||
|
Name: "allow-strace",
|
||||||
|
Usage: "allow the cri-o strace annotation/label to take effect",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
sort.Sort(cli.FlagsByName(app.Flags))
|
sort.Sort(cli.FlagsByName(app.Flags))
|
||||||
|
|
|
||||||
|
|
@ -168,6 +168,10 @@ type RuntimeConfig struct {
|
||||||
// ContainerExitsDir is the directory in which container exit files are
|
// ContainerExitsDir is the directory in which container exit files are
|
||||||
// written to by conmon.
|
// written to by conmon.
|
||||||
ContainerExitsDir string `toml:"container_exits_dir"`
|
ContainerExitsDir string `toml:"container_exits_dir"`
|
||||||
|
|
||||||
|
// AllowStrace determinates whether strace is started for a container
|
||||||
|
// which has the CRI-O strace annotation/label "io.kubernetes.cri-o.Strace=true".
|
||||||
|
AllowStrace bool `toml:"allow_strace"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ImageConfig represents the "crio.image" TOML config table.
|
// ImageConfig represents the "crio.image" TOML config table.
|
||||||
|
|
|
||||||
|
|
@ -389,7 +389,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
scontainer, err := oci.NewContainer(m.Annotations[annotations.ContainerID], cname, sandboxPath, m.Annotations[annotations.LogPath], sb.NetNs(), labels, m.Annotations, kubeAnnotations, "", "", "", nil, id, false, false, false, privileged, trusted, sandboxDir, created, m.Annotations["org.opencontainers.image.stopSignal"])
|
scontainer, err := oci.NewContainer(m.Annotations[annotations.ContainerID], cname, sandboxPath, m.Annotations[annotations.LogPath], sb.NetNs(), labels, m.Annotations, kubeAnnotations, "", "", "", nil, id, false, false, false, privileged, trusted, c.Config().AllowStrace, sandboxDir, created, m.Annotations["org.opencontainers.image.stopSignal"])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
@ -513,7 +513,7 @@ func (c *ContainerServer) LoadContainer(id string) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations[annotations.LogPath], sb.NetNs(), labels, m.Annotations, kubeAnnotations, img, imgName, imgRef, &metadata, sb.ID(), tty, stdin, stdinOnce, sb.Privileged(), sb.Trusted(), containerDir, created, m.Annotations["org.opencontainers.image.stopSignal"])
|
ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations[annotations.LogPath], sb.NetNs(), labels, m.Annotations, kubeAnnotations, img, imgName, imgRef, &metadata, sb.ID(), tty, stdin, stdinOnce, sb.Privileged(), sb.Trusted(), c.Config().AllowStrace, containerDir, created, m.Annotations["org.opencontainers.image.stopSignal"])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -36,6 +36,7 @@ type Container struct {
|
||||||
stdinOnce bool
|
stdinOnce bool
|
||||||
privileged bool
|
privileged bool
|
||||||
trusted bool
|
trusted bool
|
||||||
|
allowStrace bool
|
||||||
state *ContainerState
|
state *ContainerState
|
||||||
metadata *pb.ContainerMetadata
|
metadata *pb.ContainerMetadata
|
||||||
opLock sync.Locker
|
opLock sync.Locker
|
||||||
|
|
@ -71,7 +72,7 @@ type ContainerState struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewContainer creates a container object.
|
// NewContainer creates a container object.
|
||||||
func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, crioAnnotations map[string]string, annotations map[string]string, image string, imageName string, imageRef string, metadata *pb.ContainerMetadata, sandbox string, terminal bool, stdin bool, stdinOnce bool, privileged bool, trusted bool, dir string, created time.Time, stopSignal string) (*Container, error) {
|
func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, crioAnnotations map[string]string, annotations map[string]string, image string, imageName string, imageRef string, metadata *pb.ContainerMetadata, sandbox string, terminal bool, stdin bool, stdinOnce bool, privileged bool, trusted bool, allowStrace bool, dir string, created time.Time, stopSignal string) (*Container, error) {
|
||||||
state := &ContainerState{}
|
state := &ContainerState{}
|
||||||
state.Created = created
|
state.Created = created
|
||||||
c := &Container{
|
c := &Container{
|
||||||
|
|
@ -87,6 +88,7 @@ func NewContainer(id string, name string, bundlePath string, logPath string, net
|
||||||
stdinOnce: stdinOnce,
|
stdinOnce: stdinOnce,
|
||||||
privileged: privileged,
|
privileged: privileged,
|
||||||
trusted: trusted,
|
trusted: trusted,
|
||||||
|
allowStrace: allowStrace,
|
||||||
metadata: metadata,
|
metadata: metadata,
|
||||||
annotations: annotations,
|
annotations: annotations,
|
||||||
crioAnnotations: crioAnnotations,
|
crioAnnotations: crioAnnotations,
|
||||||
|
|
|
||||||
|
|
@ -312,7 +312,7 @@ func (r *Runtime) CreateContainer(c *Container, cgroupParent string) (err error)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if enableStrace {
|
if enableStrace && c.allowStrace {
|
||||||
go func() {
|
go func() {
|
||||||
straceCmd := exec.Command("strace", "-f", "-o", fmt.Sprintf("/tmp/%v", c.id), "-p", fmt.Sprintf("%d", c.state.Pid))
|
