3 Using Debug Tool

The Debug Tool provides third-party troubleshooting tools for debugging the runtime issues for the lab and production environment. The following tools are available for OCNWDAF debugging:

• tcpdump
• ip
• netstat
• curl
• ping
• nmap
• dig

Preconfiguration Steps

This section explains the preconfiguration steps for using the debug tool:

1. Configuration in CNE

   The following configurations must be performed in the Bastion Host.

   PodSecurityPolicy (PSP) Creation

   1. Log in to the Bastion Host.
   2. Create a new PSP by running the following command from the bastion host. The parameters readOnlyRootFileSystem, allowPrivilegeEscalation, allowedCapabilities are required by debug container.

   Note:

   Other parameters are mandatory for PSP creation and can be customized as per the CNE environment. Default values are recommended.

   $ kubectl apply -f - <<EOF
   
   apiVersion: policy/v1beta1
   kind: PodSecurityPolicy
   metadata:
     name: debug-tool-psp
   spec:
     readOnlyRootFilesystem: false
     allowPrivilegeEscalation: true
     allowedCapabilities:
     - NET_ADMIN
     - NET_RAW
     fsGroup:
       ranges:
       - max: 65535
         min: 1
       rule: MustRunAs
     runAsUser:
       rule: MustRunAsNonRoot
     seLinux:
       rule: RunAsAny
     supplementalGroups:
       rule: RunAsAny
     volumes:
     - configMap
     - downwardAPI
     - emptyDir
     - persistentVolumeClaim
     - projected
     - secret
   EOF

   Role Creation

   Run the following command to create a role for the PSP:

   kubectl apply -f - <<EOF
   apiVersion: rbac.authorization.k8s.io/v1
   kind: Role
   metadata:
     name: debug-tool-role
     namespace: cncc
   rules:
   - apiGroups:
     - policy
     resources:
     - podsecuritypolicies
     verbs:
     - use
     resourceNames:
     - debug-tool-psp
   EOF

   RoleBinding Creation

   Run the following command to attach the service account for your NF namespace with the role created for the tool PSP:

   $ kubectl apply -f - <<EOF
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: debug-tool-rolebinding
     namespace: ocnef
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: debug-tool-role
   subjects:
   - kind: Group
     apiGroup: rbac.authorization.k8s.io
     name: system:serviceaccounts
   EOF

2. Configuration in NF specific Helm

   Following updates must be performed in custom_values.yaml file.

   1. Log in to the NF server.
   2. Open the custom_values file:

      $ vim <custom_values file>

   3. Under global configuration, add the following:

      # Allowed Values: DISABLED, ENABLED
      extraContainers: DISABLED
      extraContainersTpl: |
          - command:
              - /bin/sleep
              - infinity
            image: <image-name>:<image-tag>
            imagePullPolicy: Always
            name: tools
            resources:
              requests:
                ephemeral-storage: "2Gi"
                cpu: "0.5"
                memory: "1Gi"
              limits:
                ephemeral-storage: "4Gi"
                cpu: "1"
                memory: "2Gi"
            securityContext:
              allowPrivilegeEscalation: true
              capabilities:
                drop:
                - ALL
                add:
                - NET_RAW
                - NET_ADMIN
              readOnlyRootFilesystem: false
              runAsUser: <user>

      Note:

      • Debug Tool Container comes up with the default user ID - 7000. If the operator wants to override this default value, it can be done using the `runAsUser` field, otherwise, the field can be skipped.

        Default value: uid=7000(debugtool) gid=7000(debugtool) groups=7000(debugtool)

      • In case you want to customize the container name, replace the `name` field in the above values.yaml with the following:

        name: {{ printf "%s-tools-%s" (include "getprefix" .) (include "getsuffix" .) | trunc 63 | trimPrefix "-" | trimSuffix "-"  }}

        This will ensure that the container name is prefixed and suffixed with the necessary values.
   4. Under service specific configurations for which debugging is required, add the following:

      # Allowed Values: DISABLED, ENABLED, USE_GLOBAL_VALUE
      extraContainers: USE_GLOBAL_VALUE

      Note:

      • • At the global level, extraContainers flag can be used to enable/disable injecting extra containers globally. This ensures that all the services that use this global value have extra containers enabled/disabled using a single flag.
        • At the service level, extraContainers flag determines whether to use the extra container configuration from the global level or enable/disable injecting extra containers for the specific service.

Run the Debug Tool

Following is the procedure to run Debug Tool.

Run the following command to enter Debug Tool Container:

1. Run the following command to retrieve the POD details:

   $ kubectl get pods -n <k8s namespace>
   

2. Run the following command to enter Debug Tool Container:

   $ kubectl exec -it <pod name> -c <debug_container name> -n <namespace> –- bash

3. Run the debug tools:

   bash -4.2$ <debug_tools>

4. Copy the output files from container to host:

   $ kubectl cp -c <debug_container name> <pod name>:<file location in container> -n <namespace> <destination location>

3.1 Debug Tool Configuration Parameters

Following are the parameters used to configure debug tool.

OCCNE Parameters

Table 3-1 OCCNE Parameters

Parameter	Description
apiVersion	APIVersion defines the version schema of this representation of an object.
kind	Kind is a string value representing the REST resource this object represents.
metadata	Standard object's metadata.
metadata.name	Name must be unique within a namespace.
spec	spec defines the policy enforced.
spec.readOnlyRootFilesystem	Controls whether the containers run with a read-only root filesystem (that is, no writable layer).
spec.allowPrivilegeEscalation	Gates whether or not a user is allowed to set the security context of a container to allowPrivilegeEscalation=true.
spec.allowedCapabilities	Provides a list of capabilities that are allowed to be added to a container.
spec.fsGroup	Controls the supplemental group applied to some volumes. RunAsAny allows any fsGroup ID to be specified.
spec.runAsUser	Controls which user ID the containers are run with. RunAsAny allows any runAsUser to be specified.
spec.seLinux	RunAsAny allows any seLinuxOptions to be specified.
spec.supplementalGroups	Controls which group IDs containers add. RunAsAny allows any supplementalGroups to be specified.
spec.volumes	Provides a list of allowed volume types. The allowable values correspond to the volume sources that are defined when creating a volume.

Role Creation Parameters

Table 3-2 Role Creation

Parameter	Description
apiVersion	APIVersion defines the versioned schema of this representation of an object.
kind	Kind is a string value representing the REST resource this object represents.
metadata	Standard object's metadata.
metadata.name	Name must be unique within a namespace.
metadata.namespace	Namespace defines the space within which each name must be unique.
rules	Rules holds all the PolicyRules for this Role
apiGroups	APIGroups is the name of the APIGroup that contains the resources.
rules.resources	Resources is a list of resources this rule applies to.
rules.verbs	Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.
rules.resourceNames	ResourceNames is an optional allowed list of names that the rule applies to.

Role Binding Creation

Table 3-3 Role Binding Creation

Parameter	Description
apiVersion	APIVersion defines the versioned schema of this representation of an object.
kind	Kind is a string value representing the REST resource this object represents.
metadata	Standard object's metadata.
metadata.name	Name must be unique within a namespace.
metadata.namespace	Namespace defines the space within which each name must be unique.
roleRef	RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
roleRef.apiGroup	APIGroup is the group for the resource being referenced
roleRef.kind	Kind is the type of resource being referenced
roleRef.name	Name is the name of resource being referenced
subjects	Subjects holds references to the objects the role applies to.
subjects.kind	Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
subjects.apiGroup	APIGroup holds the API group of the referenced subject.
subjects.name	Name of the object being referenced.

Debug Tool Configuration Parameters

Table 3-4 Debug Tool Configuration Parameters

Parameter	Description
command	String array used for container command.
image	Docker image name
imagePullPolicy	Image Pull Policy
name	Name of the container
resources	Compute Resources required by this container
resources.limits	Limits describes the maximum amount of compute resources allowed
resources.requests	Requests describes the minimum amount of compute resources required
resources.limits.cpu	CPU limits
resources.limits.memory	Memory limits
resources.limits.ephemeral-storage	Ephemeral Storage limits
resources.requests.cpu	CPU requests
resources.requests.memory	Memory requests
resources.requests.ephemeral-storage	Ephemeral Storage requests
securityContext	Security options the container should run with.
securityContext.allowPrivilegeEscalation	AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This directly controls if the no_new_privs flag will be set on the container process
securityContext.readOnlyRootFilesystem	Whether this container has a read-only root filesystem. Default is false.
securityContext.capabilities	The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.
securityContext.capabilities.drop	Removed capabilities
securityContext.capabilities.add	Added capabilities
securityContext.runAsUser	The UID to run the entrypoint of the container process.