Use Systemtap to Identify Pod Exceptions
Last updated:2024-12-13 14:48:39
This article describes how to use SystemTap to troubleshoot pod issues.
Preparations
Different operating systems have different methods for installing SystemTap and its dependencies. Pick one that suits you.
Ubuntu
1. Run the following command to install SystemTap:
apt install -y systemtap
2. Run the following command to check for dependencies:
stap-prep
The following is a sample result:
Please install linux-headers-4.4.0-104-genericYou need package linux-image-4.4.0-104-generic-dbgsym but it does not seem to be availableUbuntu -dbgsym packages are typically in a separate repositoryFollow https://wiki.ubuntu.com/DebuggingProgramCrash to add this repositoryapt install -y linux-headers-4.4.0-104-generic
3. The above result shows that you need to install dbgsym, which is not in the existing sources. Run the following command to add the third-party source:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C8CAB6595FDFF622codename=$(lsb_release -c | awk '{print $2}')sudo tee /etc/apt/sources.list.d/ddebs.list << EOFdeb http://ddebs.ubuntu.com/ ${codename} main restricted universe multiversedeb http://ddebs.ubuntu.com/ ${codename}-security main restricted universe multiversedeb http://ddebs.ubuntu.com/ ${codename}-updates main restricted universe multiversedeb http://ddebs.ubuntu.com/ ${codename}-proposed main restricted universe multiverseEOFsudo apt-get update
4. Run the following command after adding the source:
stap-prep
The following is a sample result:
Please install linux-headers-4.4.0-104-genericPlease install linux-image-4.4.0-104-generic-dbgsym
5. Run the following command to install the prompted packages:
apt install -y linux-image-4.4.0-104-generic-dbgsym
apt install -y linux-headers-4.4.0-104-generic
CentOS
1. Run the following command to install SystemTap:
yum install -y systemtap
2. For the purpose of this article, we assume that
debuginfo is not added. Add the following to /etc/yum.repos.d/CentOS-Debug.repo and save.[debuginfo]name=CentOS-$releasever - DebugInfobaseurl=http://debuginfo.centos.org/$releasever/$basearch/gpgcheck=0enabled=1protect=1priority=1
3. Run the following command to check for dependencies and install them:
Note:
The following command installs
kernel-debuginfo.stap-prep
4. Run the following command to check if the node has multiple versions of
kernel-devel installed:rpm -qa | grep kernel-devel
The returned result is as follows:
kernel-devel-3.10.0-327.el7.x86_64kernel-devel-3.10.0-514.26.2.el7.x86_64kernel-devel-3.10.0-862.9.1.el7.x86_64
If there are multiple versions, keep the one that corresponds to the kernel version. For example, if the current kernel version is
3.10.0-862.9.1.el7.x86_64, delete all version except kernel-devel-3.10.0-862.9.1.el7.x86_64.Note:
You can use
uname -r to view the kernel version. Make sure
kernel-debuginfo and kernel-devel are both installed and their versions correspond to the kernel version.rpm -e kernel-devel-3.10.0-327.el7.x86_64 kernel-devel-3.10.0-514.26.2.el7.x86_64
Problem Analysis
You can use SystemTap to monitor a process in order to troubleshoot pod issues. This is how it works:
1. SystemTap translates the script into C code and calls gcc to compile the code into the Linux kernel module. It then uses
modprobe to load the module into the kernel.2. It uses the script to create kernel hooks and identify the causes of pod issues using the signals captured by the hooks.
Troubleshooting
Step 1: obtain the pids of the containers that restarted automatically in the pod due to exceptions
1. Run the following command to obtain the Container ID:
kubectl describe pod <pod name>
The returned result is as follows:
......Container ID: docker://5fb8adf9ee62afc6d3f6f3d9590041818750b392dff015d7091eaaf99cf1c945......Last State: TerminatedReason: ErrorExit Code: 137Started: Thu, 05 Sep 2019 19:22:30 +0800Finished: Thu, 05 Sep 2019 19:33:44 +0800
2.
Run the following command to query the pid of the main container process using the obtained Container ID:
docker inspect -f "{{.State.Pid}}" 5fb8adf9ee62afc6d3f6f3d9590041818750b392dff015d7091eaaf99cf1c945
The returned result is as follows:
7942
Step 2: narrow the scope using the container exit code
Use the
Exit Code in the result of Step 1 to obtain the status code of the last container exit. For the purpose of this article, we will use 137 as an example. The analysis is as follows:If the process was killed by an external signal, the exit code should be between 129 and 255.
An exit code of 137 indicates that the process was killed by
SIGKILL. However, we still cannot determine the reason why the process exited.Step 3: use the SystemTap script to identify the reason
Assuming the issue is reproducible, you can use a SystemTap to troubleshoot the problem.
1. Create a file called
sg.stp. Add the following content and save.global target_pid = 7942probe signal.send{if (sig_pid == target_pid) {printf("%s(%d) send %s to %s(%d)\\n", execname(), pid(), sig_name, pid_name, sig_pid);printf("parent of sender: %s(%d)\\n", pexecname(), ppid())printf("task_ancestry:%s\\n", task_ancestry(pid2task(pid()), 1));}}
Note:
Substitute
pid with the value of the main container process pid obtained in Step 2. For the purpose of this article, we will use 7942 as an example:2. Run the following command to execute the script:
stap sg.stp
When the container process is killed, the script captures the event and outputs the following:
pkill(23549) send SIGKILL to server(7942)parent of sender: bash(23495)task_ancestry:swapper/0(0m0.000000000s)=>systemd(0m0.080000000s)=>vGhyM0(19491m2.579563677s)=>sh(33473m38.074571885s)=>bash(33473m38.077072025s)=>bash(33473m38.081028267s)=>bash(33475m4.817798337s)=>pkill(33475m5.202486630s)
Solution
By observing
task_ancestry, you can see the parent processes of the stopped process. In the example above, you can see a strange process called vGhyM0. This usually indicates that there is a trojan in the system. Take the necessary steps to clean it so your containers can function properly.Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No
Feedback