straceCmd := exec.Command("strace", "-f", "-o", fmt.Sprintf("/tmp/%v", c.id), "-p", fmt.Sprintf("%d", c.state.Pid))
|
||||||
_, err := straceCmd.CombinedOutput()
|
_, err := straceCmd.CombinedOutput()
|
||||||
|
|
@ -321,6 +321,7 @@ func (r *Runtime) CreateContainer(c *Container, cgroupParent string) (err error)
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1165,7 +1165,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
|
|
||||||
crioAnnotations := specgen.Spec().Annotations
|
crioAnnotations := specgen.Spec().Annotations
|
||||||
|
|
||||||
container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.NetNs(), labels, crioAnnotations, kubeAnnotations, image, imageName, imageRef, metadata, sb.ID(), containerConfig.Tty, containerConfig.Stdin, containerConfig.StdinOnce, sb.Privileged(), sb.Trusted(), containerInfo.Dir, created, containerImageConfig.Config.StopSignal)
|
container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.NetNs(), labels, crioAnnotations, kubeAnnotations, image, imageName, imageRef, metadata, sb.ID(), containerConfig.Tty, containerConfig.Stdin, containerConfig.StdinOnce, sb.Privileged(), sb.Trusted(), s.config.Config.AllowStrace, containerInfo.Dir, created, containerImageConfig.Config.StopSignal)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -67,7 +67,7 @@ func TestGetContainerInfo(t *testing.T) {
|
||||||
"io.kubernetes.test1": "value1",
|
"io.kubernetes.test1": "value1",
|
||||||
}
|
}
|
||||||
getContainerFunc := func(id string) *oci.Container {
|
getContainerFunc := func(id string) *oci.Container {
|
||||||
container, err := oci.NewContainer("testid", "testname", "", "/container/logs", mockNetNS{}, labels, annotations, annotations, "image", "imageName", "imageRef", &runtime.ContainerMetadata{}, "testsandboxid", false, false, false, false, false, "/root/for/container", created, "SIGKILL")
|
container, err := oci.NewContainer("testid", "testname", "", "/container/logs", mockNetNS{}, labels, annotations, annotations, "image", "imageName", "imageRef", &runtime.ContainerMetadata{}, "testsandboxid", false, false, false, false, false, false, "/root/for/container", created, "SIGKILL")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
@ -184,7 +184,7 @@ func TestGetContainerInfoCtrStateNil(t *testing.T) {
|
||||||
labels := map[string]string{}
|
labels := map[string]string{}
|
||||||
annotations := map[string]string{}
|
annotations := map[string]string{}
|
||||||
getContainerFunc := func(id string) *oci.Container {
|
getContainerFunc := func(id string) *oci.Container {
|
||||||
container, err := oci.NewContainer("testid", "testname", "", "/container/logs", mockNetNS{}, labels, annotations, annotations, "imageName", "imageName", "imageRef", &runtime.ContainerMetadata{}, "testsandboxid", false, false, false, false, false, "/root/for/container", created, "SIGKILL")
|
container, err := oci.NewContainer("testid", "testname", "", "/container/logs", mockNetNS{}, labels, annotations, annotations, "imageName", "imageName", "imageRef", &runtime.ContainerMetadata{}, "testsandboxid", false, false, false, false, false, false, "/root/for/container", created, "SIGKILL")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
@ -215,7 +215,7 @@ func TestGetContainerInfoSandboxNotFound(t *testing.T) {
|
||||||
labels := map[string]string{}
|
labels := map[string]string{}
|
||||||
annotations := map[string]string{}
|
annotations := map[string]string{}
|
||||||
getContainerFunc := func(id string) *oci.Container {
|
getContainerFunc := func(id string) *oci.Container {
|
||||||
container, err := oci.NewContainer("testid", "testname", "", "/container/logs", mockNetNS{}, labels, annotations, annotations, "imageName", "imageName", "imageRef", &runtime.ContainerMetadata{}, "testsandboxid", false, false, false, false, false, "/root/for/container", created, "SIGKILL")
|
container, err := oci.NewContainer("testid", "testname", "", "/container/logs", mockNetNS{}, labels, annotations, annotations, "imageName", "imageName", "imageRef", &runtime.ContainerMetadata{}, "testsandboxid", false, false, false, false, false, false, "/root/for/container", created, "SIGKILL")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -484,7 +484,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
g.AddAnnotation(annotations.HostnamePath, hostnamePath)
|
g.AddAnnotation(annotations.HostnamePath, hostnamePath)
|
||||||
sb.AddHostnamePath(hostnamePath)
|
sb.AddHostnamePath(hostnamePath)
|
||||||
|
|
||||||
container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logPath, sb.NetNs(), labels, g.Spec().Annotations, kubeAnnotations, "", "", "", nil, id, false, false, false, sb.Privileged(), sb.Trusted(), podContainer.Dir, created, podContainer.Config.Config.StopSignal)
|
container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logPath, sb.NetNs(), labels, g.Spec().Annotations, kubeAnnotations, "", "", "", nil, id, false, false, false, sb.Privileged(), sb.Trusted(), s.config.Config.AllowStrace, podContainer.Dir, created, podContainer.Config.Config.StopSignal)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue