Use v1.Container in Debug Containers API #1269
Conversation
k8s-ci-robot
added
size/L
k8s-ci-robot
added
sig/node
| } | ||
| ``` | ||
|
|
||
| Note that Debug Containers are not regular containers and should not be used to |
There was a problem hiding this comment.
s/debug/ephemeral/g, based on where the review of the last PR ended up?
There was a problem hiding this comment.
We've ended up in a situation where this is "Debug Containers" to sig-node and the kubelet and "Ephemeral Containers" In the API. I don't think the matter was resolved in the last PR, but I hope we can settle it here.
| will not be allowed for Debug Containers. A request will be rejected if any | ||
| field is set other than the following whitelisted fields: `Name`, `Image`, | ||
| `Command`, `Args`, `WorkingDir`, `Env`, `EnvFrom`, `ImagePullPolicy`, | ||
| `SecurityContext`. `TTY` and `Stdin` are always enabled for Debug Containers and |
There was a problem hiding this comment.
Running an ephemeral container with non-interactive diagnostics and viewing the log would not require tty/stdin. Are there any containers where enabling tty/stdin would cause problems?
There was a problem hiding this comment.
Yeah I don't see why you'd mandate those features on?
There was a problem hiding this comment.
iirc this came from a conversation from @thockin and @vishh about how having configurable stdin/tty has caused confusion for users and been more trouble than it was worth. I don't feel strongly.
Some containers don't require tty/stdin, but is there a downside to them being always on? This is a new feature, so there aren't backwards compatibility concerns here.
| We can either using an existing subresource like `/exec` and have the call | ||
| stream or not based on `PodExecOptions`, or we can create a new subresource that | ||
| never streams. For the sake of consistency, we will create a new subresource | ||
| named `/debug`. This has the added benefit of being able to entirely hide |
There was a problem hiding this comment.
A separate subresource makes a lot of sense to me. Adding a newly defined container (new image, new security settings, envvars, etc) is very different from exec, defining the API we want for it seems like a good idea.
There was a problem hiding this comment.
/execEphemeralContainer -- anything other than /debug.
A new endpoint seems good for the super-security conscious at the expense of making everything more complicated for everyone else. I don't have a strong opinion.
There was a problem hiding this comment.
/execEphemeralContainer -- anything other than /debug.
probably want lowercase resources, but yes
A new endpoint seems good for the super-security conscious at the expense of making everything more complicated for everyone else. I don't have a strong opinion.
it's good for isolating the function for policy purposes, but also lets us support envvars, capabilities, and other useful knobs for shaping the environment of the ephemeral container in a way consistent with existing pods
There was a problem hiding this comment.
probably want lowercase resources
er, right
it's good for isolating the function for policy purposes, but also lets us support envvars, capabilities, and other useful knobs for shaping the environment of the ephemeral container in a way consistent with existing pods
I stand by my previous response :)
| 1. A `POST` of a `PodDebugContainer` to | ||
| `/api/v1/namespaces/$NS/pods/$POD_NAME/debug` to create a Debug Container | ||
| running in pod `$POD_NAME`. | ||
| 1. A `DELETE` of `/api/v1/namespaces/$NS/pods/$POD_NAME/debug/$NAME` will stop |
There was a problem hiding this comment.
Named subresources are a thing I have wanted, but not something we currently have, which could make this tricky. I'd see this as nice-to-have, but not essential (as noted in the previous PR, things like exec sessions are not currently able to be individually terminated via the API)
There was a problem hiding this comment.
I suggest allowing only one ephemeral container at a time for the moment, and then you don't need the additional level? We don't support this at the moment.
There was a problem hiding this comment.
alternately, DELETE of /api/v1/namespaces/$NS/pods/$POD_NAME/ephemeralcontainers stops all ephemeral containers
There was a problem hiding this comment.
Agree we can live without it for now
There was a problem hiding this comment.
SGTM, I will omit it for now.
| `SecurityContext`. `TTY` and `Stdin` are always enabled for Debug Containers and | ||
| will be ignored. | ||
|
|
||
| The new `/debug` subresource allows the following: |
| the existing attach endpoint, `/api/v1/namespaces/$NS/pods/$POD_NAME/attach`. | ||
| Note that any output of the new container between its creation and subsequent | ||
| attach will not be replayed and can only be viewed using `kubectl log`. | ||
|
|
There was a problem hiding this comment.
Will the ephemeral container appear in the response when I GET the pod?
