From b19401b379ff7339b9f59b28946de42320697641 Mon Sep 17 00:00:00 2001 From: Timo Reimann Date: Tue, 30 Apr 2024 10:24:20 +0200 Subject: [PATCH 01/41] Upgrade Debian base image to bookworm As a drive-by, enforce the linux/amd64 to be safe. --- .github/workflows/release.yaml | 2 +- .github/workflows/test.yaml | 2 +- Dockerfile | 8 +++----- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5d878d1..9bf6862 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,7 +19,7 @@ jobs: fetch-depth: 1 - name: build image - run: docker build -t digitalocean/doks-debug:latest . + run: docker build --platform linux/amd64 -t digitalocean/doks-debug:latest . - name: Log into container registry run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 38097ea..f6b0e5b 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -13,7 +13,7 @@ jobs: fetch-depth: 1 - name: build image - run: docker build -t doks-debug . + run: docker build --platform linux/amd64 -t doks-debug . - name: smoke test run: docker run --rm doks-debug sleep 1 diff --git a/Dockerfile b/Dockerfile index 51b3342..8979298 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # match doks-debug version with DOKS worker node image version for kernel # tooling compatibility reasons -FROM debian:10-slim +FROM debian:12-slim WORKDIR /root 
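Review bot: `FROM debian:12-slim` on the new side of the Dockerfile hunk is a floating tag, while the comment right above it says the image must track the DOKS worker-node kernel for tooling compatibility; a mutable tag can silently move to a newer bookworm point release and break that pairing without any change in this repository. Pin by digest, `FROM debian:12-slim@sha256:<digest>`, and bump it deliberately alongside the node image. The `--platform linux/amd64` added to both workflow hunks only fixes the build platform; it does nothing to pin what the base tag resolves to.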
@@ -11,8 +11,6 @@ RUN echo 'path-exclude=/usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-include=/usr/share/doc/*/copyright' > /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list - RUN apt-get update -qq && \ apt-get install -y apt-transport-https \ ca-certificates \ @@ -42,12 +40,12 @@ RUN apt-get update -qq && \ dsniff \ mtr-tiny \ conntrack \ - llvm-8 llvm-8-tools \ + llvm-13 llvm-13-tools \ bpftool RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" && \ apt-get update -qq && \ - apt-get install -y docker-ce + apt-get install -y docker CMD [ "/bin/bash" ] From 8a1c2295f05633e0dfb4d1eea05a55b9339198f8 Mon Sep 17 00:00:00 2001 From: Timo Reimann Date: Tue, 30 Apr 2024 10:04:00 +0200 Subject: [PATCH 02/41] Never block cluster-autoscaler Workloads in the kube-system namespace would block cluster-autoscaler from evicting workloads unless a PDB was defined (see also [1]). Set an annotation to disregard the constraint for doks-debug which should never block evictions and node draining. [1]: https://github.com/kubernetes/autoscaler/blob/7c86e2813d20db8a943e69e447413ca859b92f97/cluster-autoscaler/FAQ.md#how-to-set-pdbs-to-enable-ca-to-move-kube-system-pods --- k8s/daemonset.yaml | 1 + k8s/deployment.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 6bd1527..e5f2961 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -15,6 +15,7 @@ spec: name: doks-debug annotations: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: hostPID: true hostIPC: true 
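Review bot: `apt-get install -y docker` on the new side of the last Dockerfile hunk does not install Docker Engine: on Debian, `docker` is, as far as I can tell, an unrelated package (a desktop system-tray docklet), while the package published in the download.docker.com repository that the preceding context lines add is `docker-ce` (or `docker-ce-cli` for the client alone). If only the client is wanted in the debug pod, the line should read `apt-get install -y docker-ce-cli`. The surrounding `curl … | apt-key add -` is also deprecated on bookworm and trusts that key for every configured repository; a `signed-by=` keyring under `/usr/share/keyrings` would scope it to the Docker source.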
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 50816d0..35c5310 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -16,6 +16,7 @@ spec: name: doks-debug annotations: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: hostPID: true hostIPC: true From 103829823f18478745f9c40f608ac7f651d4e220 Mon Sep 17 00:00:00 2001 From: Timo Reimann Date: Tue, 30 Apr 2024 10:32:11 +0200 Subject: [PATCH 03/41] Eliminate termination grace period doks-debug should always terminate immediately. --- k8s/daemonset.yaml | 1 + k8s/deployment.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 6bd1527..0d202a6 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -39,6 +39,7 @@ spec: mountPath: /host - name: docker mountPath: /var/run/docker.sock + terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 50816d0..6748128 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -40,6 +40,7 @@ spec: mountPath: /host - name: docker mountPath: /var/run/docker.sock + terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: From 61af11ad2f8910e9b10a6668cb830ebf0b80c7ab Mon Sep 17 00:00:00 2001 From: Ingo Gottwald Date: Tue, 30 Apr 2024 13:46:37 +0200 Subject: [PATCH 04/41] re-add iptables binaries These are important for node debugging. --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 8979298..c486dfd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,6 +30,7 @@ RUN apt-get update -qq && \ tcpdump \ traceroute \ iputils-ping \ + iptables \ net-tools \ ncat \ iproute2 \ From eb3e1252628608093ab26abf5b2f45b0dd08e36b Mon Sep 17 00:00:00 2001 
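Review bot: `terminationGracePeriodSeconds: 0` in the two patch-03 hunks makes the kubelet send SIGKILL with no SIGTERM window; that is harmless for the container's idle main process but also kills, without warning, whatever an operator is running in an exec session — a `tcpdump -w` writing into `/host`, for instance, can lose its buffered packets. If the aim is only to keep drains fast, a small value such as `terminationGracePeriodSeconds: 5` preserves that while letting tools flush. Either way, a one-line comment above the field recording the intent ("never block node drains") would stop the next reader from "fixing" it.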
From: Timo Reimann Date: Wed, 3 Jul 2024 12:51:07 +0200 Subject: [PATCH 05/41] Use ClusterFirstWithHostNet DNS policy Simplifies testing in-cluster DNS as the policy enables to query CoreDNS for such requests. --- k8s/daemonset.yaml | 1 + k8s/deployment.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 337a503..ae9e56e 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -17,6 +17,7 @@ spec: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + dnsPolicy: ClusterFirstWithHostNet hostPID: true hostIPC: true hostNetwork: true diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 6ea2b48..8ea98c7 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -18,6 +18,7 @@ spec: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + dnsPolicy: ClusterFirstWithHostNet hostPID: true hostIPC: true hostNetwork: true From 66ce3f5af37d8709a3e44c03df8659559a11ef1b Mon Sep 17 00:00:00 2001 From: Dasha Komsa Date: Thu, 22 Aug 2024 09:59:07 -0400 Subject: [PATCH 06/41] remove docker socket mounts and cli doks switched to containerd container runtime a while ago (https://docs.digitalocean.com/products/kubernetes/details/changelog/#1.20.2-do.0), so while docker is still installed on the nodes it's not useful for debugging k8s containers anymore --- Dockerfile | 5 ----- README.md | 2 -- k8s/daemonset.yaml | 6 ------ k8s/deployment.yaml | 6 ------ 4 files changed, 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index c486dfd..71bfb67 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -44,9 +44,4 @@ RUN apt-get update -qq && \ llvm-13 llvm-13-tools \ bpftool -RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \ - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" && \ - apt-get update -qq && \ - apt-get install -y docker - CMD [ "/bin/bash" ] diff --git a/README.md b/README.md index 9485b02..8b75afd 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,6 @@ This DaemonSet manifest will: 1. Ensure a pod with our Docker image is running indefinitely on every node. 2. Use `hostPID`, `hostIPC`, and `hostNetwork`. 3. Mount the entire host filesystem to `/host` in the containers. - 4. Mount `/var/run/docker.sock` from the host. In order to make use of these workloads, you can exec into a pod of choice by name: 
@@ -47,7 +46,6 @@ Once you're in, you have access to the set of tools listed in the `Dockerfile`. - [`netcat`](https://linux.die.net/man/1/nc) - is a multi-tool for interacting with TCP and UDP; it can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. - [`iproute2`](https://wiki.linuxfoundation.org/networking/iproute2) - is a collection of utilities for controlling TCP / IP networking and traffic control in Linux. - [`strace`](https://github.com/strace/strace) - is a diagnostic, debugging and instructional userspace utility with a traditional command-line interface for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. - - [`docker`](https://docs.docker.com/engine/reference/commandline/cli/) - is the CLI tool used for interacting with Docker containers on the system. - [`dstat`](http://dag.wiee.rs/home-made/dstat/) - is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting. - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems. - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index ae9e56e..8f8a9d1 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -39,17 +39,11 @@ spec: volumeMounts: - name: host mountPath: /host - - name: docker - mountPath: /var/run/docker.sock terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / - - name: docker - hostPath: - path: /var/run/docker.sock - type: Socket updateStrategy: rollingUpdate: maxSurge: 0 
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 8ea98c7..c61d2a1 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -40,17 +40,11 @@ spec: volumeMounts: - name: host mountPath: /host - - name: docker - mountPath: /var/run/docker.sock terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / - - name: docker - hostPath: - path: /var/run/docker.sock - type: Socket strategy: rollingUpdate: maxSurge: 0 From 2cc0c8cc22f11c8d2ef6c8c644a917c4d8558688 Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 12:36:41 +0100 Subject: [PATCH 07/41] Add second '>' for correct output redirection in Dockerfile --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 71bfb67..02db265 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,10 +6,10 @@ WORKDIR /root # use same dpkg path-exclude settings that come by default with ubuntu:focal # image that we previously used -RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-exclude=/usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/copyright' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' > /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' >> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-exclude=/usr/share/doc/*' >> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/copyright' ≥> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' ≥> /etc/dpkg/dpkg.cfg.d/excludes RUN apt-get update -qq && \ apt-get install -y apt-transport-https \ From 1a41ee1f0af0dfc53fbd8926e535a48610262f48 Mon Sep 17 00:00:00 2001 
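Review bot: The two `≥>` tokens on the new side of the patch-07 Dockerfile hunk are not the `>>` the subject line describes: the shell parses `≥` as an extra literal argument to `echo` and the following `>` as a truncating redirect, so `/etc/dpkg/dpkg.cfg.d/excludes` ends up containing only the last line plus a stray `≥`, and the two `path-exclude` entries appended just above are lost. Both lines should read `>> /etc/dpkg/dpkg.cfg.d/excludes`. As far as I recall, `debian:12-slim` already ships `/etc/dpkg/dpkg.cfg.d/docker` with equivalent path-exclude rules, so these four separate `RUN` layers could likely be dropped or at least collapsed into one.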
From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:31:53 +0100 Subject: [PATCH 08/41] Update Dockerfile to include crictl addn: fix the > as for some reason it was incorrect --- Dockerfile | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 02db265..8e11884 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,14 +2,17 @@ # tooling compatibility reasons FROM debian:12-slim +# Specify the version of crictl to install +ARG CRICTL_VERSION="v1.31.1" + WORKDIR /root # use same dpkg path-exclude settings that come by default with ubuntu:focal # image that we previously used RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' >> /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-exclude=/usr/share/doc/*' >> /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/copyright' ≥> /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' ≥> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/copyright' >> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' >> /etc/dpkg/dpkg.cfg.d/excludes RUN apt-get update -qq && \ apt-get install -y apt-transport-https \ @@ -42,6 +45,17 @@ RUN apt-get update -qq && \ mtr-tiny \ conntrack \ llvm-13 llvm-13-tools \ + wget \ bpftool +# Install crictl +RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \ + tar zxvf crictl-${CRICTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin && \ + rm -f crictl-${CRICTL_VERSION}-linux-amd64.tar.gz + +# Specify the default image endpoint for crictl +RUN echo 'runtime-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml +RUN echo 'image-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml +RUN echo 'timeout: 2' >> /etc/crictl.yaml + CMD [ "/bin/bash" ] 
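Review bot: The crictl install in the second hunk downloads a tarball and extracts it straight into `/usr/local/bin` with no checksum verification, so the only integrity control is TLS to the release host; since this binary later runs as root inside a privileged node pod, a pinned digest is worth two extra lines. cri-tools publishes `.sha256` files next to each release, but pinning the expected hash in an `ARG` and failing the build on mismatch is stronger than fetching the digest from the same origin. The archive name is also hard-coded to `linux-amd64`, which will matter the moment the image is built for another platform; `tar zxvf` could also lose the `v` to keep the build log readable.
```dockerfile
ARG CRICTL_VERSION="v1.31.1"
# sha256 of crictl-${CRICTL_VERSION}-linux-amd64.tar.gz, taken from the cri-tools release page
ARG CRICTL_SHA256="<fill in from the release assets>"
# … unchanged: dpkg excludes and apt-get install …
RUN wget -q "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" && \
    echo "${CRICTL_SHA256}  crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" | sha256sum -c - && \
    tar zxf "crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" -C /usr/local/bin && \
    rm -f "crictl-${CRICTL_VERSION}-linux-amd64.tar.gz"
```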
From 176c0d607e67d129b64ea56cbf1ace5a5f80560e Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:37:26 +0100 Subject: [PATCH 09/41] Add containerd mounts to daemonset --- k8s/daemonset.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 8f8a9d1..740c52f 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -39,11 +39,17 @@ spec: volumeMounts: - name: host mountPath: /host + - name: containerd + mountPath: /run/containerd/containerd.sock terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / + - name: containerd + hostPath: + path: /run/containerd/containerd.sock + type: Socket updateStrategy: rollingUpdate: maxSurge: 0 From c3c7a3a5d131aec86a8056f6256a16308502b835 Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:41:18 +0100 Subject: [PATCH 10/41] update deployment to include containerd mounts --- k8s/deployment.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index c61d2a1..9454c45 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -40,11 +40,17 @@ spec: volumeMounts: - name: host mountPath: /host + - name: containerd + mountPath: /run/containerd/containerd.sock terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / + - name: containerd + hostPath: + path: /run/containerd/containerd.sock + type: Socket strategy: rollingUpdate: maxSurge: 0 From 62239053e30e9ec38d80a885210ddd086cb01f05 Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:50:07 +0100 Subject: [PATCH 11/41] Update README.md to clarify on wget and crictl --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8b75afd..8649a43 100644 --- a/README.md +++ b/README.md 
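Review bot: The `containerd` hostPath mount added in both manifests duplicates access the pod already has: the `host` volume in the same hunk mounts `/` at `/host`, so the socket is reachable at `/host/run/containerd/containerd.sock`, and the pod is privileged, so this adds no new capability but does add a hard scheduling dependency — with `type: Socket`, the pod fails to start on any node where containerd does not expose a socket at exactly that path. If the mount exists only so the baked `/etc/crictl.yaml` works without edits, a one-line comment saying so (`# crictl's default endpoint; see /etc/crictl.yaml in the image`) would spare the next reader the question; otherwise pointing crictl at the `/host` path removes the dependency.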
@@ -17,6 +17,7 @@ This DaemonSet manifest will: 1. Ensure a pod with our Docker image is running indefinitely on every node. 2. Use `hostPID`, `hostIPC`, and `hostNetwork`. 3. Mount the entire host filesystem to `/host` in the containers. + 4. Mount the `containerd` socket at `/run/containerd/containerd.sock` from the host into the container. In order to make use of these workloads, you can exec into a pod of choice by name: @@ -49,7 +50,9 @@ Once you're in, you have access to the set of tools listed in the `Dockerfile`. - [`dstat`](http://dag.wiee.rs/home-made/dstat/) - is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting. - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems. - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. - + - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. + - [`wget`](https://www.gnu.org/software/wget/) - for retrieving files using HTTP, HTTPS, FTP and FTPS. + - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - A CLI for CRI endpoints. Configured to use `/run/containerd/containerd.sock` as a default endpoint. # Tips and Tricks ## chroot + systemctl From 9dd15eec18c9e081f913969f34bd37045a0c58d5 Mon Sep 17 00:00:00 2001 From: okami <43506079+okamidash@users.noreply.github.com> Date: Fri, 23 Aug 2024 14:51:50 +0100 Subject: [PATCH 12/41] Update README.md to remove duplicate 'atop' line --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 8649a43..cd732ff 100644 --- a/README.md +++ b/README.md 
@@ -50,7 +50,6 @@ Once you're in, you have access to the set of tools listed in the `Dockerfile`. - [`dstat`](http://dag.wiee.rs/home-made/dstat/) - is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting. - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems. - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. - - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. - [`wget`](https://www.gnu.org/software/wget/) - for retrieving files using HTTP, HTTPS, FTP and FTPS. - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - A CLI for CRI endpoints. Configured to use `/run/containerd/containerd.sock` as a default endpoint. # Tips and Tricks From d4d08bf6b62f6d2f1e312627d464df81351f4482 Mon Sep 17 00:00:00 2001 From: Ingo Gottwald Date: Tue, 8 Apr 2025 11:44:02 +0200 Subject: [PATCH 13/41] Move image to ghcr (#30) --- .github/workflows/release.yaml | 11 ++++------- k8s/daemonset.yaml | 2 +- k8s/deployment.yaml | 2 +- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9bf6862..88c6c43 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,7 +1,7 @@ name: release env: - DOCKER_USER: ${{ secrets.DockerHubUser }} + GITHUB_TOKEN: ${{ secrets.GHCRTOKEN }} on: push: 
@@ -14,15 +14,12 @@ jobs: steps: - name: checkout - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: fetch-depth: 1 - name: build image - run: docker build --platform linux/amd64 -t digitalocean/doks-debug:latest . - - - name: Log into container registry - run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin + run: docker build --platform linux/amd64 -t ghcr.io/digitalocean-packages/doks-debug:latest . - name: push image - run: docker push digitalocean/doks-debug:latest + run: docker push ghcr.io/digitalocean-packages/doks-debug:latest diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 740c52f..55506ac 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -27,7 +27,7 @@ spec: - name: doks-debug securityContext: privileged: true - image: digitalocean/doks-debug:latest + image: ghcr.io/digitalocean-packages/doks-debug:latest command: [ "sleep", "infinity" ] resources: requests: diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 9454c45..18d0aca 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -28,7 +28,7 @@ spec: - name: doks-debug securityContext: privileged: true - image: digitalocean/doks-debug:latest + image: ghcr.io/digitalocean-packages/doks-debug:latest command: [ "sleep", "infinity" ] resources: requests: From 13191310f35f3656305d7b03f5d3443623ba4ea7 Mon Sep 17 00:00:00 2001 From: Ingo Gottwald Date: Tue, 8 Apr 2025 12:04:27 +0200 Subject: [PATCH 14/41] ci: fix ghcr auth (#31) moving to PAT auth --- .github/workflows/release.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 88c6c43..aec66ed 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,8 +1,5 @@ name: release -env: - GITHUB_TOKEN: ${{ secrets.GHCRTOKEN }} - on: push: branches: 
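Review bot: Both manifest hunks now pull `ghcr.io/digitalocean-packages/doks-debug:latest`, a floating tag, into a container that the surrounding context shows is `privileged: true`; whoever can push that tag effectively gets root on every node running the DaemonSet, and a rollout cannot be reproduced later because nothing records which image actually ran. Pin the reference by digest, `image: ghcr.io/digitalocean-packages/doks-debug@sha256:<digest>`, or at minimum tag per release and have CI bump the manifest. The release-workflow hunk above also removes the registry login while keeping the push, so as committed the push has no credentials (the next patch in the series re-adds a login step).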
@@ -21,5 +18,8 @@ jobs: - name: build image run: docker build --platform linux/amd64 -t ghcr.io/digitalocean-packages/doks-debug:latest . + - name: log into container registry + run: echo "${{ secrets.GHCRTOKEN }}" | docker login --username "${{ secrets.GHCRUSER }}" --password-stdin + - name: push image run: docker push ghcr.io/digitalocean-packages/doks-debug:latest From 6877edf225d70146dccee329cda31ceedfe1ef02 Mon Sep 17 00:00:00 2001 From: Ingo Gottwald Date: Tue, 8 Apr 2025 12:12:12 +0200 Subject: [PATCH 15/41] ci: login to the correct registry (#32) --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index aec66ed..4c93258 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,7 +19,7 @@ jobs: run: docker build --platform linux/amd64 -t ghcr.io/digitalocean-packages/doks-debug:latest . - name: log into container registry - run: echo "${{ secrets.GHCRTOKEN }}" | docker login --username "${{ secrets.GHCRUSER }}" --password-stdin + run: echo "${{ secrets.GHCRTOKEN }}" | docker login ghcr.io --username "${{ secrets.GHCRUSER }}" --password-stdin - name: push image run: docker push ghcr.io/digitalocean-packages/doks-debug:latest From ee309311320b5c8ac02226901e64c7e372397f94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 30 May 2023 11:38:46 +0100 Subject: [PATCH 16/41] added nmap and publish to ghcr.io --- .github/workflows/release.yaml | 80 +++++++++++++++++++++++++++++----- Dockerfile | 5 ++- 2 files changed, 74 insertions(+), 11 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 4c93258..32c2a8a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
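Review bot: The new login step interpolates `${{ secrets.GHCRTOKEN }}` and `${{ secrets.GHCRUSER }}` directly into the `run:` script text; GitHub substitutes expressions before the shell sees the line, so the values are spliced into the command rather than passed as data, which is the pattern GitHub's own hardening guidance tells workflows to avoid. Put them in an `env:` block on the step (`env: { GHCR_USER: ${{ secrets.GHCRUSER }}, GHCR_TOKEN: ${{ secrets.GHCRTOKEN }} }`) and run `echo "$GHCR_TOKEN" | docker login ghcr.io --username "$GHCR_USER" --password-stdin`, or use `docker/login-action` with the same inputs. If the package lives under the same organisation as the repository — which I cannot confirm from here — the job's own `GITHUB_TOKEN` with `permissions: packages: write` would remove the long-lived PAT from secrets entirely.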
@@ -5,21 +5,81 @@ on: branches: - master +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + jobs: - release: + build: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - - name: checkout - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - name: Checkout repository + uses: actions/checkout@v3 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 + with: + cosign-release: 'v1.13.1' + + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: - fetch-depth: 1 + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: build image - run: docker build --platform linux/amd64 -t ghcr.io/digitalocean-packages/doks-debug:latest . 
+ # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max - - name: log into container registry - run: echo "${{ secrets.GHCRTOKEN }}" | docker login ghcr.io --username "${{ secrets.GHCRUSER }}" --password-stdin - - name: push image - run: docker push ghcr.io/digitalocean-packages/doks-debug:latest + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} diff --git a/Dockerfile b/Dockerfile index 8e11884..e1aaae2 100644 --- a/Dockerfile +++ b/Dockerfile 
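Review bot: The rewritten workflow regresses action pinning: `actions/checkout@v3` replaces the SHA-pinned checkout on the old side, and `setup-buildx-action`, `login-action`, `metadata-action` and `build-push-action` are pinned to bare SHAs with no version comment, so nobody can tell what they resolve to or audit an upgrade. Pin every action to a full commit SHA with a `# vX.Y.Z` comment, as the `cosign-installer` line in this same hunk already does. Separately, `IMAGE_NAME: ${{ github.repository }}` makes the published name follow the repository, so unless this runs under `digitalocean-packages` the `ghcr.io/digitalocean-packages/doks-debug:latest` reference in the manifests no longer points at what this job builds; and metadata-action's default tag for a branch push is the branch name, so I do not believe a `latest` tag is produced unless it is configured — please confirm both before merging.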
@@ -5,6 +5,8 @@ FROM debian:12-slim # Specify the version of crictl to install ARG CRICTL_VERSION="v1.31.1" +LABEL org.opencontainers.image.source=https://github.com/nosportugal/debug-pod + WORKDIR /root # use same dpkg path-exclude settings that come by default with ubuntu:focal @@ -46,7 +48,8 @@ RUN apt-get update -qq && \ conntrack \ llvm-13 llvm-13-tools \ wget \ - bpftool + bpftool \ + nmap # Install crictl RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \ From c66d4d3006e0f8bc1418ab3dd005cdaa7931256a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 30 May 2023 14:22:13 +0100 Subject: [PATCH 17/41] added two main platforms to build --- .github/workflows/release.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 32c2a8a..d6c16ba 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -64,6 +64,7 @@ jobs: uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . + platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From 50fa6268e8ad7667f5586a227644a7122e1239bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 30 May 2023 15:48:25 +0100 Subject: [PATCH 18/41] upgrade to debian 11 and added description --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index e1aaae2..632bcad 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,6 +6,7 @@ FROM debian:12-slim ARG CRICTL_VERSION="v1.31.1" LABEL org.opencontainers.image.source=https://github.com/nosportugal/debug-pod +LABEL org.opencontainers.image.description="A debian image with some debugging tools installed." WORKDIR /root 
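Review bot: `platforms: linux/amd64,linux/arm64` in the patch-17 workflow hunk builds an arm64 variant, but the crictl step visible as trailing context in the patch-16 Dockerfile hunk hard-codes `crictl-${CRICTL_VERSION}-linux-amd64.tar.gz`, so the arm64 image ships an x86-64 crictl that fails with an exec-format error on an arm64 node. Declare `ARG TARGETARCH` in the final stage and download `crictl-${CRICTL_VERSION}-linux-${TARGETARCH}.tar.gz`; the same applies to any other architecture-specific binary added to this file. The `nmap` addition is fine for a debug image, but a one-line comment on why a port scanner belongs in a pod that runs with host networking will save questions in audits.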
@@ -61,4 +62,4 @@ RUN echo 'runtime-endpoint: unix:///run/containerd/containerd.sock' >> /etc/cric RUN echo 'image-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml RUN echo 'timeout: 2' >> /etc/crictl.yaml -CMD [ "/bin/bash" ] +ENTRYPOINT [ "/bin/bash" ] From d333e88bbb77ad3d2734b73f793d6756d8141540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Thu, 1 Jun 2023 18:24:38 +0100 Subject: [PATCH 19/41] Set backports to bullseye instead of buster Buster is the current release, so we need the backports of the next one. Please check https://backports.debian.org/ for more details. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 632bcad..52dedaf 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ RUN echo 'path-exclude=/usr/share/doc/*' >> /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-include=/usr/share/doc/*/copyright' >> /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' >> /etc/dpkg/dpkg.cfg.d/excludes -RUN apt-get update -qq && \ +RUN apt-get update && \ apt-get install -y apt-transport-https \ ca-certificates \ software-properties-common \ From 4e6c31d8729853b53b708d1067cd4c5da12f6b5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Thu, 1 Jun 2023 18:28:44 +0100 Subject: [PATCH 20/41] added httpie --- Dockerfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Dockerfile b/Dockerfile index 52dedaf..4b9c7f0 100644 --- a/Dockerfile +++ b/Dockerfile 
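Review bot: Switching `CMD [ "/bin/bash" ]` to `ENTRYPOINT [ "/bin/bash" ]` changes what `docker run <image> <cmd>` does: arguments are now handed to bash as a script path, so the smoke test in `test.yaml` (`docker run --rm doks-debug sleep 1`, from patch 01) will try to execute a file named `sleep` and fail, as will any ad-hoc `docker run image tcpdump …`. The Kubernetes manifests set `command:`, which overrides the entrypoint, so they are unaffected. Keep `CMD [ "/bin/bash" ]`, which already gives an interactive default while leaving the command overridable.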
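Review bot: The patch-19 commit message talks about moving backports from buster to bullseye, but the only change in the hunk is dropping `-qq` from `apt-get update`; the backports source line was already removed in patch 01 and the base is bookworm, so the message does not describe the change and will mislead anyone bisecting a package problem. Restate it to match the diff (`Make apt-get update verbose so build logs show repository errors`) or drop the hunk if the verbosity was not intended.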
@@ -62,4 +62,10 @@ RUN echo 'runtime-endpoint: unix:///run/containerd/containerd.sock' >> /etc/cric RUN echo 'image-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml RUN echo 'timeout: 2' >> /etc/crictl.yaml +# for httpie +RUN curl -SsL https://packages.httpie.io/deb/KEY.gpg | gpg --dearmor -o /usr/share/keyrings/httpie.gpg && \ + echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/httpie.gpg] https://packages.httpie.io/deb ./" > /etc/apt/sources.list.d/httpie.list && \ + apt-get update && \ + apt-get install -y httpie + ENTRYPOINT [ "/bin/bash" ] From 90bf4a268fd56457a92b33b5f117ffd5045d9a9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Mon, 31 Jul 2023 18:12:49 +0100 Subject: [PATCH 21/41] added hey load balancing tool --- Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Dockerfile b/Dockerfile index 4b9c7f0..5cd8bf1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -68,4 +68,8 @@ RUN curl -SsL https://packages.httpie.io/deb/KEY.gpg | gpg --dearmor -o /usr/sha apt-get update && \ apt-get install -y httpie +# for hey +RUN curl -Lv -o /usr/bin/hey https://hey-release.s3.us-east-2.amazonaws.com/hey_linux_amd64 && \ + chmod a+x /usr/bin/hey + ENTRYPOINT [ "/bin/bash" ] From ab3296f470cea2af0b1ef5de5be5adbdbb0a0b5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Thu, 8 Feb 2024 11:09:23 +0000 Subject: [PATCH 22/41] added redis-tools --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 5cd8bf1..c52bc00 100644 --- a/Dockerfile +++ b/Dockerfile @@ -50,7 +50,8 @@ RUN apt-get update && \ llvm-13 llvm-13-tools \ wget \ bpftool \ - nmap + nmap \ + redis-tools # Install crictl RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \ From d36fb7ad240ecf0460aa6c2f81df93f38d4fc9a8 Mon Sep 17 00:00:00 2001 
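Review bot: The `hey` install in the patch-21 hunk writes an unverified binary from a third-party S3 bucket straight into `/usr/bin` and marks it executable: no checksum, no version, and `curl` is called without `-f`, so an HTTP error body would be saved and chmod'ed as the tool, while `-v` only floods the build log. It is also hard-coded to `hey_linux_amd64`, which breaks the arm64 variant the workflow now builds. Use `curl -fsSL -o /usr/bin/hey <url>`, verify a pinned digest with `echo "<sha256>  /usr/bin/hey" | sha256sum -c -` before `chmod a+x /usr/bin/hey`, or better build `hey` from a tagged source checkout in a builder stage so the architecture follows the build platform.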
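Review bot: The httpie block scopes trust correctly with a `signed-by=` keyring, but `curl -SsL … | gpg --dearmor` lacks `-f` and runs under `/bin/sh` without `pipefail`, so a failed download yields an empty or garbage keyring and the problem only surfaces later as an apt signature error on an unrelated line. Add `-f` to the curl call and a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` directive near the top of the stage so every piped `RUN` fails on the first broken command; finishing the step with `rm -rf /var/lib/apt/lists/*` would also keep the layer from carrying the refreshed package index.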
From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Thu, 8 Feb 2024 11:19:26 +0000 Subject: [PATCH 23/41] upgrade cosign --- .github/workflows/release.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d6c16ba..c96d897 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -30,10 +30,9 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 + uses: sigstore/cosign-installer@v3.3.0 with: - cosign-release: 'v1.13.1' - + cosign-release: 'v2.2.2' # optional # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx From 3890dfbebb00f1199095d50e1cd38c03888a70fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Thu, 8 Feb 2024 11:33:27 +0000 Subject: [PATCH 24/41] add --yes to cosign sign --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c96d897..7a0a02d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -82,4 +82,4 @@ jobs: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }} From 1ba1618052a1f19ffd201469745b2c0b7c5e03d5 Mon Sep 17 00:00:00 2001 From: jpsfalcao <125566465+jpsfalcao@users.noreply.github.com> Date: Thu, 4 Apr 2024 17:37:50 +0100 Subject: [PATCH 25/41] Update Dockerfile --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
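Review bot: `sigstore/cosign-installer@v3.3.0` replaces the SHA-pinned installer on the old side with a mutable tag, which weakens the supply chain of the very step that is meant to attest the image; pin it to the commit SHA for v3.3.0 with a `# v3.3.0` comment, as the line it replaces did. With cosign 2.x (`v2.2.2` here) keyless signing is the default, so `COSIGN_EXPERIMENTAL: "true"` on the sign step is no longer needed and the env line and the comment that refers to it can go; `--yes` in the following patch is the correct replacement for the removed interactive confirmation.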
diff --git a/Dockerfile b/Dockerfile index c52bc00..5953f36 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,7 +51,8 @@ RUN apt-get update && \ wget \ bpftool \ nmap \ - redis-tools + redis-tools \ + kafkacat # Install crictl RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \ From cc24f592e3680b0215b47fbafd1a47ab329b258e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Mon, 15 Apr 2024 15:49:09 +0100 Subject: [PATCH 26/41] added speedtest cli latest version --- Dockerfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Dockerfile b/Dockerfile index 5953f36..7e59be6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -74,4 +74,9 @@ RUN curl -SsL https://packages.httpie.io/deb/KEY.gpg | gpg --dearmor -o /usr/sha RUN curl -Lv -o /usr/bin/hey https://hey-release.s3.us-east-2.amazonaws.com/hey_linux_amd64 && \ chmod a+x /usr/bin/hey +# install speedtest cli from +# https://www.speedtest.net/apps/cli +RUN curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/script.deb.sh | bash && \ + apt-get install -y speedtest + ENTRYPOINT [ "/bin/bash" ] From 8a01f5af0069920c317261dd03f11c7380f1d47c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Mon, 13 May 2024 19:00:38 +0100 Subject: [PATCH 27/41] added HTTP/3 support to cURL --- Dockerfile | 120 +++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 85 insertions(+), 35 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7e59be6..331d762 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,3 +1,42 @@ +FROM debian:12 AS builder + +# this builder part is the work of Yury Muski, from https://github.com/yurymuski/curl-http3 +LABEL maintainer="Yury Muski " + +WORKDIR /opt + +ARG CURL_VERSION=curl-8_2_1 +ARG QUICHE_VERSION=0.18.0 + +RUN apt-get update && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential git autoconf libtool cmake golang-go curl libnghttp2-dev zlib1g-dev; + +# https://github.com/curl/curl/blob/master/docs/HTTP3.md#quiche-version + +# install rust & cargo +RUN curl https://sh.rustup.rs -sSf | sh -s -- -y -q; + +RUN git clone --recursive https://github.com/cloudflare/quiche + +# build quiche +RUN export PATH="$HOME/.cargo/bin:$PATH" && \ + cd quiche && \ + git checkout $QUICHE_VERSION && \ + cargo build --package quiche --release --features ffi,pkg-config-meta,qlog && \ + mkdir quiche/deps/boringssl/src/lib && \ + ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/ + + +# add curl +RUN git clone https://github.com/curl/curl +RUN cd curl && \ + git checkout $CURL_VERSION && \ + autoreconf -fi && \ + ./configure LDFLAGS="-Wl,-rpath,/opt/quiche/target/release" --with-openssl=/opt/quiche/quiche/deps/boringssl/src --with-quiche=/opt/quiche/target/release --with-nghttp2 --with-zlib && \ + make && \ + make DESTDIR="/debian/" install + + # match doks-debug version with DOKS worker node image version for kernel # tooling compatibility reasons FROM debian:12-slim @@ -7,6 +46,7 @@ ARG CRICTL_VERSION="v1.31.1" LABEL org.opencontainers.image.source=https://github.com/nosportugal/debug-pod LABEL org.opencontainers.image.description="A debian image with some debugging tools installed." +LABEL org.opencontainers.image.authors="NOS Portugal" WORKDIR /root 
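Review bot: The new builder stage fetches its toolchain and sources without any integrity check: `RUN curl https://sh.rustup.rs -sSf | sh -s -- -y -q` pipes an unverified installer into a root shell, and `git checkout $QUICHE_VERSION` / `git checkout $CURL_VERSION` resolve mutable tags rather than commit hashes, so the same Dockerfile can build different code over time. Recording the commit each tag resolves to (`git checkout <commit sha for 0.18.0>`), or at least verifying the rustup script's checksum before running it, would make the build reproducible and auditable; pinning `FROM debian:12` by digest serves the same goal. Separately, `LABEL maintainer="Yury Muski "` appears to have lost an e-mail address (possibly in extraction) and uses the legacy `maintainer` label, while the same patch adds the OCI `org.opencontainers.image.authors` label in the runtime stage — one convention would be cleaner.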
@@ -18,41 +58,48 @@ RUN echo 'path-include=/usr/share/doc/*/copyright' >> /etc/dpkg/dpkg.cfg.d/exclu RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' >> /etc/dpkg/dpkg.cfg.d/excludes RUN apt-get update && \ - apt-get install -y apt-transport-https \ - ca-certificates \ - software-properties-common \ - httping \ - man \ - man-db \ - vim \ - screen \ - curl \ - gnupg \ - atop \ - htop \ - dstat \ - jq \ - dnsutils \ - tcpdump \ - traceroute \ - iputils-ping \ - iptables \ - net-tools \ - ncat \ - iproute2 \ - strace \ - telnet \ - openssl \ - psmisc \ - dsniff \ - mtr-tiny \ - conntrack \ - llvm-13 llvm-13-tools \ - wget \ - bpftool \ - nmap \ - redis-tools \ - kafkacat + apt-get install -y \ + apt-transport-https \ + ca-certificates \ + software-properties-common \ + httping \ + man \ + man-db \ + vim \ + screen \ + gnupg \ + atop \ + htop \ + dstat \ + jq \ + dnsutils \ + tcpdump \ + traceroute \ + iputils-ping \ + net-tools \ + ncat \ + iproute2 \ + strace \ + telnet \ + openssl \ + psmisc \ + dsniff \ + mtr-tiny \ + conntrack \ + bpftool \ + nmap \ + redis-tools \ + kafkacat \ + nghttp2 \ + zlib1g && \ + rm -rf /var/lib/apt/lists/* + +COPY --from=builder /debian/usr/local/ /usr/local/ +COPY --from=builder /opt/quiche/target/release /opt/quiche/target/release + +# Resolve any issues of C-level lib +# location caches ("shared library cache") +RUN ldconfig # Install crictl RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \ @@ -79,4 +126,7 @@ RUN curl -Lv -o /usr/bin/hey https://hey-release.s3.us-east-2.amazonaws.com/hey_ RUN curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/script.deb.sh | bash && \ apt-get install -y speedtest +# add httpstat script +RUN curl -s https://raw.githubusercontent.com/b4b4r07/httpstat/master/httpstat.sh >httpstat.sh && chmod +x httpstat.sh + ENTRYPOINT [ "/bin/bash" ] 
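Review bot: `COPY --from=builder /opt/quiche/target/release /opt/quiche/target/release` copies the entire cargo release tree (dependency crates, build scripts, intermediate objects) into the runtime image, when, judging by the `-Wl,-rpath,/opt/quiche/target/release` set in the builder, curl presumably only needs the quiche shared library from that directory. Copying just that library into `/usr/local/lib` (e.g. `COPY --from=builder /opt/quiche/target/release/libquiche.so /usr/local/lib/` — the exact file name should be checked against the builder output) and dropping the rpath would shrink the image and keep build artifacts out of it; the `RUN ldconfig` that follows already covers `/usr/local/lib`. The comment `# Resolve any issues of C-level lib location caches` would read more precisely as `# Refresh the dynamic linker cache so the libraries copied into /usr/local/lib are found`.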
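Review bot: The added `RUN curl -s https://raw.githubusercontent.com/b4b4r07/httpstat/master/httpstat.sh >httpstat.sh && chmod +x httpstat.sh` fetches a script from an unpinned `master` ref with `-s` but no `-f`, so an upstream change or a 404 body is written and marked executable without the build noticing. Pinning to a commit in the URL and checking a checksum fixes both, e.g. `curl -fsSL https://raw.githubusercontent.com/b4b4r07/httpstat/<commit sha>/httpstat.sh -o httpstat.sh && echo '<expected sha256>  httpstat.sh' | sha256sum -c`. Patch 28 moves the same fetch to `/usr/bin/httpstat` and carries the same issue.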
From e7c814434162dfbf03354f4ab8bbe463a9c183a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 14 May 2024 09:22:42 +0100 Subject: [PATCH 28/41] add httpstat script to PATH and runnable by all users --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 331d762..4b85af6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -127,6 +127,6 @@ RUN curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/scr apt-get install -y speedtest # add httpstat script -RUN curl -s https://raw.githubusercontent.com/b4b4r07/httpstat/master/httpstat.sh >httpstat.sh && chmod +x httpstat.sh +RUN curl -s https://raw.githubusercontent.com/b4b4r07/httpstat/master/httpstat.sh >/usr/bin/httpstat && chmod a+x /usr/bin/httpstat ENTRYPOINT [ "/bin/bash" ] From f09f72b5ca3869c7968ecfa32ab33291e44ac6ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Wed, 15 May 2024 15:39:07 +0100 Subject: [PATCH 29/41] add upgrade to docker image --- Dockerfile | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4b85af6..ef5bcf7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,12 +6,14 @@ LABEL maintainer="Yury Muski " WORKDIR /opt ARG CURL_VERSION=curl-8_2_1 +# https://github.com/curl/curl/blob/master/docs/HTTP3.md#quiche-version ARG QUICHE_VERSION=0.18.0 -RUN apt-get update && \ - DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential git autoconf libtool cmake golang-go curl libnghttp2-dev zlib1g-dev; +RUN export DEBIAN_FRONTEND=noninteractive && \ + apt-get update && \ + apt-get full-upgrade --auto-remove --purge -y && \ + apt-get install -y build-essential git autoconf libtool cmake golang-go curl libnghttp2-dev zlib1g-dev; -# https://github.com/curl/curl/blob/master/docs/HTTP3.md#quiche-version # install rust & cargo RUN curl https://sh.rustup.rs -sSf | sh -s -- -y -q; 
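Review bot: Adding `apt-get full-upgrade --auto-remove --purge -y` to the builder's `RUN` (and the identical line added to the runtime stage in the `@@ -57,7 +58,9 @@` hunk of this same patch) makes the image content depend on whatever Debian has published at build time rather than on the `FROM` tag, so two builds from the same Dockerfile can differ, and hadolint flags it (DL3005). The reproducible way to pick up security fixes is to bump the base image tag or digest; if a rolling upgrade is intentional for a debug image, a comment such as `# full-upgrade on purpose: always ship current Debian security fixes` next to the line would tell the next reader. Keeping `DEBIAN_FRONTEND` as an `export` inside the `RUN` instead of an `ENV` is the right call, since it does not leak into the runtime environment.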
@@ -26,7 +28,6 @@ RUN export PATH="$HOME/.cargo/bin:$PATH" && \ mkdir quiche/deps/boringssl/src/lib && \ ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/ - # add curl RUN git clone https://github.com/curl/curl RUN cd curl && \ @@ -57,7 +58,9 @@ RUN echo 'path-exclude=/usr/share/doc/*' >> /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-include=/usr/share/doc/*/copyright' >> /etc/dpkg/dpkg.cfg.d/excludes RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' >> /etc/dpkg/dpkg.cfg.d/excludes -RUN apt-get update && \ +RUN export DEBIAN_FRONTEND=noninteractive && \ + apt-get update && \ + apt-get full-upgrade --auto-remove --purge -y && \ apt-get install -y \ apt-transport-https \ ca-certificates \ From cbe78f27f5ffcd98bd8e9bb6fe72596cc1b94865 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Thu, 8 Aug 2024 14:52:15 +0100 Subject: [PATCH 30/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: João Trigo Soares --- README.md | 39 +++++++++++++++++---------------------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index cd732ff..d989fd2 100644 --- a/README.md +++ b/README.md 
@@ -1,38 +1,37 @@ -A Docker image with Kubernetes manifests for investigation and troubleshooting your cluster. +# The ultimate debug pod + +A Docker image with Kubernetes toolink for investigation and troubleshooting your cluster. ![main build](https://github.com/digitalocean/doks-debug/actions/workflows/test.yaml/badge.svg) ![main release](https://github.com/digitalocean/doks-debug/actions/workflows/release.yaml/badge.svg) -# Purpose +## Purpose -The DOKS team provides this image for use as-is and for transparency as the image used when a request to "deploy a debug pod" is made to our customers, which may occur when deeper investigation is needed with direct access to a cluster. +This is an image based on the DOKS team's pod, full of tooling to make diagnostics and tests inside a container/kubernetes pod. -# Usage +This way you won't have to install a bunch of tooling on your pods. -```bash -kubectl apply -f k8s/daemonset.yaml -``` +## Usage -This DaemonSet manifest will: +The easiest way to start a pod in the current context and namespace is: - 1. Ensure a pod with our Docker image is running indefinitely on every node. - 2. Use `hostPID`, `hostIPC`, and `hostNetwork`. - 3. Mount the entire host filesystem to `/host` in the containers. - 4. Mount the `containerd` socket at `/run/containerd/containerd.sock` from the host into the container. +```bash +kubectl run --rm -it debug-pod --pod-running-timeout 300 --image=ghcr.io/nosportugal/debug-pod:master +``` -In order to make use of these workloads, you can exec into a pod of choice by name: +You can also have at hand this nice alias: ```bash -kubectl -n kube-system exec -it my-pod-name bash +alias debug-pod='kubectl run --rm -it debug-pod --pod-running-timeout 300 --image=ghcr.io/nosportugal/debug-pod:master' ``` -If you know the specific node name that you're interested in, you can exec into the debug pod on that node with: +Then you can do stuff from anywhere. 
The most useful example that I can think of is: ```bash -NODE_NAME="my-node-name" -POD_NAME=$(kubectl -n kube-system get pods --field-selector spec.nodeName=${NODE_NAME} -ojsonpath='{.items[0].metadata.name}') -kubectl -n kube-system exec -it ${POD_NAME} bash +debug-pod --context some-cluster -n some-namespace ``` +## Tooling + Once you're in, you have access to the set of tools listed in the `Dockerfile`. This includes: - [`vim`](https://github.com/vim/vim) - is a greatly improved version of the good old UNIX editor Vi. @@ -62,7 +61,3 @@ systemctl status kubelet journalctl -xe journalctl -u kubelet ``` - -# Contributing - - At DigitalOcean we value and love our community! If you have any issues or would like to contribute, feel free to open an issue or PR and cc any of the maintainers. From f5b35199871f19884d666a512ef2bc4fe982ace2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 17:12:23 +0000 Subject: [PATCH 31/41] feat(docker): add wget and install Azure CLI * Added wget to the Docker image. * Installed Azure CLI using the installation script. --- Dockerfile | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ef5bcf7..e765693 100644 --- a/Dockerfile +++ b/Dockerfile @@ -94,7 +94,8 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ redis-tools \ kafkacat \ nghttp2 \ - zlib1g && \ + zlib1g \ + wget && \ rm -rf /var/lib/apt/lists/* COPY --from=builder /debian/usr/local/ /usr/local/ @@ -132,4 +133,8 @@ RUN curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/scr # add httpstat script RUN curl -s https://raw.githubusercontent.com/b4b4r07/httpstat/master/httpstat.sh >/usr/bin/httpstat && chmod a+x /usr/bin/httpstat +# install AZ cli +RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash && \ + apt-get install -y azure-cli + ENTRYPOINT [ "/bin/bash" ] From 366dedef5f7441ace359fb9f2ad961009dfd7905 Mon Sep 17 00:00:00 2001 
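Review bot: After `curl -sL https://aka.ms/InstallAzureCLIDeb | bash` the added `apt-get install -y azure-cli` is, as far as I know, redundant — the Microsoft script already installs the package — and this step leaves the apt lists the script refreshed in the layer, unlike the main install step in the first hunk which ends with `rm -rf /var/lib/apt/lists/*`. The `aka.ms` short link also hides the real origin and follows redirects (`-L`) before the result runs as root. I would add the Microsoft repository and keyring explicitly and install a pinned `azure-cli=<version>`, then clean the lists in the same `RUN`; the integrity concern for this curl-into-bash pattern is covered in the note on patch 26's speedtest step.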
From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 18:45:10 +0000 Subject: [PATCH 32/41] feat(docker): upgrade base image to Debian 13 and enhance curl build - Upgrade base image from Debian 12 to Debian 13. - Update curl version to 8.18.0 with HTTP/3 support. - Improve installation of dependencies for building curl. - Replace deprecated tools and update package installations. - Enhance README with updated tooling information and descriptions. --- Dockerfile | 74 ++++++++++++++++++++++++++++-------------------------- README.md | 34 +++++++++++++++++-------- 2 files changed, 63 insertions(+), 45 deletions(-) diff --git a/Dockerfile b/Dockerfile index e765693..cf72340 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,49 +1,54 @@ -FROM debian:12 AS builder +FROM debian:13 AS builder -# this builder part is the work of Yury Muski, from https://github.com/yurymuski/curl-http3 -LABEL maintainer="Yury Muski " +# Build curl with HTTP/3 support using ngtcp2 (non-experimental) backend. +# Debian 13 ships OpenSSL 3.5 which has native QUIC API support for ngtcp2. +# https://github.com/curl/curl/blob/master/docs/HTTP3.md#ngtcp2-version WORKDIR /opt -ARG CURL_VERSION=curl-8_2_1 -# https://github.com/curl/curl/blob/master/docs/HTTP3.md#quiche-version -ARG QUICHE_VERSION=0.18.0 +ARG CURL_VERSION=curl-8_18_0 +ARG NGTCP2_VERSION=v1.20.0 +ARG NGHTTP3_VERSION=v1.15.0 RUN export DEBIAN_FRONTEND=noninteractive && \ apt-get update && \ apt-get full-upgrade --auto-remove --purge -y && \ - apt-get install -y build-essential git autoconf libtool cmake golang-go curl libnghttp2-dev zlib1g-dev; + apt-get install -y build-essential git autoconf libtool pkg-config \ + libssl-dev libnghttp2-dev zlib1g-dev libpsl-dev; +# Build nghttp3 +RUN git clone -b $NGHTTP3_VERSION https://github.com/ngtcp2/nghttp3 && \ + cd nghttp3 && \ + git submodule update --init && \ + autoreconf -fi && \ + ./configure --prefix=/usr/local --enable-lib-only && \ + make && \ + make install -# install rust & cargo -RUN curl https://sh.rustup.rs -sSf | sh -s -- -y -q; - -RUN git clone --recursive https://github.com/cloudflare/quiche - -# build quiche -RUN export PATH="$HOME/.cargo/bin:$PATH" && \ - cd quiche && \ - git checkout $QUICHE_VERSION && \ - cargo build --package quiche --release --features ffi,pkg-config-meta,qlog && \ - mkdir quiche/deps/boringssl/src/lib && \ - ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/ +# Build ngtcp2 (with system OpenSSL 3.5+) +RUN git clone -b $NGTCP2_VERSION https://github.com/ngtcp2/ngtcp2 && \ + cd ngtcp2 && \ + autoreconf -fi && \ + ./configure PKG_CONFIG_PATH=/usr/local/lib/pkgconfig \ + --prefix=/usr/local --enable-lib-only --with-openssl 
&& \ + make && \ + make install -# add curl -RUN git clone https://github.com/curl/curl -RUN cd curl && \ +# Build curl with HTTP/3 (ngtcp2 + nghttp3) + HTTP/2 (nghttp2) + TLS (OpenSSL) +RUN git clone https://github.com/curl/curl && \ + cd curl && \ git checkout $CURL_VERSION && \ autoreconf -fi && \ - ./configure LDFLAGS="-Wl,-rpath,/opt/quiche/target/release" --with-openssl=/opt/quiche/quiche/deps/boringssl/src --with-quiche=/opt/quiche/target/release --with-nghttp2 --with-zlib && \ + ./configure PKG_CONFIG_PATH=/usr/local/lib/pkgconfig \ + --with-openssl --with-nghttp3 --with-ngtcp2 --with-nghttp2 --with-zlib && \ make && \ - make DESTDIR="/debian/" install + make install -# match doks-debug version with DOKS worker node image version for kernel -# tooling compatibility reasons -FROM debian:12-slim +FROM debian:13-slim -# Specify the version of crictl to install -ARG CRICTL_VERSION="v1.31.1" +# Specify the version of crictl to install +ARG CRICTL_VERSION="v1.33.0" LABEL org.opencontainers.image.source=https://github.com/nosportugal/debug-pod LABEL org.opencontainers.image.description="A debian image with some debugging tools installed." @@ -62,9 +67,8 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ apt-get update && \ apt-get full-upgrade --auto-remove --purge -y && \ apt-get install -y \ - apt-transport-https \ ca-certificates \ - software-properties-common \ + curl \ httping \ man \ man-db \ @@ -73,7 +77,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ gnupg \ atop \ htop \ - dstat \ + sysstat \ jq \ dnsutils \ tcpdump \ @@ -92,14 +96,14 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ bpftool \ nmap \ redis-tools \ - kafkacat \ + kcat \ nghttp2 \ + libpsl5t64 \ zlib1g \ wget && \ rm -rf /var/lib/apt/lists/* -COPY --from=builder /debian/usr/local/ /usr/local/ -COPY --from=builder /opt/quiche/target/release /opt/quiche/target/release +COPY --from=builder /usr/local/ /usr/local/ # Resolve any issues of C-level lib # location caches ("shared library cache") 
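Review bot: `git clone -b $NGHTTP3_VERSION …`, `git clone -b $NGTCP2_VERSION …` and `git checkout $CURL_VERSION` still pin to mutable git tags, so the curl binary that `COPY --from=builder /usr/local/ /usr/local/` puts in the runtime image is not reproducible from the Dockerfile alone; recording the commit each tag resolves to, or verifying a release tarball against its published checksum, would close that gap. The curl clone could also use `git clone -b $CURL_VERSION --depth 1 https://github.com/curl/curl` to avoid fetching full history. The runtime stage adds `libpsl5t64` to match the new `libpsl-dev` build dependency, but the built curl is also linked against the builder's OpenSSL and nghttp2 libraries, so `FROM debian:13` and `FROM debian:13-slim` should presumably move in lockstep (ideally both pinned by digest) to avoid an ABI mismatch that `ldconfig` will not catch.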
diff --git a/README.md b/README.md index d989fd2..0a74d07 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,6 @@ # The ultimate debug pod -A Docker image with Kubernetes toolink for investigation and troubleshooting your cluster. - -![main build](https://github.com/digitalocean/doks-debug/actions/workflows/test.yaml/badge.svg) ![main release](https://github.com/digitalocean/doks-debug/actions/workflows/release.yaml/badge.svg) +A Docker image based on Debian 13 (Trixie) with Kubernetes tooling for investigation and troubleshooting your cluster. ## Purpose 
@@ -36,24 +34,40 @@ Once you're in, you have access to the set of tools listed in the `Dockerfile`. - [`vim`](https://github.com/vim/vim) - is a greatly improved version of the good old UNIX editor Vi. - [`screen`](https://www.gnu.org/software/screen/) - is a full-screen window manager that multiplexes a physical terminal between several processes, typically interactive shells. - - [`curl`](https://github.com/curl/curl) - is a command-line tool for transferring data specified with URL syntax. + - [`curl`](https://github.com/curl/curl) - is a command-line tool for transferring data specified with URL syntax. Built from source with **HTTP/3 (QUIC)** support via ngtcp2/nghttp3 and OpenSSL 3.5. - [`jq`](https://github.com/stedolan/jq) - is a lightweight and flexible command-line JSON processor. - [`dnsutils`](https://packages.debian.org/stretch/dnsutils) - includes various client programs related to DNS that are derived from the BIND source tree, specifically [`dig`](https://linux.die.net/man/1/dig), [`nslookup`](https://linux.die.net/man/1/nslookup), and [`nsupdate`](https://linux.die.net/man/8/nsupdate). - [`iputils-ping`](https://packages.debian.org/stretch/iputils-ping) - includes the [`ping`](https://linux.die.net/man/8/ping) tool that sends ICMP `ECHO_REQUEST` packets to a host in order to test if the host is reachable via the network. - [`tcpdump`](https://www.tcpdump.org/) - a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture. - [`traceroute`](https://linux.die.net/man/8/traceroute) - tracks the route packets taken from an IP network on their way to a given host. - [`net-tools`](https://packages.debian.org/stretch/net-tools) - includes the important tools for controlling the network subsystem of the Linux kernel, specifically [`arp`](http://man7.org/linux/man-pages/man8/arp.8.html), [`ifconfig`](https://linux.die.net/man/8/ifconfig), and [`netstat`](https://linux.die.net/man/8/netstat). 
- - [`netcat`](https://linux.die.net/man/1/nc) - is a multi-tool for interacting with TCP and UDP; it can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. + - [`ncat`](https://nmap.org/ncat/) - Nmap's netcat replacement. A multi-tool for interacting with TCP and UDP; it can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. - [`iproute2`](https://wiki.linuxfoundation.org/networking/iproute2) - is a collection of utilities for controlling TCP / IP networking and traffic control in Linux. - [`strace`](https://github.com/strace/strace) - is a diagnostic, debugging and instructional userspace utility with a traditional command-line interface for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. - - [`dstat`](http://dag.wiee.rs/home-made/dstat/) - is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting. + - [`sysstat`](https://github.com/sysstat/sysstat) - a collection of performance monitoring tools including `sar`, `iostat`, `mpstat`, `pidstat`, and `tapestat`. Useful for monitoring CPU, memory, I/O, and network statistics. - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems. - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. - [`wget`](https://www.gnu.org/software/wget/) - for retrieving files using HTTP, HTTPS, FTP and FTPS. - - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - A CLI for CRI endpoints. 
Configured to use `/run/containerd/containerd.sock` as a default endpoint. -# Tips and Tricks - -## chroot + systemctl + - [`httping`](https://github.com/flok99/httping) - measures latency and throughput of a web server by sending HTTP(S) requests. + - [`telnet`](https://linux.die.net/man/1/telnet) - communicates with another host using the TELNET protocol. Useful for testing TCP connectivity. + - [`openssl`](https://www.openssl.org/) - a toolkit for TLS/SSL protocols and general-purpose cryptography. Useful for inspecting certificates and testing TLS connections. + - [`mtr`](https://github.com/traviscross/mtr) - combines the functionality of traceroute and ping in a single network diagnostic tool. + - [`nmap`](https://nmap.org/) - a network exploration tool and security / port scanner. + - [`conntrack`](https://conntrack-tools.netfilter.org/) - a tool for interacting with the Netfilter connection tracking system. + - [`bpftool`](https://github.com/libbpf/bpftool) - a tool for inspection and manipulation of eBPF programs and maps. + - [`dsniff`](https://www.monkey.org/~dugsong/dsniff/) - a collection of network auditing and penetration testing tools. + - [`kcat`](https://github.com/edenhill/kcat) - a generic non-JVM Apache Kafka producer and consumer (formerly kafkacat). + - [`redis-tools`](https://redis.io/docs/getting-started/) - includes `redis-cli`, the Redis command-line client. + - [`httpie`](https://httpie.io/) - a user-friendly HTTP client for the API era with JSON support, syntax highlighting, and more. + - [`hey`](https://github.com/rakyll/hey) - an HTTP load generator and benchmarking tool. + - [`speedtest`](https://www.speedtest.net/apps/cli) - Ookla's Speedtest CLI for testing internet bandwidth. + - [`httpstat`](https://github.com/b4b4r07/httpstat) - a curl statistics visualizer that shows DNS lookup, TCP connection, TLS handshake, and transfer timings. 
+ - [`az`](https://learn.microsoft.com/en-us/cli/azure/) - the Azure CLI for managing Azure resources. + - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - a CLI for CRI endpoints. Configured to use `/run/containerd/containerd.sock` as a default endpoint. + +## Tips and Tricks + +### chroot + systemctl ```bash chroot /host /bin/bash From 5dececb5235e372de7cc51b9a72dda25bc24d3d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 18:54:40 +0000 Subject: [PATCH 33/41] docs(readme): enhance README with detailed usage and tooling --- README.md | 282 ++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 233 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index 0a74d07..d1c5139 100644 --- a/README.md +++ b/README.md 
@@ -1,77 +1,261 @@ -# The ultimate debug pod +# debug-pod -A Docker image based on Debian 13 (Trixie) with Kubernetes tooling for investigation and troubleshooting your cluster. +> The ultimate Kubernetes debugging toolkit — a single container image packed with everything you need to investigate, diagnose, and troubleshoot your clusters. -## Purpose +Built on **Debian 13 (Trixie)** with a custom **curl 8.18** compiled with **HTTP/3 (QUIC)** support. -This is an image based on the DOKS team's pod, full of tooling to make diagnostics and tests inside a container/kubernetes pod. +## What is this? -This way you won't have to install a bunch of tooling on your pods. +When something goes wrong inside a Kubernetes cluster, you often need tools that aren't available in your application containers. Instead of installing dozens of packages into your workloads, just drop a debug pod into any namespace and start investigating immediately. -## Usage +This image is maintained by [NOS Portugal](https://github.com/nosportugal) and originally inspired by DigitalOcean's [doks-debug](https://github.com/digitalocean/doks-debug) project. -The easiest way to start a pod in the current context and namespace is: +--- + +## Quick Start + +### One-liner + +Spin up an interactive debug shell in your current namespace: + +```bash +kubectl run --rm -it debug-pod \ + --pod-running-timeout=300s \ + --image=ghcr.io/nosportugal/debug-pod:master +``` + +### Shell alias (recommended) + +Add this to your shell profile (`~/.bashrc`, `~/.zshrc`, etc.) 
for one-word access: ```bash -kubectl run --rm -it debug-pod --pod-running-timeout 300 --image=ghcr.io/nosportugal/debug-pod:master +alias debug-pod='kubectl run --rm -it debug-pod --pod-running-timeout=300s --image=ghcr.io/nosportugal/debug-pod:master' ``` -You can also have at hand this nice alias: +Then you can jump into any cluster and namespace instantly: ```bash -alias debug-pod='kubectl run --rm -it debug-pod --pod-running-timeout 300 --image=ghcr.io/nosportugal/debug-pod:master' +debug-pod --context production -n my-app ``` -Then you can do stuff from anywhere. The most useful example that I can think of is: +### Using `kubectl debug` (Kubernetes 1.25+) + +Attach a debug container to a running pod without restarting it: ```bash -debug-pod --context some-cluster -n some-namespace +kubectl debug -it \ + --image=ghcr.io/nosportugal/debug-pod:master \ + --target= ``` +### Advanced: DaemonSet / Deployment + +For persistent debugging across nodes, use the provided manifests in the [`k8s/`](k8s/) directory: + +```bash +# Deploy to every node as a DaemonSet (privileged, host-networked) +kubectl apply -f k8s/daemonset.yaml + +# Or deploy a single replica +kubectl apply -f k8s/deployment.yaml +``` + +These manifests run in `kube-system` with `hostPID`, `hostNetwork`, `hostIPC`, and a host filesystem mount at `/host` — ideal for deep node-level debugging. They also mount the containerd socket for `crictl` access. + +--- + ## Tooling -Once you're in, you have access to the set of tools listed in the `Dockerfile`. This includes: - - - [`vim`](https://github.com/vim/vim) - is a greatly improved version of the good old UNIX editor Vi. - - [`screen`](https://www.gnu.org/software/screen/) - is a full-screen window manager that multiplexes a physical terminal between several processes, typically interactive shells. - - [`curl`](https://github.com/curl/curl) - is a command-line tool for transferring data specified with URL syntax. 
Built from source with **HTTP/3 (QUIC)** support via ngtcp2/nghttp3 and OpenSSL 3.5. - - [`jq`](https://github.com/stedolan/jq) - is a lightweight and flexible command-line JSON processor. - - [`dnsutils`](https://packages.debian.org/stretch/dnsutils) - includes various client programs related to DNS that are derived from the BIND source tree, specifically [`dig`](https://linux.die.net/man/1/dig), [`nslookup`](https://linux.die.net/man/1/nslookup), and [`nsupdate`](https://linux.die.net/man/8/nsupdate). - - [`iputils-ping`](https://packages.debian.org/stretch/iputils-ping) - includes the [`ping`](https://linux.die.net/man/8/ping) tool that sends ICMP `ECHO_REQUEST` packets to a host in order to test if the host is reachable via the network. - - [`tcpdump`](https://www.tcpdump.org/) - a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture. - - [`traceroute`](https://linux.die.net/man/8/traceroute) - tracks the route packets taken from an IP network on their way to a given host. - - [`net-tools`](https://packages.debian.org/stretch/net-tools) - includes the important tools for controlling the network subsystem of the Linux kernel, specifically [`arp`](http://man7.org/linux/man-pages/man8/arp.8.html), [`ifconfig`](https://linux.die.net/man/8/ifconfig), and [`netstat`](https://linux.die.net/man/8/netstat). - - [`ncat`](https://nmap.org/ncat/) - Nmap's netcat replacement. A multi-tool for interacting with TCP and UDP; it can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. - - [`iproute2`](https://wiki.linuxfoundation.org/networking/iproute2) - is a collection of utilities for controlling TCP / IP networking and traffic control in Linux. - - [`strace`](https://github.com/strace/strace) - is a diagnostic, debugging and instructional userspace utility with a traditional command-line interface for Linux. 
It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. - - [`sysstat`](https://github.com/sysstat/sysstat) - a collection of performance monitoring tools including `sar`, `iostat`, `mpstat`, `pidstat`, and `tapestat`. Useful for monitoring CPU, memory, I/O, and network statistics. - - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems. - - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. - - [`wget`](https://www.gnu.org/software/wget/) - for retrieving files using HTTP, HTTPS, FTP and FTPS. - - [`httping`](https://github.com/flok99/httping) - measures latency and throughput of a web server by sending HTTP(S) requests. - - [`telnet`](https://linux.die.net/man/1/telnet) - communicates with another host using the TELNET protocol. Useful for testing TCP connectivity. - - [`openssl`](https://www.openssl.org/) - a toolkit for TLS/SSL protocols and general-purpose cryptography. Useful for inspecting certificates and testing TLS connections. - - [`mtr`](https://github.com/traviscross/mtr) - combines the functionality of traceroute and ping in a single network diagnostic tool. - - [`nmap`](https://nmap.org/) - a network exploration tool and security / port scanner. - - [`conntrack`](https://conntrack-tools.netfilter.org/) - a tool for interacting with the Netfilter connection tracking system. - - [`bpftool`](https://github.com/libbpf/bpftool) - a tool for inspection and manipulation of eBPF programs and maps. - - [`dsniff`](https://www.monkey.org/~dugsong/dsniff/) - a collection of network auditing and penetration testing tools. - - [`kcat`](https://github.com/edenhill/kcat) - a generic non-JVM Apache Kafka producer and consumer (formerly kafkacat). 
- - [`redis-tools`](https://redis.io/docs/getting-started/) - includes `redis-cli`, the Redis command-line client. - - [`httpie`](https://httpie.io/) - a user-friendly HTTP client for the API era with JSON support, syntax highlighting, and more. - - [`hey`](https://github.com/rakyll/hey) - an HTTP load generator and benchmarking tool. - - [`speedtest`](https://www.speedtest.net/apps/cli) - Ookla's Speedtest CLI for testing internet bandwidth. - - [`httpstat`](https://github.com/b4b4r07/httpstat) - a curl statistics visualizer that shows DNS lookup, TCP connection, TLS handshake, and transfer timings. - - [`az`](https://learn.microsoft.com/en-us/cli/azure/) - the Azure CLI for managing Azure resources. - - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - a CLI for CRI endpoints. Configured to use `/run/containerd/containerd.sock` as a default endpoint. +The image ships with **40+ tools** organized by category. Everything is ready to use out of the box. 
+ +### HTTP & API + +| Tool | Description | +|------|-------------| +| [`curl`](https://github.com/curl/curl) | HTTP client built from source with **HTTP/3 (QUIC)** support via ngtcp2/nghttp3 and OpenSSL 3.5 | +| [`httpie`](https://httpie.io/) | User-friendly HTTP client with JSON support, syntax highlighting, and intuitive CLI | +| [`wget`](https://www.gnu.org/software/wget/) | File retrieval via HTTP, HTTPS, FTP, and FTPS | +| [`httpstat`](https://github.com/b4b4r07/httpstat) | curl statistics visualizer — shows DNS, TCP, TLS, and transfer timings at a glance | +| [`httping`](https://github.com/flok99/httping) | Measures HTTP(S) latency and throughput to a web server | + +### DNS & Network Diagnostics + +| Tool | Description | +|------|-------------| +| [`dnsutils`](https://packages.debian.org/trixie/dnsutils) | DNS client tools: `dig`, `nslookup`, `nsupdate` | +| [`iputils-ping`](https://packages.debian.org/trixie/iputils-ping) | `ping` — ICMP reachability testing | +| [`traceroute`](https://linux.die.net/man/8/traceroute) | Trace the route packets take to a host | +| [`mtr`](https://github.com/traviscross/mtr) | Combines `traceroute` and `ping` in a single real-time diagnostic | +| [`nmap`](https://nmap.org/) | Network exploration and port scanning | +| [`ncat`](https://nmap.org/ncat/) | Nmap's netcat — TCP/UDP connections, port scanning, proxying | +| [`telnet`](https://linux.die.net/man/1/telnet) | Quick TCP connectivity checks | +| [`tcpdump`](https://www.tcpdump.org/) | Packet capture and analysis | +| [`dsniff`](https://www.monkey.org/~dugsong/dsniff/) | Network auditing and penetration testing tools | + +### Network Configuration + +| Tool | Description | +|------|-------------| +| [`iproute2`](https://wiki.linuxfoundation.org/networking/iproute2) | Modern Linux networking: `ip`, `ss`, `tc`, `bridge` | +| [`net-tools`](https://packages.debian.org/trixie/net-tools) | Classic networking: `ifconfig`, `netstat`, `arp`, `route` | +| 
[`conntrack`](https://conntrack-tools.netfilter.org/) | Inspect and manage Netfilter connection tracking entries | + +### TLS & Security + +| Tool | Description | +|------|-------------| +| [`openssl`](https://www.openssl.org/) | TLS/SSL toolkit — inspect certificates, test connections, generate keys | +| [`gnupg`](https://gnupg.org/) | GPG encryption and signing | + +### Performance & Monitoring + +| Tool | Description | +|------|-------------| +| [`htop`](https://htop.dev/) | Interactive process viewer | +| [`atop`](https://www.atoptool.nl/) | Advanced system and process monitor with historical data | +| [`sysstat`](https://github.com/sysstat/sysstat) | `sar`, `iostat`, `mpstat`, `pidstat` — CPU, memory, I/O, and network stats | +| [`hey`](https://github.com/rakyll/hey) | HTTP load generator and benchmarking tool | +| [`speedtest`](https://www.speedtest.net/apps/cli) | Ookla's Speedtest CLI for internet bandwidth testing | + +### System & Process Debugging + +| Tool | Description | +|------|-------------| +| [`strace`](https://github.com/strace/strace) | Trace system calls and signals between processes and the kernel | +| [`bpftool`](https://github.com/libbpf/bpftool) | Inspect and manipulate eBPF programs and maps | +| [`psmisc`](https://gitlab.com/psmisc/psmisc) | Process utilities: `pstree`, `killall`, `fuser` | + +### Data Services + +| Tool | Description | +|------|-------------| +| [`kcat`](https://github.com/edenhill/kcat) | Apache Kafka producer and consumer (formerly kafkacat) | +| [`redis-tools`](https://redis.io/docs/getting-started/) | `redis-cli` — connect and interact with Redis instances | + +### Kubernetes & Container Runtime + +| Tool | Description | +|------|-------------| +| [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) | CRI-compatible container runtime CLI, pre-configured for containerd | + +### Cloud CLI + +| Tool | Description | +|------|-------------| +| 
[`az`](https://learn.microsoft.com/en-us/cli/azure/) | Azure CLI for managing Azure resources directly from the pod | + +### General Utilities + +| Tool | Description | +|------|-------------| +| [`vim`](https://github.com/vim/vim) | Powerful text editor | +| [`screen`](https://www.gnu.org/software/screen/) | Terminal multiplexer for managing multiple shell sessions | +| [`jq`](https://github.com/stedolan/jq) | Lightweight command-line JSON processor | +| [`man`](https://linux.die.net/man/) | Manual pages for installed tools | + +--- ## Tips and Tricks -### chroot + systemctl +### Access the host filesystem + +When running with the provided DaemonSet / Deployment manifests, the host root filesystem is mounted at `/host`. You can chroot into it to interact with the node directly: ```bash chroot /host /bin/bash +``` + +### Inspect kubelet and system services + +After chrooting into the host: + +```bash systemctl status kubelet -journalctl -xe -journalctl -u kubelet +journalctl -u kubelet --since "5 minutes ago" +journalctl -u containerd -f ``` + +### Test HTTP/3 (QUIC) connectivity + +```bash +curl --http3 -I https://cloudflare.com +curl --http3 -I https://google.com +``` + +### Inspect TLS certificates + +```bash +# Check a remote certificate +openssl s_client -connect example.com:443 -servername example.com /dev/null | openssl x509 -noout -text + +# Quick expiry check +openssl s_client -connect example.com:443 -servername example.com /dev/null | openssl x509 -noout -dates +``` + +### DNS troubleshooting + +```bash +dig example.com +dig @8.8.8.8 example.com +short +nslookup my-service.my-namespace.svc.cluster.local +``` + +### Capture and analyze traffic + +```bash +# Capture DNS traffic +tcpdump -i any port 53 -nn + +# Capture HTTP traffic to a specific host +tcpdump -i any host 10.0.0.1 and port 80 -A +``` + +### Kafka operations + +```bash +# List topics +kcat -b kafka-broker:9092 -L + +# Consume messages +kcat -b kafka-broker:9092 -t my-topic -C -o beginning -c 
10 +``` + +### Container runtime inspection + +```bash +# List running containers +crictl ps + +# Get container logs +crictl logs + +# Inspect a pod sandbox +crictl inspectp +``` + +### HTTP load testing + +```bash +# Send 1000 requests with 50 concurrent workers +hey -n 1000 -c 50 https://my-service:8080/health +``` + +### Visualize HTTP timing + +```bash +httpstat https://my-service:8080/api/health +``` + +--- + +## Building locally + +```bash +docker buildx build --platform "linux/amd64" --output type=docker --tag debug-pod -f Dockerfile . +``` + +--- + +## Credits + +Originally forked from [digitalocean/doks-debug](https://github.com/digitalocean/doks-debug). Maintained by [NOS Portugal](https://github.com/nosportugal). From a9ab35f00e273bfe4b66db0b00ae322e31a98674 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 18:54:45 +0000 Subject: [PATCH 34/41] docs(license): update copyright year for NOS Portugal --- LICENSE | 1 + 1 file changed, 1 insertion(+) diff --git a/LICENSE b/LICENSE index 9432ffc..2ce255c 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,7 @@ MIT License Copyright (c) 2021 DigitalOcean +Copyright (c) 2025-2026 NOS Portugal Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From d4d3e09ad97e8922f6c59102da2723b2394bbc51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 18:54:51 +0000 Subject: [PATCH 35/41] feat(k8s): update image references and Docker repo * Change image in DaemonSet and Deployment to ghcr.io/nosportugal/debug-pod * Update Docker repository in env script * Remove disabled checks annotation --- k8s/daemonset.yaml | 3 +-- k8s/deployment.yaml | 3 +-- script/env | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 55506ac..f04fad6 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml 
@@ -14,7 +14,6 @@ spec: labels: name: doks-debug annotations: - clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: dnsPolicy: ClusterFirstWithHostNet @@ -27,7 +26,7 @@ spec: - name: doks-debug securityContext: privileged: true - image: ghcr.io/digitalocean-packages/doks-debug:latest + image: ghcr.io/nosportugal/debug-pod:latest command: [ "sleep", "infinity" ] resources: requests: diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 18d0aca..8ad9308 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -15,7 +15,6 @@ spec: labels: name: doks-debug annotations: - clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: dnsPolicy: ClusterFirstWithHostNet @@ -28,7 +27,7 @@ spec: - name: doks-debug securityContext: privileged: true - image: ghcr.io/digitalocean-packages/doks-debug:latest + image: ghcr.io/nosportugal/debug-pod:master command: [ "sleep", "infinity" ] resources: requests: diff --git a/script/env b/script/env index 2f30365..4492b08 100755 --- a/script/env +++ b/script/env @@ -1,3 +1,3 @@ #!/usr/bin/env bash set -euo pipefail -export DOCKER_REPO="digitalocean/doks-debug" \ No newline at end of file +export DOCKER_REPO="nosportugal/debug-pod" \ No newline at end of file From 255097045049e0a760b23f3edf0b0cb45939fb7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 19:01:54 +0000 Subject: [PATCH 36/41] fix(k8s): rename doks-debug to debug-pod in manifests * Updated DaemonSet and Deployment names and labels to debug-pod. * Ensured consistency across test workflow and container names. --- .github/workflows/test.yaml | 4 ++-- k8s/daemonset.yaml | 10 +++++----- k8s/deployment.yaml | 10 +++++----- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 8c6e931..48a72b2 100644 
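Review bot: The new `image: ghcr.io/nosportugal/debug-pod:latest` (and `:master` in the deployment.yaml hunk below) is a mutable tag on a container that runs with `privileged: true` in `kube-system`, so anyone who can push to that GHCR package can replace the code that runs as root on the nodes without any change to these manifests. Pin the reference by digest, e.g. `image: ghcr.io/nosportugal/debug-pod:master@sha256:<digest>`, and bump the digest when a new build is promoted; a tag can stay on the line as a human-readable label. The two manifests also disagree on which tag to track in this commit, which makes it unclear which build is meant to be the supported one. If the cosign signing in the release workflow is kept, consider enforcing it at admission so an unsigned image under the same tag is rejected.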
--- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -16,7 +16,7 @@ jobs: fetch-depth: 1 - name: build image - run: docker build --platform linux/amd64 -t doks-debug . + run: docker build --platform linux/amd64 -t debug-pod . - name: smoke test - run: docker run --rm doks-debug sleep 1 + run: docker run --rm debug-pod sleep 1 diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index f04fad6..6146db5 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -1,18 +1,18 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - name: doks-debug + name: debug-pod namespace: kube-system labels: - app: doks-debug + app: debug-pod spec: selector: matchLabels: - name: doks-debug + name: debug-pod template: metadata: labels: - name: doks-debug + name: debug-pod annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: @@ -23,7 +23,7 @@ spec: tolerations: - operator: Exists containers: - - name: doks-debug + - name: debug-pod securityContext: privileged: true image: ghcr.io/nosportugal/debug-pod:latest diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 8ad9308..a8b5a00 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -1,19 +1,19 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: doks-debug + name: debug-pod namespace: kube-system labels: - app: doks-debug + app: debug-pod spec: replicas: 1 selector: matchLabels: - name: doks-debug + name: debug-pod template: metadata: labels: - name: doks-debug + name: debug-pod annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: @@ -24,7 +24,7 @@ spec: tolerations: - operator: Exists containers: - - name: doks-debug + - name: debug-pod securityContext: privileged: true image: ghcr.io/nosportugal/debug-pod:master From 13b566dfa05e104d57852134213c09b1a5853cd9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 19:07:45 +0000 Subject: [PATCH 37/41] test(workflow): update smoke test to check kubectl version --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 48a72b2..fbf968a 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -19,4 +19,4 @@ jobs: run: docker build --platform linux/amd64 -t debug-pod . - name: smoke test - run: docker run --rm debug-pod sleep 1 + run: docker run --rm debug-pod kubectl version --client From 70d10906b0e0134e68ee37aed779a6d700e2b177 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 19:11:20 +0000 Subject: [PATCH 38/41] ci(workflow): update release workflows and remove slim variant * Upgrade actions/checkout to v6 * Upgrade sigstore/cosign-installer to v4 * Upgrade docker/setup-buildx-action to v3 * Upgrade docker/login-action to v3 * Upgrade docker/metadata-action to v5 * Upgrade docker/build-push-action to v6 * Remove release_slim.yaml workflow * Update test workflow to use buildx for image building --- .github/workflows/release.yaml | 37 ++---------- .github/workflows/release_slim.yaml | 90 ----------------------------- .github/workflows/test.yaml | 17 +++--- 3 files changed, 15 insertions(+), 129 deletions(-) delete mode 100644 .github/workflows/release_slim.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7a0a02d..929ee5a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -6,9 +6,7 @@ on: - master env: - # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io - # github.repository as / IMAGE_NAME: ${{ github.repository }} jobs: 
@@ -18,49 +16,36 @@ jobs: permissions: contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. id-token: write steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v6 - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@v3.3.0 - with: - cosign-release: 'v2.2.2' # optional + uses: sigstore/cosign-installer@v4 - # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + uses: docker/setup-buildx-action@v3 - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + uses: docker/build-push-action@v6 with: context: . platforms: linux/amd64,linux/arm64 
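Review bot: This hunk replaces commit-SHA pins (`docker/setup-buildx-action@79abd3f…`, `docker/login-action@28218f…`, `docker/metadata-action@98669a…`, `docker/build-push-action@ac9327…`) with floating major tags, and drops the explicit `cosign-release` pin on `sigstore/cosign-installer`, which is a supply-chain regression for a job that holds `packages: write` and `id-token: write`. A moved or hijacked `v3`/`v5`/`v6` tag could exfiltrate the `GITHUB_TOKEN` or push and sign an image under this repository's identity. Keep the version bumps but pin each action to the full commit SHA of the intended release with the tag as a trailing comment, e.g. `uses: docker/build-push-action@<sha> # v6.x`, and let Dependabot or Renovate move the SHAs. The same applies to `actions/checkout@v6`, which previously was pinned in the test workflow.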
@@ -70,16 +55,6 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/release_slim.yaml b/.github/workflows/release_slim.yaml deleted file mode 100644 index 9dcf124..0000000 --- a/.github/workflows/release_slim.yaml +++ /dev/null 
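Review bot: Dropping `COSIGN_EXPERIMENTAL` is correct for cosign v2, where keyless signing is the default, but the removed comment block was the only documentation that this step signs with the job's OIDC identity and writes a record to the public Rekor transparency log. Keep a two-line comment above the step stating that `cosign sign --yes` here uses the workflow's `id-token` to obtain a Fulcio certificate and publishes to Rekor, so a later maintainer does not treat the step as a no-op or reintroduce a key-based flow by accident. Also note in the comment that the digest from `build-and-push` is what is signed, not the tag, which is why every tag is suffixed with `@${digest}`.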
@@ -1,90 +0,0 @@ -name: release_slim - -on: - push: - branches: - - master - paths: - - 'Slim/**' - workflow_dispatch: -env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }}-slim - -jobs: - build: - - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - defaults: - run: - working-directory: ./Slim - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@v3.3.0 - with: - cosign-release: 'v2.2.2' # optional - - # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a - with: - context: ./Slim - file: ./Slim/Dockerfile - platforms: linux/amd64,linux/arm64 - push: ${{ 
github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index fbf968a..abc33f4 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,9 +1,9 @@ name: test on: - pull_request: - paths-ignore: - - 'Slim/**' + pull_request: + paths-ignore: + - 'Slim/**' jobs: test: @@ -11,12 +11,13 @@ jobs: steps: - name: checkout - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 - with: - fetch-depth: 1 + uses: actions/checkout@v6 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: build image - run: docker build --platform linux/amd64 -t debug-pod . + run: docker buildx build --platform linux/amd64 --load -t debug-pod . - name: smoke test - run: docker run --rm debug-pod kubectl version --client + run: docker run --rm debug-pod curl --version | head -1 From e52a77e50307d8f36f3b2be50b08ea9a1daba724 Mon Sep 17 00:00:00 2001 
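Review bot: The new smoke test `docker run --rm debug-pod curl --version | head -1` can no longer fail, because a `run` step without an explicit `shell:` executes under `bash -e` without `pipefail`, so the step's exit status is `head`'s, not `docker run`'s; a missing or broken `curl` binary would still pass CI. Either drop the pipe — `run: docker run --rm debug-pod curl --version` — or add `shell: bash` to the step, which GitHub runs as `bash --noprofile --norc -eo pipefail {0}`. If the intent is to assert HTTP/3 support, as the README claims, grep for it explicitly so the test checks the feature rather than just the banner, e.g. `docker run --rm debug-pod curl --version | grep -q HTTP3` together with `shell: bash`. The `actions/checkout` pin was also changed from a commit SHA to a floating tag here.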
From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 19:13:26 +0000 Subject: [PATCH 39/41] Update k8s/daemonset.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: João Trigo Soares --- k8s/daemonset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 6146db5..201b794 100644 --- a/k8s/daemonset.yaml +++ b/k8s/daemonset.yaml @@ -26,7 +26,7 @@ spec: - name: debug-pod securityContext: privileged: true - image: ghcr.io/nosportugal/debug-pod:latest + image: ghcr.io/nosportugal/debug-pod:master command: [ "sleep", "infinity" ] resources: requests: From fdc36f60bb2927f86f7e27bf63e1c6a2103b813a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 19:15:02 +0000 Subject: [PATCH 40/41] chore(Slim): remove unused Dockerfile for slim variant --- Slim/Dockerfile | 39 --------------------------------------- 1 file changed, 39 deletions(-) delete mode 100644 Slim/Dockerfile diff --git a/Slim/Dockerfile b/Slim/Dockerfile deleted file mode 100644 index cf578a1..0000000 --- a/Slim/Dockerfile +++ /dev/null 
@@ -1,39 +0,0 @@ -FROM debian:12-slim - -LABEL maintainer="Slim Debug Pod" - -# Install essential network debugging tools -RUN export DEBIAN_FRONTEND=noninteractive && \ - apt-get update && \ - apt-get install -y --no-install-recommends \ - # Basic network tools - curl \ - wget \ - netcat-openbsd \ - telnet \ - iputils-ping \ - traceroute \ - dnsutils \ - iperf3 \ - socat \ - jq \ - openssl \ - # Analysis tools - tcpdump \ - net-tools \ - iproute2 \ - lsof \ - # Basic utilities - vim \ - nano \ - bash \ - procps && \ - # Cleanup to reduce size - apt-get clean && \ - rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* - -# Definir bash como shell padrão -SHELL ["/bin/bash", "-c"] - -# Keep container running for debugging -CMD ["tail", "-f", "/dev/null"] \ No newline at end of file From 2ad1496cbdbda1da809d469a974333061fa3c79a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Trigo=20Soares?= Date: Tue, 10 Feb 2026 19:16:27 +0000 Subject: [PATCH 41/41] perf(Dockerfile): optimize build process with parallel jobs * Use `make --jobs=$(nproc)` for faster builds of nghttp3, ngtcp2, and curl. * Improves build efficiency by utilizing available CPU cores. --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index cf72340..76d6277 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,7 +22,7 @@ RUN git clone -b $NGHTTP3_VERSION https://github.com/ngtcp2/nghttp3 && \ git submodule update --init && \ autoreconf -fi && \ ./configure --prefix=/usr/local --enable-lib-only && \ - make && \ + make --jobs=$(nproc) && \ make install # Build ngtcp2 (with system OpenSSL 3.5+) @@ -31,7 +31,7 @@ RUN git clone -b $NGTCP2_VERSION https://github.com/ngtcp2/ngtcp2 && \ autoreconf -fi && \ ./configure PKG_CONFIG_PATH=/usr/local/lib/pkgconfig \ --prefix=/usr/local --enable-lib-only --with-openssl && \ - make && \ + make --jobs=$(nproc) && \ make install # Build curl with HTTP/3 (ngtcp2 + nghttp3) + HTTP/2 (nghttp2) + TLS (OpenSSL) 
@@ -41,7 +41,7 @@ RUN git clone https://github.com/curl/curl && \ autoreconf -fi && \ ./configure PKG_CONFIG_PATH=/usr/local/lib/pkgconfig \ --with-openssl --with-nghttp3 --with-ngtcp2 --with-nghttp2 --with-zlib && \ - make && \ + make --jobs=$(nproc) && \ make install