Comments (8)
Hi @mudged,
Thank you for using ksniff!
You are right, at the moment the privileged mode only works with a k8s running with a docker runtime.
We do plan to support other container runtimes, see #36
I'm evaluating the new support for debug containers which might resolve this issue once and for all.
As a possible workaround, you can try the non-privileged mode if it's possible in your situation.
from ksniff.
Hi @eldadru,
Thanks for your response. Unfortunately in my scenario I cannot run in non-privileged mode as the target containers run with a restricted user.
from ksniff.
👍
from ksniff.
Hi @eldadru,
> I'm evaluating the new support for debug containers which might resolve this issue once and for all.
Do you have an idea of when support for debug containers will be added to ksniff? In other words, will you be waiting for the feature to leave alpha and beta first?
I'm trying to gauge if I should submit a PR for this issue (and #36) or write up a separate solution in the meantime.
Thanks for all the hard work on ksniff so far!
from ksniff.
With the additions of 1f01100 there is logic to detect the container runtime based on the `containerRuntimeVersion` field of the Node resource. I'm finding that microk8s and k3s both have `containerRuntimeVersion: containerd://1.3...`. However, microk8s and k3s both use different tools to communicate with the container runtime (microk8s uses `microk8s.ctr` and k3s uses `crictl`). I'm checking now if there's a tool in common or if there just needs to be a separate set of code for microk8s environments and we need to check more than `containerRuntimeVersion` to identify the tooling to use later.
from ksniff.
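The point raised in the comment above, as an added example (not ksniff's own code and not part of the original thread): the runtime scheme parsed from `containerRuntimeVersion` is the same on both distributions, so a second signal is needed to choose the CLI. The candidate ordering, the function names and the `onNode` set of binaries found on the node are assumptions of this sketch, and the version string is a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

// toolCandidates maps a runtime scheme to the CLI names mentioned in this
// thread. The ordering is an assumption of this example.
var toolCandidates = map[string][]string{
	"docker":     {"docker"},
	"containerd": {"ctr", "microk8s.ctr", "crictl"},
}

// parseRuntime splits a Node's status.nodeInfo.containerRuntimeVersion,
// e.g. "containerd://1.3.3", into runtime name and version.
func parseRuntime(v string) (name, version string, err error) {
	parts := strings.SplitN(v, "://", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("unexpected containerRuntimeVersion %q", v)
	}
	return parts[0], parts[1], nil
}

// pickTool returns the first candidate CLI for the runtime that is in onNode.
func pickTool(runtimeVersion string, onNode map[string]bool) (string, error) {
	name, _, err := parseRuntime(runtimeVersion)
	if err != nil {
		return "", err
	}
	candidates, ok := toolCandidates[name]
	if !ok {
		return "", fmt.Errorf("unsupported runtime %q", name)
	}
	for _, c := range candidates {
		if onNode[c] {
			return c, nil
		}
	}
	return "", fmt.Errorf("runtime %q: none of %v found on node", name, candidates)
}

func main() {
	// Constructed sample: two nodes report the same runtime string.
	for _, bins := range []map[string]bool{{"microk8s.ctr": true}, {"crictl": true}} {
		tool, err := pickTool("containerd://1.3.3", bins)
		fmt.Println(tool, err)
	}
}
```

How the set of binaries present on the node is gathered is left outside the example.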
To be clear, it would be good to support both microk8s and k3s through changes for this issue.
from ksniff.
Hi,
I'd like to use ksniff on containerd in privileged mode. Unfortunately, the non-privileged mode is not possible in my situation.
Do you plan to implement this feature soon? Is there any workaround to use ksniff on containerd when the target container runs with a restricted user?
Thanks,
Carmine
from ksniff.
To get it working on MicroK8s in privileged mode I needed to create a wrapper script on the MicroK8s host as `/usr/bin/ctr` and specify the socket path.

Wrapper script `/usr/bin/ctr`:

```bash
#!/bin/bash
# Drop a leading "-a <value>" argument pair, then pass the rest to microk8s.ctr
if [ "$1" == "-a" ]; then shift 2; fi
exec /snap/bin/microk8s.ctr "$@"
```

Example command:

```
kubectl sniff POD -p --socket /var/snap/microk8s/common/run/containerd.sock
```
from ksniff.