There was a problem hiding this comment.
only the status of it, not the spec
| @@ -441,10 +448,11 @@ The kubelet exposes the new functionality in its existing `/exec/` endpoint. | |||
| `ServeExec()` constructs a `v1.Container` based on `PodExecOptions`, calls | |||
| `RunDebugContainer()`, and performs the attach. | |||
|
|
|||
| ##### Step 4: Reporting DebugStatus | |||
| ##### Step 4: Reporting EphemeralContainerStatus | |||
There was a problem hiding this comment.
Ah, looks like the answer is yes.
|
This LGTM to me if you can fix the naming (consistency + debug -> ephemeral). |
| Note that `Command` and `Args` must be tracked in the status object because | ||
| there is no spec for Debug Containers or exec. These must either be made | ||
| Note that `Command` and `Args` would have to be tracked in the status object | ||
| because there is no spec for Debug Containers or exec. These must either be made | ||
| available by the runtime or tracked by the kubelet. For Debug Containers this |
There was a problem hiding this comment.
doesn't the whole ephemeral container have to be tracked by the kubelet anyway?
There was a problem hiding this comment.
why just the command and args? admission uses the definitions of containers to determine whether a user can do things like exec/attach to those containers ("cannot exec into a pod with containers running as root", etc). Container status alone (EphemeralContainerStatuses []v1.ContainerStatus) wouldn't include enough information about the ephemeral containers to make that determination.
what if the submitted ephemeral container and its status were both made available in pod status?
type PodStatus struct {
...
EphemeralContainers []v1.EphemeralContainer
}
type EphemeralContainer struct {
Spec v1.Container
Status v1.ContainerStatus
}
There was a problem hiding this comment.
The kubelet currently has no method of keeping state of the v1.Container across restarts. After a restart, it can reconstruct a minimum v1.Container based on runtime labels, though. This could (but currently doesn't) include Command and Args, which can be queried from the run time.
Including the spec in the PodStatus would be pretty great, though, so it might be worth solving. @lavalamp what do you think about this?
There was a problem hiding this comment.
Remind me why this got reopened for discussion? I feel like if we keep going down this route we will end up at my original position of adding a type of ephemeral to containers, and allowing users to add or remove such containers from the spec.
There was a problem hiding this comment.
I think sig-auth just wants to make this works well with admission controllers and has a strong preference for using v1.Container, for many good reasons.
@liggitt This is an important feature to sig-node, but we've been stuck for about a year. If a v1.Container is available to admission controllers for the creation request, can you live with only ContainerStatus for attach, at least for alpha? We don't need to allow exec.
There was a problem hiding this comment.
The kubelet currently has no method of keeping state of the v1.Container across restarts.
I expected the kubelet to:
- update pod status with the ephemeral container definition/status as it created the container
- update the ephemeral container status by name from observed container state during normal sync
- remove the ephemeral container from the pod status when the ephemeral container was removed
None of that requires the kubelet remembering the ephemeral container definition beyond the initial create, right?
If a v1.Container is available to admission controllers for the creation request, can you live with only ContainerStatus for attach, at least for alpha? We don't need to allow exec.
Two thoughts:
- attach (which is the intended use case here) requires almost identical protections to exec ("cannot attach to a pod with containers running as root", etc). If the create of the ephemeral container and the attach to it are separate API calls, but the container definition is unavailable at attach time, I'm unsure how that would be implementable.
- the structure of an ephemeral container field in the pod status could not be changed in an incompatible way (if the schema of the alpha field must change in an incompatible way, a new field name must be used), so if we started with
EphemeralContainerStatuses []v1.ContainerStatus, that couldn't grow to include the container definition as alpha progressed.
| build services. They have no guarantees and most of the fields of `v1.Container` | ||
| will not be allowed for Debug Containers. A request will be rejected if any | ||
| field is set other than the following whitelisted fields: `Name`, `Image`, | ||
| `Command`, `Args`, `WorkingDir`, `Env`, `EnvFrom`, `ImagePullPolicy`, |
There was a problem hiding this comment.
are HostNetwork/HostPID/HostIPC inherited from the pod spec?
There was a problem hiding this comment.
should also document the fact that not all v1.Container fields are allowed in a way that doesn't preclude supporting new container fields that make sense in the future, and we should reject requests that set disallowed fields rather than silently drop them.
There was a problem hiding this comment.
Yeah, I think it's a possibility that we'll want to support more of these fields as time goes on.
There was a problem hiding this comment.
