Add runc symlink for rancher rke2 #2764
Conversation
pkg/runcfanotify/runcfanotify.go
Outdated
| "/usr/bin/conmon", | ||
| "/var/lib/rancher/k3s/data/current/bin/runc", |
There was a problem hiding this comment.
These changes should belong to a specific commit, as I think we forgot them in previous modifications?
There was a problem hiding this comment.
I am also wondering if we should not unify these two arrays into one which would be used by these two files.
There was a problem hiding this comment.
waiting for @alban and if OK will refactor
There was a problem hiding this comment.
I already opened this PR with regard to refactoring:
#2766
In any case, we have several levels of refactoring and the code itself can be shared between the two packages, but I am not 100% sure for the arrays.
There was a problem hiding this comment.
awesome, so I just close this one and you add the new symlinked path to your PR?
There was a problem hiding this comment.
thanks for being reactive Francis!
There was a problem hiding this comment.
awesome, so I just close this one and you add the new symlinked path to your PR?
Please, leave yours open for now as I cannot give you any ETA for when mine will be merged.
thanks for being reactive Francis!
You are welcome.
There was a problem hiding this comment.
Hi!
I tested it locally but rke2 seems not able to use container-hook and/or runc-fanotify:
$ ./rke2
...
INFO[0131] Tunnel authorizer set Kubelet Port 10250
# No events are reported with latest:
$ kubectl logs -n gadget gadget-ktwf6
time="2024-04-26T09:30:03Z" level=info msg="OS detected: Ubuntu 22.04.4 LTS"
time="2024-04-26T09:30:03Z" level=info msg="Kernel detected: 6.5.0-28-generic"
time="2024-04-26T09:30:03Z" level=info msg="Gadget Image: ghcr.io/inspektor-gadget/inspektor-gadget:latest"
...
time="2024-04-26T09:30:05Z" level=warning msg="Skip pod kube-system/rke2-snapshot-validation-webhook-54c5989b65-sg2jp: cannot find container (ID: containerd://0b7c4bb1015db08aef1943e3b136bd364663964bc1e14835fbfe19a058566bfc): loading container with id \"0b7c4bb1015db08aef1943e3b136bd364663964bc1e14835fbfe19a058566bfc\": container \"0b7c4bb1015db08aef1943e3b136bd364663964bc1e14835fbfe19a058566bfc\" in namespace \"k8s.io\": not found"
$ ./kubectl-gadget trace exec -A (remotes/matthyx/patch-2) *%
K8S.NODE K8S.NAMESPACE K8S.POD K8S.CONTAINER PID PPID COMM PCOMM RET ARGS
^C%
# Same with your patch:
$ kubectl logs -n gadget gadget-tndjt (remotes/matthyx/patch-2) %
time="2024-04-26T09:49:10Z" level=info msg="OS detected: Ubuntu 22.04.4 LTS"
time="2024-04-26T09:49:10Z" level=info msg="Kernel detected: 6.5.0-28-generic"
time="2024-04-26T09:49:10Z" level=info msg="Gadget Image: francisrkeregistry.azurecr.io/gadget:HEAD"
...
time="2024-04-26T09:49:11Z" level=warning msg="Skip pod kube-system/rke2-snapshot-validation-webhook-54c5989b65-sg2jp: cannot find container (ID: containerd://0b7c4bb1015db08aef1943e3b136bd364663964bc1e14835fbfe19a058566bfc): loading container with id \"0b7c4bb1015db08aef1943e3b136bd364663964bc1e14835fbfe19a058566bfc\": container \"0b7c4bb1015db08aef1943e3b136bd364663964bc1e14835fbfe19a058566bfc\" in namespace \"k8s.io\": not found"
$ ./kubectl-gadget trace exec -A (remotes/matthyx/patch-2) %
K8S.NODE K8S.NAMESPACE K8S.POD K8S.CONTAINER PID PPID COMM PCOMM RET ARGS
^C%Am I missing something?
Best regards.
can you log in debug and make sure we pick the right |
Nevermind! We indeed pick it: I can trace newly added pod with your changes: $ kubectl run --restart=Never -ti --image=busybox mypod -- sh -c 'while /bin/true ; do whoami ; sleep 3 ; done'
If you don't see a command prompt, try pressing enter.
root
root
root
...
$ ./kubectl-gadget trace exec (remotes/matthyx/patch-2) %
K8S.NODE K8S.NAMESPACE K8S.POD K8S.CONTAINER PID PPID COMM PCOMM RET ARGS
pwmachine default mypod mypod 129879 129434 true sh 0 /bin/true
pwmachine default mypod mypod 129880 129434 whoami sh 0 /bin/whoami
pwmachine default mypod mypod 129942 129434 true sh 0 /bin/true
pwmachine default mypod mypod 129943 129434 whoami sh 0 /bin/whoamiBut not previous one: $ ./kubectl-gadget trace exec -n kube-system
K8S.NODE K8S.NAMESPACE K8S.POD K8S.CONTAINER PID PPID COMM PCOMM RET ARGS
# Nothing is printed |
I wonder if the system pods are running from a different |
Maybe,
Maybe, but I am rather wondering if this is a not a timing problem. |
pkg/runcfanotify/runcfanotify.go
Outdated
| runcPath, err := securejoin.SecureJoin(host.HostRoot, r) | ||
| if err != nil { | ||
| log.Debugf("Runcfanotify: securejoin failed: %s", err) |
There was a problem hiding this comment.
In some cases, the error will already contain "SecureJoin":
https://github.com/cyphar/filepath-securejoin/blob/v0.2.4/join.go#L58
https://cs.opensource.google/go/go/+/refs/tags/go1.22.2:src/io/fs/fs.go;l=256
But not in all cases. So I wonder if we should repeat "securejoin" here. What do you think?
There was a problem hiding this comment.
this is matching what we have in pkg/container-hook/tracer.go
|
@alban can we have a look at merging this, please? |
|
Hi! I just merged #2766, can you please rebase? inspektor-gadget/pkg/container-hook/runtime-finder/finder.go Lines 34 to 44 in 54fe2ac Best regards. |
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
|
thanks @eiffel-fl done! |
There was a problem hiding this comment.
I tested it again and it works fine:
$ ./kubectl-gadget trace exec (remotes/matthyx/patch-2) *%
K8S.NODE K8S.NAMESPACE K8S.POD K8S.CONTAINER PID PPID COMM PCOMM RET ARGS
pwmachine default test-pod test-pod 212820 51797 ls bash 0 /usr/bin/ls
$ ../kubectl get node | awk '{ print $5 }' (remotes/matthyx/patch-2) *%
VERSION
v1.29.2+rke2r1Thank you for this contribution!
Add runc symlink for rancher rke2
Now that we support symlink resolution in runtime path, we can support Rancher rke2 out of the box (similar to what we have for k3s).
How to use
Install rancher https://docs.rke2.io/install/quickstart and try tracing without specifying any runc path.
Testing done
Compiled
igand successfully ran some tracers on rke2.