proposal of coredump detector #1311
``` | ||
|
||
# coredump-controller | ||
Now CRD in kubernetes doesn't support quota, so we deploy a controller to work as |
The plan is to support this soon once we can have a shared cache with garbage collection.
So in your case, we would just quota: `count/coredumps.coredump`
Hi, I will update this according to the new feature.
Does quota for crd support resource.Quantity?
For example: we allow 2Gi coredump files in namespace A.
But not: we allow 200 coredump files in namespace A.
/cc @vishh for suggestions.
/assign @dchen1107
To determine whether a core file is generated for process in a k8s container, we | ||
override /proc/sys/kernel/core_pattern kernel parameter in kubelet node. | ||
``` | ||
|/coredump/coredump-detector -P=%P -p=%p -e=%e -t=%t -c=/coredump/config --log_dir=/coredump/ |
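Review bot: in the core_pattern line, `-e=%e` is filled from the crashing process's own name, which the workload inside the container controls, while the handler it is passed to runs on the host. The proposal should state that coredump-detector treats the `-e` value as untrusted input and never uses it unsanitised in a file path or log line under `/coredump/`. It should also say what `-P=%P` and `-p=%p` each carry (PID in the initial PID namespace versus PID inside the container's namespace) and which one is used for the container lookup. Because core_pattern is a node-wide setting, a sentence on how dumps from host processes that are not in any pod are handled would help too.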
Which mount namespace would this `/coredump` path belong to? In particular, are you assuming that this is going to be in the pod-app mount namespace, in the kubelet mount namespace or in the kernel-init/host one?
The kernel does not support namespaces for coredump.
So this would be the kernel-init/host namespace.
@luxas Do you have some suggestions about this?
When coredump happens, linux kernel will call coredump-detector and give core | ||
dump file as standard input to coredump-detector. | ||
coredump-detector will: | ||
* access the docker api and distinguish where(which container) the core dump comes from |
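Review bot: the first bullet makes the handler depend on a live runtime API call while the kernel is streaming the dump to its standard input, and it does not say what happens when that call fails or no container matches. Suggest specifying a timeout for the lookup, a defined fallback (for example discard, or store under a node-level location), and an upper bound on the bytes read from standard input so that one large dump cannot fill the host path before any quota is applied.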
s/docker/runtime
Good suggestion.
Now kubelet is supporting container runtimes, so I need to update this and support different container runtimes too.
93a9b85 to b003587
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: CaoShuFeng Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
@fejta-bot: Closed this PR. In response to this:
This is a proposal which implements coredump isolation in a Kubernetes cluster.
It will work as an add-on which could be deployed in a Kubernetes cluster.
A demonstration of this design has been implemented and put here
With this add-on deployed into Kubernetes, when a coredump happens in pods, users may get coredump info with the `kubectl` command:

and check the quota:

Partial-fix: kubernetes/kubernetes#48787