Actually, the namespaces will be inherited from the target container. Originally it was going to be inherited from the pod spec. This is something that changed a few weeks ago because we're now going to support isolated PID namespaces indefinitely, and it's not reflected in this API alternative.
With exec++ the target container was provided in PodExecOptions, but switching the API means we either have to provide the target in the URI, the posted EphemeralContainer or... query params? I haven't looked into this at all yet.
| 1. A `POST` of a `PodDebugContainer` to | ||
| `/api/v1/namespaces/$NS/pods/$POD_NAME/debug` to create a Debug Container | ||
| running in pod `$POD_NAME`. | ||
| 1. A `DELETE` of `/api/v1/namespaces/$NS/pods/$POD_NAME/debug/$NAME` will stop |
There was a problem hiding this comment.
Agree we can live without it for now
| ``` | ||
| // EphemeralContainer describes a container to attach to a running pod for troubleshooting. | ||
| type EphemeralContainer struct { | ||
| metav1.TypeMeta |
There was a problem hiding this comment.
I assume the name has to be unique within the pod?
There was a problem hiding this comment.
Yes, but the container name would be embedded in the ContainerSpec.
This type probably doesn't need an ObjectMeta--I would try it that way and see if any of the encoding stack gives you a problem.
There was a problem hiding this comment.
Yes, it must be unique within the pod because it will be used for attach, logs, etc. Thanks for the tip on ObjectMeta, I will try it.
| Note that `Command` and `Args` must be tracked in the status object because | ||
| there is no spec for Debug Containers or exec. These must either be made | ||
| Note that `Command` and `Args` would have to be tracked in the status object | ||
| because there is no spec for Debug Containers or exec. These must either be made | ||
| available by the runtime or tracked by the kubelet. For Debug Containers this | ||
| could be stored as runtime labels, but the kubelet currently has no method of | ||
| storing state across restarts for exec. Solving this problem for exec is out of | ||
| scope for Debug Containers, but we will look for a solution as we implement this | ||
| feature. |
There was a problem hiding this comment.
@smarterclayton was there something were you mentioning that allowed connecting data to running containers?
verb
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
I'd like to get this into the alpha slot for 1.10. |
| // If specified, the ephemeral container will be started in the namespaces | ||
| // of this TargetContainerName. If omitted the container will inherit the | ||
| // behavior of the pod for namespaces. | ||
| TargetContainerName string `json:"spec" ...` |
There was a problem hiding this comment.
copy/pasta, json:"targetContainerName"
| @@ -437,14 +453,15 @@ Containers unless the sandbox is restarted. | |||
|
|
|||
| ##### Step 3: kubelet API changes | |||
|
|
|||
| The kubelet exposes the new functionality in its existing `/exec/` endpoint. | |||
| The kubelet exposes the new functionality in a new `/podDebug/` endpoint. | |||
There was a problem hiding this comment.
needs updating to indicate it is given the v1.Container and optional target container name, and doesn't perform the attach (the attach is a separate call).
does this call block until the new container is picked up by the sync loop or the ephemeral spec/status is reported back to the pod API object? I assume the kubelet is responsible for rejecting racing attempts to run two debug containers with the same name in a given pod... where does that happen?
| @@ -387,14 +407,10 @@ basic functionality: | |||
| * `kubectl describe pod` will list status of debug containers running in a pod | |||
|
|
|||
| Functionality will be hidden behind an alpha feature flag and disabled by | |||
| default. The following are explicitly out of scope for the 1.9 alpha release: | |||
| default. The following are explicitly out of scope for the 1.10 alpha release: | |||
|
|
|||
| * Exited Debug Containers will be garbage collected as regular containers and | |||
| may disappear from the list of Debug Container Statuses. | |||
There was a problem hiding this comment.
Exited Debug Containers will be garbage collected as regular containers and may disappear from the list of Debug Container Statuses.
harmonize this with the "The list of EphemeralContainerStatuses is never truncated." statement below
Agree. API-wise, this seems to have the info I would expect now (v1.Container in debug request, container spec and status persisted to allow gating attach requests). More detail is needed for information flow and sequence (which component persists which bits, synchronously or asynchronously, etc) and some edge cases (what happens on kubelet restart? kubelet+CRI restart?), but that can be a further iteration. |
|
@liggitt awesome, thanks for the quick feedback. Since this looks to be heading in the right direction for the API, I'll double check it's still acceptable to sig-node and then do a more complete rewrite addressing your comments. |
|
|
||
| An Ephemeral Container is not part of the pod specification as it's not part of | ||
| the declared state of the pod, but we describe it using the same primitives as | ||
| in `PodSpec`. An `EphemeralContainer` contains a Spec, a Status and a Target: |
There was a problem hiding this comment.
what verbs does the subresource support?
| ... | ||
| // List of user-initiated ephemeral containers that have been run in this pod. | ||
| // +optional | ||
| EphemeralContainers []EphemeralContainer `json:"commands,omitempty" protobuf:"bytes,11,rep,name=ephemeralContainers"` |
There was a problem hiding this comment.
