From b19401b379ff7339b9f59b28946de42320697641 Mon Sep 17 00:00:00 2001 From: Timo Reimann Date: Tue, 30 Apr 2024 10:24:20 +0200 Subject: [PATCH 01/16] Upgrade Debian base image to bookworm As a drive-by, enforce the linux/amd64 to be safe. --- .github/workflows/release.yaml | 2 +- .github/workflows/test.yaml | 2 +- Dockerfile | 8 +++----- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5d878d1..9bf6862 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,7 +19,7 @@ jobs: fetch-depth: 1 - name: build image - run: docker build -t digitalocean/doks-debug:latest . + run: docker build --platform linux/amd64 -t digitalocean/doks-debug:latest . - name: Log into container registry run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 38097ea..f6b0e5b 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -13,7 +13,7 @@ jobs: fetch-depth: 1 - name: build image - run: docker build -t doks-debug . + run: docker build --platform linux/amd64 -t doks-debug . - name: smoke test run: docker run --rm doks-debug sleep 1 diff --git a/Dockerfile b/Dockerfile index 51b3342..8979298 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # match doks-debug version with DOKS worker node image version for kernel # tooling compatibility reasons -FROM debian:10-slim +FROM debian:12-slim WORKDIR /root 
@@ -11,8 +11,6 @@ RUN echo 'path-exclude=/usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-include=/usr/share/doc/*/copyright' > /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list - RUN apt-get update -qq && \ apt-get install -y apt-transport-https \ ca-certificates \ @@ -42,12 +40,12 @@ RUN apt-get update -qq && \ dsniff \ mtr-tiny \ conntrack \ - llvm-8 llvm-8-tools \ + llvm-13 llvm-13-tools \ bpftool RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" && \ apt-get update -qq && \ - apt-get install -y docker-ce + apt-get install -y docker CMD [ "/bin/bash" ] From 8a1c2295f05633e0dfb4d1eea05a55b9339198f8 Mon Sep 17 00:00:00 2001 From: Timo Reimann Date: Tue, 30 Apr 2024 10:04:00 +0200 Subject: [PATCH 02/16] Never block cluster-autoscaler Workloads in the kube-system namespace would block cluster-autoscaler from evicting workloads unless a PDB was defined (see also [1]). Set an annotation to disregard the constraint for doks-debug which should never block evictions and node draining. [1]: https://github.com/kubernetes/autoscaler/blob/7c86e2813d20db8a943e69e447413ca859b92f97/cluster-autoscaler/FAQ.md#how-to-set-pdbs-to-enable-ca-to-move-kube-system-pods --- k8s/daemonset.yaml | 1 + k8s/deployment.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 6bd1527..e5f2961 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -15,6 +15,7 @@ spec: name: doks-debug annotations: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: hostPID: true hostIPC: true 
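Review bot: The new last line of the second Dockerfile hunk, `apt-get install -y docker`, names a package that the download.docker.com repository configured just above it does not publish (that repository ships `docker-ce` and `docker-ce-cli`). apt will therefore either fail or resolve `docker` from the Debian archive, which is presumably not the Docker CLI. If only the client is needed to talk to the mounted socket, `apt-get install -y docker-ce-cli` keeps the install tied to the repository whose key was just added. Separately, the unchanged context pipes the key into `apt-key add`, which is deprecated and trusts that key for every configured source; a keyring file referenced with `signed-by=` in the `deb` line would scope it to this one repository.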
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 50816d0..35c5310 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -16,6 +16,7 @@ spec: name: doks-debug annotations: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: hostPID: true hostIPC: true From 103829823f18478745f9c40f608ac7f651d4e220 Mon Sep 17 00:00:00 2001 From: Timo Reimann Date: Tue, 30 Apr 2024 10:32:11 +0200 Subject: [PATCH 03/16] Eliminate termination grace period doks-debug should always terminate immediately. --- k8s/daemonset.yaml | 1 + k8s/deployment.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 6bd1527..0d202a6 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -39,6 +39,7 @@ spec: mountPath: /host - name: docker mountPath: /var/run/docker.sock + terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 50816d0..6748128 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -40,6 +40,7 @@ spec: mountPath: /host - name: docker mountPath: /var/run/docker.sock + terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: From 61af11ad2f8910e9b10a6668cb830ebf0b80c7ab Mon Sep 17 00:00:00 2001 From: Ingo Gottwald Date: Tue, 30 Apr 2024 13:46:37 +0200 Subject: [PATCH 04/16] re-add iptables binaries These are important for node debugging. --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 8979298..c486dfd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,6 +30,7 @@ RUN apt-get update -qq && \ tcpdump \ traceroute \ iputils-ping \ + iptables \ net-tools \ ncat \ iproute2 \ From eb3e1252628608093ab26abf5b2f45b0dd08e36b Mon Sep 17 00:00:00 2001 
From: Timo Reimann Date: Wed, 3 Jul 2024 12:51:07 +0200 Subject: [PATCH 05/16] Use ClusterFirstWithHostNet DNS policy Simplifies testing in-cluster DNS as the policy enables to query CoreDNS for such requests. --- k8s/daemonset.yaml | 1 + k8s/deployment.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 337a503..ae9e56e 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -17,6 +17,7 @@ spec: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + dnsPolicy: ClusterFirstWithHostNet hostPID: true hostIPC: true hostNetwork: true diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 6ea2b48..8ea98c7 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -18,6 +18,7 @@ spec: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + dnsPolicy: ClusterFirstWithHostNet hostPID: true hostIPC: true hostNetwork: true From 66ce3f5af37d8709a3e44c03df8659559a11ef1b Mon Sep 17 00:00:00 2001 From: Dasha Komsa Date: Thu, 22 Aug 2024 09:59:07 -0400 Subject: [PATCH 06/16] remove docker socket mounts and cli doks switched to containerd container runtime a while ago (https://docs.digitalocean.com/products/kubernetes/details/changelog/#1.20.2-do.0), so while docker is still installed on the nodes it's not useful for debugging k8s containers anymore --- Dockerfile | 5 ----- README.md | 2 -- k8s/daemonset.yaml | 6 ------ k8s/deployment.yaml | 6 ------ 4 files changed, 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index c486dfd..71bfb67 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -44,9 +44,4 @@ RUN apt-get update -qq && \ llvm-13 llvm-13-tools \ bpftool -RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \ - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" && \ - apt-get update -qq && \ - apt-get install -y docker - CMD [ "/bin/bash" ] diff --git a/README.md b/README.md index 9485b02..8b75afd 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,6 @@ This DaemonSet manifest will: 1. Ensure a pod with our Docker image is running indefinitely on every node. 2. Use `hostPID`, `hostIPC`, and `hostNetwork`. 3. Mount the entire host filesystem to `/host` in the containers. - 4. Mount `/var/run/docker.sock` from the host. In order to make use of these workloads, you can exec into a pod of choice by name: 
@@ -47,7 +46,6 @@ Once you're in, you have access to the set of tools listed in the `Dockerfile`. - [`netcat`](https://linux.die.net/man/1/nc) - is a multi-tool for interacting with TCP and UDP; it can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. - [`iproute2`](https://wiki.linuxfoundation.org/networking/iproute2) - is a collection of utilities for controlling TCP / IP networking and traffic control in Linux. - [`strace`](https://github.com/strace/strace) - is a diagnostic, debugging and instructional userspace utility with a traditional command-line interface for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. - - [`docker`](https://docs.docker.com/engine/reference/commandline/cli/) - is the CLI tool used for interacting with Docker containers on the system. - [`dstat`](http://dag.wiee.rs/home-made/dstat/) - is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting. - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems. - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index ae9e56e..8f8a9d1 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -39,17 +39,11 @@ spec: volumeMounts: - name: host mountPath: /host - - name: docker - mountPath: /var/run/docker.sock terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / - - name: docker - hostPath: - path: /var/run/docker.sock - type: Socket updateStrategy: rollingUpdate: maxSurge: 0 
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 8ea98c7..c61d2a1 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -40,17 +40,11 @@ spec: volumeMounts: - name: host mountPath: /host - - name: docker - mountPath: /var/run/docker.sock terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / - - name: docker - hostPath: - path: /var/run/docker.sock - type: Socket strategy: rollingUpdate: maxSurge: 0 From 2cc0c8cc22f11c8d2ef6c8c644a917c4d8558688 Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 12:36:41 +0100 Subject: [PATCH 07/16] Add second '>' for correct output redirection in Dockerfile --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 71bfb67..02db265 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,10 +6,10 @@ WORKDIR /root # use same dpkg path-exclude settings that come by default with ubuntu:focal # image that we previously used -RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-exclude=/usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/copyright' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' > /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' >> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-exclude=/usr/share/doc/*' >> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/copyright' ≥> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' ≥> /etc/dpkg/dpkg.cfg.d/excludes RUN apt-get update -qq && \ apt-get install -y apt-transport-https \ From 1a41ee1f0af0dfc53fbd8926e535a48610262f48 Mon Sep 17 00:00:00 2001 
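Review bot: The last two added lines of the PATCH 07/16 Dockerfile hunk redirect with `≥>` rather than `>>`. The shell treats the non-ASCII `≥` as one more argument to `echo` and the remaining `>` truncates the file, so after the fourth `RUN` `/etc/dpkg/dpkg.cfg.d/excludes` holds only the changelog rule with a stray ` ≥` appended, and both `path-exclude` rules are gone. The lines should read `RUN echo 'path-include=/usr/share/doc/*/copyright' >> /etc/dpkg/dpkg.cfg.d/excludes` and likewise for the `changelog.Debian.*` rule. Writing all four rules from a single `RUN printf '%s\n' … > /etc/dpkg/dpkg.cfg.d/excludes` would remove the dependence on append order and save three layers.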
From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:31:53 +0100 Subject: [PATCH 08/16] Update Dockerfile to include crictl addn: fix the > as for some reason it was incorrect --- Dockerfile | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 02db265..8e11884 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,14 +2,17 @@ # tooling compatibility reasons FROM debian:12-slim +# Specify the version of crictl to install +ARG CRICTL_VERSION="v1.31.1" + WORKDIR /root # use same dpkg path-exclude settings that come by default with ubuntu:focal # image that we previously used RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' >> /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-exclude=/usr/share/doc/*' >> /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/copyright' ≥> /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' ≥> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/copyright' >> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' >> /etc/dpkg/dpkg.cfg.d/excludes RUN apt-get update -qq && \ apt-get install -y apt-transport-https \ @@ -42,6 +45,17 @@ RUN apt-get update -qq && \ mtr-tiny \ conntrack \ llvm-13 llvm-13-tools \ + wget \ bpftool +# Install crictl +RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \ + tar zxvf crictl-${CRICTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin && \ + rm -f crictl-${CRICTL_VERSION}-linux-amd64.tar.gz + +# Specify the default image endpoint for crictl +RUN echo 'runtime-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml +RUN echo 'image-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml +RUN echo 'timeout: 2' >> /etc/crictl.yaml + CMD [ "/bin/bash" ] 
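Review bot: The `# Install crictl` step in the second hunk unpacks the downloaded tarball into `/usr/local/bin` without verifying it, so the binary that later runs in a privileged pod is whatever the URL served at build time. The cri-tools releases publish a `.sha256` file next to each tarball; pinning that digest in an `ARG` beside `CRICTL_VERSION` and checking it with `sha256sum -c` before `tar` closes the gap. Extracting only the `crictl` member with `--no-same-owner` also keeps archive-supplied ownership and any extra members out of `/usr/local/bin`. The three `echo … >> /etc/crictl.yaml` lines could be folded into one `RUN printf` as well.

```dockerfile
# Digest of the release tarball, copied from the upstream .sha256 file for CRICTL_VERSION
ARG CRICTL_SHA256="<sha256-of-crictl-tarball>"

# Install crictl
RUN wget -q https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \
    echo "${CRICTL_SHA256}  crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" | sha256sum -c - && \
    tar zxf crictl-${CRICTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin --no-same-owner crictl && \
    rm -f crictl-${CRICTL_VERSION}-linux-amd64.tar.gz
# … unchanged: /etc/crictl.yaml defaults …
```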
From 176c0d607e67d129b64ea56cbf1ace5a5f80560e Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:37:26 +0100 Subject: [PATCH 09/16] Add containerd mounts to daemonset --- k8s/daemonset.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 8f8a9d1..740c52f 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -39,11 +39,17 @@ spec: volumeMounts: - name: host mountPath: /host + - name: containerd + mountPath: /run/containerd/containerd.sock terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / + - name: containerd + hostPath: + path: /run/containerd/containerd.sock + type: Socket updateStrategy: rollingUpdate: maxSurge: 0 From c3c7a3a5d131aec86a8056f6256a16308502b835 Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:41:18 +0100 Subject: [PATCH 10/16] update deployment to include containerd mounts --- k8s/deployment.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index c61d2a1..9454c45 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -40,11 +40,17 @@ spec: volumeMounts: - name: host mountPath: /host + - name: containerd + mountPath: /run/containerd/containerd.sock terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / + - name: containerd + hostPath: + path: /run/containerd/containerd.sock + type: Socket strategy: rollingUpdate: maxSurge: 0 From 62239053e30e9ec38d80a885210ddd086cb01f05 Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:50:07 +0100 Subject: [PATCH 11/16] Update README.md to clarify on wget and crictl --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8b75afd..8649a43 100644 --- a/README.md +++ b/README.md 
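Review bot: The added `containerd` volume in the k8s/daemonset.yaml hunk needs a comment saying what it grants: whoever can exec into this pod can drive the node's container runtime through that socket, and for the DaemonSet that holds on every node. The hunk's context already mounts host `/` at `/host`, so the socket was reachable before, but the dedicated mount together with the preconfigured `crictl` makes it the default path. I would add above the volume `# containerd socket: full control of all containers on the node; limit pods/exec on this workload via RBAC`, and the same in the k8s/deployment.yaml hunk of PATCH 10/16. `type: Socket` also makes the pod fail to start on a node where that path is missing, which seems intended but is worth stating in the comment.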
@@ -17,6 +17,7 @@ This DaemonSet manifest will: 1. Ensure a pod with our Docker image is running indefinitely on every node. 2. Use `hostPID`, `hostIPC`, and `hostNetwork`. 3. Mount the entire host filesystem to `/host` in the containers. + 4. Mount the `containerd` socket at `/run/containerd/containerd.sock` from the host into the container. In order to make use of these workloads, you can exec into a pod of choice by name: @@ -49,7 +50,9 @@ Once you're in, you have access to the set of tools listed in the `Dockerfile`. - [`dstat`](http://dag.wiee.rs/home-made/dstat/) - is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting. - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems. - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. - + - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. + - [`wget`](https://www.gnu.org/software/wget/) - for retrieving files using HTTP, HTTPS, FTP and FTPS. + - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - A CLI for CRI endpoints. Configured to use `/run/containerd/containerd.sock` as a default endpoint. # Tips and Tricks ## chroot + systemctl From 9dd15eec18c9e081f913969f34bd37045a0c58d5 Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:51:50 +0100 Subject: [PATCH 12/16] Update README.md to remove duplicate 'atop' line --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 8649a43..cd732ff 100644 --- a/README.md +++ b/README.md 
@@ -50,7 +50,6 @@ Once you're in, you have access to the set of tools listed in the `Dockerfile`. - [`dstat`](http://dag.wiee.rs/home-made/dstat/) - is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting. - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems. - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. - - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. - [`wget`](https://www.gnu.org/software/wget/) - for retrieving files using HTTP, HTTPS, FTP and FTPS. - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - A CLI for CRI endpoints. Configured to use `/run/containerd/containerd.sock` as a default endpoint. # Tips and Tricks From d4d08bf6b62f6d2f1e312627d464df81351f4482 Mon Sep 17 00:00:00 2001 From: Ingo Gottwald Date: Tue, 8 Apr 2025 11:44:02 +0200 Subject: [PATCH 13/16] Move image to ghcr (#30) --- .github/workflows/release.yaml | 11 ++++------- k8s/daemonset.yaml | 2 +- k8s/deployment.yaml | 2 +- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9bf6862..88c6c43 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,7 +1,7 @@ name: release env: - DOCKER_USER: ${{ secrets.DockerHubUser }} + GITHUB_TOKEN: ${{ secrets.GHCRTOKEN }} on: push: 
@@ -14,15 +14,12 @@ jobs: steps: - name: checkout - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: fetch-depth: 1 - name: build image - run: docker build --platform linux/amd64 -t digitalocean/doks-debug:latest . - - - name: Log into container registry - run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin + run: docker build --platform linux/amd64 -t ghcr.io/digitalocean-packages/doks-debug:latest . - name: push image - run: docker push digitalocean/doks-debug:latest + run: docker push ghcr.io/digitalocean-packages/doks-debug:latest diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 740c52f..55506ac 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -27,7 +27,7 @@ spec: - name: doks-debug securityContext: privileged: true - image: digitalocean/doks-debug:latest + image: ghcr.io/digitalocean-packages/doks-debug:latest command: [ "sleep", "infinity" ] resources: requests: diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 9454c45..18d0aca 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -28,7 +28,7 @@ spec: - name: doks-debug securityContext: privileged: true - image: digitalocean/doks-debug:latest + image: ghcr.io/digitalocean-packages/doks-debug:latest command: [ "sleep", "infinity" ] resources: requests: From 13191310f35f3656305d7b03f5d3443623ba4ea7 Mon Sep 17 00:00:00 2001 From: Ingo Gottwald Date: Tue, 8 Apr 2025 12:04:27 +0200 Subject: [PATCH 14/16] ci: fix ghcr auth (#31) moving to PAT auth --- .github/workflows/release.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 88c6c43..aec66ed 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,8 +1,5 @@ name: release -env: - GITHUB_TOKEN: ${{ secrets.GHCRTOKEN }} - on: push: branches: 
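Review bot: With the `Log into container registry` step removed in this release.yaml hunk, nothing authenticates the Docker CLI before `docker push ghcr.io/digitalocean-packages/doks-debug:latest`. The `GITHUB_TOKEN` variable set in the first hunk of this file is not read by `docker push`, so the push will presumably be rejected. Setting the token in workflow-level `env` also hands it to every step, including checkout and the image build. A login step placed before the push fixes both: `run: echo "$GHCR_TOKEN" | docker login ghcr.io --username "$GHCR_USER" --password-stdin`, with the two values supplied through that step's own `env:`.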
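Review bot: The new `image: ghcr.io/digitalocean-packages/doks-debug:latest` in the k8s/daemonset.yaml hunk keeps a mutable tag on a container that runs with `privileged: true`. With a `latest` tag the default pull policy fetches whatever currently sits behind that tag in the new registry namespace on each pod start. Referencing a release tag or, better, a digest (`image: ghcr.io/digitalocean-packages/doks-debug@sha256:<image-digest>`) ties the manifest to a reviewed build. The same applies to the k8s/deployment.yaml hunk of this patch; both hunks show only part of the container spec.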
@@ -21,5 +18,8 @@ jobs: - name: build image run: docker build --platform linux/amd64 -t ghcr.io/digitalocean-packages/doks-debug:latest . + - name: log into container registry + run: echo "${{ secrets.GHCRTOKEN }}" | docker login --username "${{ secrets.GHCRUSER }}" --password-stdin + - name: push image run: docker push ghcr.io/digitalocean-packages/doks-debug:latest From 6877edf225d70146dccee329cda31ceedfe1ef02 Mon Sep 17 00:00:00 2001 From: Ingo Gottwald Date: Tue, 8 Apr 2025 12:12:12 +0200 Subject: [PATCH 15/16] ci: login to the correct registry (#32) --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index aec66ed..4c93258 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,7 +19,7 @@ jobs: run: docker build --platform linux/amd64 -t ghcr.io/digitalocean-packages/doks-debug:latest . - name: log into container registry - run: echo "${{ secrets.GHCRTOKEN }}" | docker login --username "${{ secrets.GHCRUSER }}" --password-stdin + run: echo "${{ secrets.GHCRTOKEN }}" | docker login ghcr.io --username "${{ secrets.GHCRUSER }}" --password-stdin - name: push image run: docker push ghcr.io/digitalocean-packages/doks-debug:latest From c9689f3fa664830b5ed3c75ab63e9c572db1110b Mon Sep 17 00:00:00 2001 From: Ingo Gottwald Date: Mon, 9 Feb 2026 15:19:13 +0100 Subject: [PATCH 16/16] Add more debug tools (#34) This adds termshark, lsof and the watch command. --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 8e11884..0922b33 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,6 +31,7 @@ RUN apt-get update -qq && \ jq \ dnsutils \ tcpdump \ + termshark \ traceroute \ iputils-ping \ iptables \ @@ -38,6 +39,7 @@ RUN apt-get update -qq && \ ncat \ iproute2 \ strace \ + lsof \ telnet \ openssl \ psmisc \ 
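Review bot: The added login step in the PATCH 14/16 hunk expands `${{ secrets.GHCRTOKEN }}` and `${{ secrets.GHCRUSER }}` straight into the shell script, so the secret text is parsed by the shell (a `"`, `$` or backtick in the value changes the command) rather than passed as data. It also names no registry, so `docker login` targets Docker Hub while the push goes to ghcr.io. Passing both values through the step's `env:` and naming the registry addresses both. The PATCH 15/16 hunk adds `ghcr.io` but keeps the inline expansion.

```yaml
      - name: log into container registry
        env:
          GHCR_USER: ${{ secrets.GHCRUSER }}
          GHCR_TOKEN: ${{ secrets.GHCRTOKEN }}
        run: printf '%s' "$GHCR_TOKEN" | docker login ghcr.io --username "$GHCR_USER" --password-stdin
```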
@@ -46,6 +48,7 @@ RUN apt-get update -qq && \ conntrack \ llvm-13 llvm-13-tools \ wget \ + watch \ bpftool # Install crictl