As a drive-by, enforce the linux/amd64 platform to be safe.
Workloads in the kube-system namespace would block cluster-autoscaler from evicting workloads unless a PDB was defined (see also [1]). Set an annotation to disregard the constraint for doks-debug which should never block evictions and node draining. [1]: https://github.com/kubernetes/autoscaler/blob/7c86e2813d20db8a943e69e447413ca859b92f97/cluster-autoscaler/FAQ.md#how-to-set-pdbs-to-enable-ca-to-move-kube-system-pods
doks-debug should always terminate immediately.
Upgrade Debian base image to bookworm
Never block cluster-autoscaler
Eliminate termination grace period
These are important for node debugging.
re-add iptables binaries
Simplifies testing in-cluster DNS as the policy enables to query CoreDNS for such requests.
Use ClusterFirstWithHostNet DNS policy
doks switched to containerd container runtime a while ago (https://docs.digitalocean.com/products/kubernetes/details/changelog/#1.20.2-do.0), so while docker is still installed on the nodes it's not useful for debugging k8s containers anymore
remove docker socket mounts and cli
addn: fix the > as for some reason it was incorrect
Add support for crictl into the base images
moving to PAT auth
This adds termshark, lsof and the watch command.
Pull request overview
Syncs this repo with upstream changes to improve node-debug compatibility by moving from Docker to containerd, updating build/release workflows, and refreshing the base image/tooling.
Changes:
- Switch runtime integration from the Docker socket to the containerd socket (manifests + docs) and add `crictl`.
- Update build/release workflows to target `linux/amd64` and publish to GHCR.
- Refresh the `Dockerfile` base image to Debian 12 and update/install additional debugging tools.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| k8s/deployment.yaml | Mounts containerd socket, updates image registry, and adjusts pod settings for host networking/eviction. |
| k8s/daemonset.yaml | Same containerd socket + image registry updates for DaemonSet-based deployment. |
| README.md | Updates usage/docs to reflect containerd + crictl tooling. |
| Dockerfile | Moves to Debian 12, adds more tools, and installs/configures crictl for containerd. |
| .github/workflows/test.yaml | Builds test image explicitly for linux/amd64. |
| .github/workflows/release.yaml | Builds/pushes linux/amd64 image to GHCR and updates login flow. |
Comments suppressed due to low confidence (1)
Dockerfile:1
- The `apt-get install` step doesn't clean up apt lists, which can significantly increase image size (and slow pulls). Consider adding cleanup (e.g., removing `/var/lib/apt/lists/*`) and optionally `--no-install-recommends` to keep the debug image leaner and reduce CI/network overhead.
# match doks-debug version with DOKS worker node image version for kernel
| RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \ | ||
| tar zxvf crictl-${CRICTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin && \ | ||
| rm -f crictl-${CRICTL_VERSION}-linux-amd64.tar.gz |
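Review bot: the crictl tarball fetched by this RUN line is never integrity-checked before `tar zxvf crictl-${CRICTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin` runs, so whatever is served for that URL is extracted straight into the image's PATH; `CRICTL_VERSION` pins a file name, not its contents. Suggest adding a second build ARG holding the expected SHA256 and inserting `echo "${CRICTL_SHA256}  crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" | sha256sum -c -` between the `wget` and the `tar`, so a mismatch fails the build instead of shipping an unverified binary. Dropping the `v` from `tar zxvf` would also keep the build log from listing every extracted file.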
Installing crictl via a direct download without integrity verification introduces supply-chain risk. Consider verifying the tarball with a pinned SHA256 (or signature, if available) before extracting, and fail the build if validation doesn’t match.
| securityContext: | ||
| privileged: true | ||
| image: digitalocean/doks-debug:latest | ||
| image: ghcr.io/digitalocean-packages/doks-debug:latest |
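Review bot: `image: ghcr.io/digitalocean-packages/doks-debug:latest` sits directly under `privileged: true`, so whatever the registry serves for that mutable tag at pull time runs as a privileged pod with the containerd socket mounted, which is node-root by design for a debug pod. That is exactly the case for pinning the image by digest (`@sha256:…`) or at least an immutable version tag, so the set of binaries that gets node-root on a cluster is fixed at review time rather than resolved on each pull.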
Using the latest tag makes rollouts non-reproducible and can lead to unexpected changes when the image updates. Consider pinning to an immutable tag (version) and/or digest (e.g., @sha256:...) so cluster state is deterministic.
| image: ghcr.io/digitalocean-packages/doks-debug:latest | |
| image: ghcr.io/digitalocean-packages/doks-debug:1.0.0 |
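A small pre-apply check for the pinning point made above, as an added example and not part of the doks-debug repo: `image_is_pinned` accepts only references that end in a full `@sha256:` digest, and `check_manifest_images` scans a manifest for `image:` lines and reports the ones that would still float, such as a `:latest` or a bare version tag. The manifest content used in the test is constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): reject container image references in a
# Kubernetes manifest that are not pinned to an immutable digest.
set -eu

# Return 0 if REF is pinned by digest (…@sha256:<64 hex>), 1 otherwise.
# A mutable tag such as :latest, or a version tag without a digest, fails.
image_is_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Scan manifest FILE for "image:" lines (with or without a leading "- "),
# strip surrounding quotes, and report every reference that is not pinned.
# Returns 1 if any unpinned reference was found, 0 if all are pinned.
check_manifest_images() {
  file=$1
  bad=0
  refs=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$file" | tr -d "\"'")
  for ref in $refs; do
    if ! image_is_pinned "$ref"; then
      echo "unpinned image in $file: $ref" >&2
      bad=1
    fi
  done
  return $bad
}
```

Running this over `k8s/deployment.yaml` and `k8s/daemonset.yaml` in CI turns the "pin the image" review comment into a gate: a `:latest` or `:1.0.0` reference fails the job, and only a reference carrying the digest of the image that was actually reviewed gets applied.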
| - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. | ||
|
|
||
| - [`wget`](https://www.gnu.org/software/wget/) - for retrieving files using HTTP, HTTPS, FTP and FTPS. | ||
| - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - A CLI for CRI endpoints. Configured to use `/run/containerd/containerd.sock` as a default endpoint. |
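Review bot: the `crictl` bullet states that `/run/containerd/containerd.sock` is the default endpoint, but that path only exists inside the pod because `k8s/deployment.yaml` and `k8s/daemonset.yaml` mount the host's containerd socket there; the README should say that the default depends on that mount, and that running the image any other way needs the same mount or an explicit `--runtime-endpoint`. Separately, the `wget` line carries trailing whitespace and the `crictl` description starts with "A CLI" while the neighbouring bullets use lowercase after the dash.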
There’s trailing whitespace at the end of this line, which can cause noisy diffs and fail markdown linting in some pipelines. Consider removing the trailing space and keeping the bullet description formatting consistent (e.g., sentence-casing after the dash).
We were some commits behind upstream; this PR syncs the upstream with our own.
This pull request includes several updates to improve compatibility and functionality by transitioning from Docker to containerd, updating the base Docker image, and adding new tools. The most important changes include modifications to the Dockerfiles, workflow files, and Kubernetes manifests.
Transition from Docker to containerd:
- `Dockerfile`: Changed the base image from `debian:10-slim` to `debian:12-slim`, added installation steps for `crictl`, and updated the default image endpoint configuration.
- `README.md`: Updated instructions to reflect the switch from Docker to containerd, including mounting the `containerd` socket and adding `crictl` to the list of tools.
- `k8s/daemonset.yaml` and `k8s/deployment.yaml`: Replaced Docker socket mounts with containerd socket mounts and added annotations for safe eviction and DNS policy.

Workflow updates:
- `.github/workflows/release.yaml` and `.github/workflows/test.yaml`: Added the `--platform linux/amd64` flag to the `docker build` commands to ensure compatibility with the target platform.

Tooling updates:
- `Dockerfile`: Added `iptables` and `wget`, and upgraded `llvm` from version 8 to 13.