I still strongly disagree with listing a container spec anywhere inside pod status.
There was a problem hiding this comment.
I also maintain that you cannot use the same type as the subresource for this in any case-- no typemeta/metadata makes sense here.
|
Sorry, I think I already said these things on the PR. This came up in my email and I thought it was a recent update but now I think it hasn't been updated recently. Sorry for the noise. |
| container occurring between its creation and attach will not be replayed, but it | ||
| can be viewed using `kubectl log`. | ||
|
|
||
| #### Alternative 1: "exec++" |
There was a problem hiding this comment.
@verb can you add a few lines to describe why these alternatives were not chosen at the end?
k8s-ci-robot
removed
the
lgtm
verb
force-pushed
the
pod-troubleshooting-use-container
branch
from
dcb6695
to
57f2c71
Compare
k8s-ci-robot
added
size/XL
After discussing with API reviewers and relevant SIG leads, we've agreed that the configuration for Ephemeral Containers should live in the pod spec.
verb
force-pushed
the
pod-troubleshooting-use-container
branch
from
57f2c71
to
502b757
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
BTW, speaking of from scratch images, I hit a case in tiller the other day where using a thin image where the go binary is statically linked, there is no /etc/nsswitch.conf, the go resolver will default to 'dns, files' which means if your dns search path happens to have a 'localhost.foo.whatever' and your search path includes foo.whatever, localhost resolves to localhost.foo.whatever's. This is very unexpected/unfortunate. As this is a common k8s method of deployment, we might want to address this. Should we file an issue in k8s? in go? |
|
I think that is a broken resolver and a broken DNS config. You should
never have a host named localhost, and DNS clients should not try to
resolve it
…On Thu, Aug 23, 2018 at 5:23 PM kfox1111 ***@***.***> wrote:
BTW, speaking of from scratch images, I hit a case in tiller the other day
where using a thin image where the go binary is statically linked, there is
no /etc/nsswitch.conf, the go resolver will default to 'dns, files' which
means if your dns search path happens to have a 'localhost.foo.whatever'
and your search path includes foo.whatever, localhost resolves to
localhost.foo.whatever's. This is very unexpected/unfortunate. As this is a
common k8s method of deployment, we might want to address this. Should we
file an issue in k8s? in go?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1269 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVF_t3LOwXtJoBQD4rACpILW12OP3ks5uT0dugaJpZM4QGMMg>
.
|
|
I agree on both accounts. :) So, its a bug in golangs resolver then and we need to get golang to fix it. |
|
one other possibility, as the golang devs have known about the issue for a while and have ignored it, would be to have k8s create /etc/nsswitch.conf by default in the container with some sane defaults like it does resolv.conf and hosts. |
|
The problem is that nsswitch (I assume that is what you meant) is an
artifact of glibc's DNS resolver. Are we willing to manage that file in
perpetuity for all users? Also, this will brek any image that has a custom
nsswitch file built-in.
…On Thu, Aug 23, 2018 at 5:38 PM kfox1111 ***@***.***> wrote:
one other possibility, as the golang devs have known about the issue for a
while and have ignored it, would be to have k8s create /etc/nslookup.conf
by default in the container with some sane defaults like it does
resolv.conf and hosts.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1269 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVG56Vjf8ClThmlrKZOUCAQlyuF5jks5uT0r9gaJpZM4QGMMg>
.
|
|
yeah, thats what I meant. It would suck to maintain it for ever, but it is unclear if anyone else is willing to fix it. Its been a known issue for a long time apparently. Is it easy to do it conditionally? check if the file exists, and if not inject it? Alternately, it should be exceedingly rare I think for that file to be non default. We could make it default to always override it, and add a flag not too. |
|
I'm not sure what a good answer here looks like. It's sort of a broekn
image that depends on it but doesn't provide it. Can we really be in the
business of fixing broken images dynamically?
Maybe we can instead raise the heat on the Go devs to get a discussion
going?
…On Mon, Aug 27, 2018 at 11:02 AM kfox1111 ***@***.***> wrote:
yeah, thats what I meant. It would suck to maintain it for ever, but it is
unclear if anyone else is willing to fix it. Its been a known issue for a
long time apparently.
Is it easy to do it conditionally? check if the file exists, and if not
inject it?
Alternately, it should be exceedingly rare I think for that file to be non
default. We could make it default to always override it, and add a flag not
too.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1269 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVG76CNnPaBIVQzW07qKUL-slcDavks5uVDQZgaJpZM4QGMMg>
.
|
|
the image is not broken in that is provides a libc that never uses it (not glibc). So it doesn't provide a file it isn't going to use. go is assuming it is using glibc and following glibc convention for how to behave when nsswitch is missing. the binary is statically linked though so doesn't actually use libc. The end user is expecting a statically linked binary to work properly on any linux, and is preferring alpine as its smaller and we're encouraging smaller containers. So, its hard to point at any one thing as the thing to fix, but it is unexpectedly effecting users. We can raise it with the go devs again and see what they say. |
|
Please feel free to loop me into a discussion with go devs.
…On Tue, Aug 28, 2018, 8:18 AM kfox1111 ***@***.***> wrote:
the image is not broken in that is provides a libc that never uses it (not
glibc). So it doesn't provide a file it isn't going to use. go is assuming
it is using glibc and following glibc convention for how to behave when
nsswitch is missing. the binary is statically linked though so doesn't
actually use libc. The end user is expecting a statically linked binary to
work properly on any linux, and is preferring alpine as its smaller and
we're encouraging smaller containers. So, its hard to point at any one
thing as the thing to fix, but it is unexpectedly effecting users. We can
raise it with the go devs again and see what they say.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1269 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVH90U4yWf-ucpEURspPYEbZfFu8nks5uVV8-gaJpZM4QGMMg>
.
|
|
|
||
| ## Feature Summary | ||
|
|
||
| Any new debugging functionality will require training users. We can ease the | ||
| transition by building on an existing usage pattern. We will create a new | ||
| command, `kubectl debug`, which parallels an existing command, `kubectl exec`. | ||
| Whereas `kubectl exec` runs a *process* in a *container*, `kubectl debug` will | ||
| be similar but run a *container* in a *pod*. | ||
| Whereas `kubectl exec` runs a _process_ in a _container_, `kubectl debug` will |
There was a problem hiding this comment.
i think this is underdocumented here https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/ that kubectl exec runs a process in an existing container
| As is already the case with regular containers, Debug Containers can enter | ||
| arbitrary namespaces of another container via `nsenter` when run with | ||
| `CAP_SYS_ADMIN`. | ||
| the pod. When [process namespace sharing](https://features.k8s.io/495) is |
There was a problem hiding this comment.
the top line should make it more clear that this creates a new container and runs an interactive shell inside that container . This creates a new container and starts an interactive shell inside that container in a pod called target-pod which can examine and signal other processes in the pod
| // List of user-initiated ephemeral containers to run in this pod. | ||
| // This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature. | ||
| // +optional | ||
| EphemeralContainers []EphemeralContainer `json:"ephemeralContainers,omitempty" protobuf:"bytes,29,opt,name=ephemeralContainers"` |
There was a problem hiding this comment.
how is this different from regular container ?
| // If not set then the ephemeral container is run in whatever namespaces are shared | ||
| // for the pod. | ||
| // +optional | ||
| TargetContainerName string `json:"targetContainerName,omitempty" protobuf:"bytes,2,opt,name=targetContainerName"` |
There was a problem hiding this comment.
all containers of the pods are in same network namespace except possibly pid namespace. Was this field introduced for the pid namespace case only ?
| Much of the utility of Ephemeral Containers comes from the ability to run a | ||
| container within the PID namespace of another container. `TargetContainerName` | ||
| allows targeting a container that doesn't share its PID namespace with the rest | ||
| of the pod. We must modify the CRI to enable this functionality (see below). |
There was a problem hiding this comment.
So TargetContainerName is only useful for pid namespace case only . It would be good to clarify that it has no meaning when all containers are in same network and pid namespace as pod
…container Use v1.Container in Debug Containers API
This proposes an API for Debug Containers that's idiomatic for Kubernetes and uses the existing
Containerdefinition. This makes it easier for admission controllers to gate these updates.The previous Debug Containers proposal avoided changing the core API as much as possible.