
Merge pull request #13455 from richardkchapman/ptrace-k8s

HPCC-23661 Make it easier to use gdb in k8s pods

Reviewed-by: Gavin Halliday <ghalliday@hpccsystems.com>
Gavin Halliday преди 5 години
родител
ревизия
03d812c21a

+ 13 - 0
dockerfiles/hpcc/templates/_helpers.tpl

@@ -169,3 +169,16 @@ initContainers:
 {{ include "hpcc.changeHostMountPerms" (dict "root" .root "volumeName" "datastorage-pv" "volumePath" "/var/lib/HPCCSystems/hpcc-data") }}
 {{- end }}
 {{- end }}
+
+{{- /* Add security context */ -}}
+{{- /* Pass in a dictionary with root and me defined */ -}}
+{{- define "hpcc.addSecurityContext" -}}
+{{- if .root.Values.global.privileged -}}
+securityContext:
+  privileged: true
+  capabilities:
+    add:
+    - SYS_PTRACE
+{{- end -}}
+{{- end -}}
+
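Review bot: `privileged: true` in the added securityContext grants far more than gdb needs, because a privileged container receives every capability plus access to host devices; it also makes the `capabilities.add: SYS_PTRACE` entry below it redundant. For attaching a debugger the capability alone is normally enough, so I would drop the `privileged: true` line and keep only the `capabilities` / `add` / `- SYS_PTRACE` part, after confirming on the target runtime that no seccomp profile blocks ptrace. The define's comment should also state that this is a debug-only switch, for example `{{- /* Debug only: lets gdb attach inside the pod; do not enable on a production cluster */ -}}`. The comment asks for `me`, but the helper never reads it.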

+ 1 - 0
dockerfiles/hpcc/templates/dali.yaml

@@ -18,6 +18,7 @@ spec:
         args: [
                 # {{ include "hpcc.configArg" . }} - dali does not support this yet
               ]
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" . "imagename" "dali") | indent 8 }}
         volumeMounts:
 {{ include "hpcc.addConfigVolumeMount" . | indent 8 }}
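Review bot: The added include does not depend on the component, so a single `global.privileged` value moves every container in the chart to the elevated context at once; the same line is added in eclagent.yaml, eclccserver.yaml, esp.yaml, localroxie.yaml, roxie.yaml and thor.yaml. Since each call already passes `me`, the helper could honour a per-component opt-in so that only the pod being debugged is elevated; the values key for that would be new and is not part of this commit. None of the changed files shown here adds a values.yaml default or description for `global.privileged`, so the flag appears to be undocumented for chart users. A commented `privileged: false` under `global` with a one-line warning would address that.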

+ 1 - 0
dockerfiles/hpcc/templates/eclagent.yaml

@@ -21,6 +21,7 @@ spec:
                 {{ include "hpcc.configArg" . }},
                 {{ include "hpcc.daliArg" $ }}
               ]
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" . "imagename" "eclagent") | indent 8 }}
 {{ include "hpcc.addVolumeMounts" . | indent 8 }}
       volumes:

+ 1 - 0
dockerfiles/hpcc/templates/eclccserver.yaml

@@ -23,6 +23,7 @@ spec:
                 {{ include "hpcc.configArg" . }},
                 {{ include "hpcc.daliArg" $ }}
               ]
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" . "imagename" "eclccserver") | indent 8 }}
 {{ include "hpcc.addVolumeMounts" . | indent 8 }}
       volumes:

+ 1 - 0
dockerfiles/hpcc/templates/esp.yaml

@@ -19,6 +19,7 @@ spec:
                 # {{ include "hpcc.configArg" . }},
                 # {{ include "hpcc.daliArg" $ }}
               ]
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" . "imagename" "esp") | indent 8 }}
 {{ include "hpcc.addVolumeMounts" . | indent 8 }}
       volumes:

+ 1 - 0
dockerfiles/hpcc/templates/localroxie.yaml

@@ -26,6 +26,7 @@ spec:
                 "--localSlave=true",
                 "--resolveLocally=false"
               ]
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" . "imagename" "roxie") | indent 8 }}
 {{ include "hpcc.addVolumeMounts" . | indent 8 }}
       volumes:

+ 3 - 0
dockerfiles/hpcc/templates/roxie.yaml

@@ -20,6 +20,7 @@ spec:
     spec:
       containers:
       - name: {{ $toponame | quote }}
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" $roxie "imagename" "toposerver") | indent 8 }}
         volumeMounts:
 {{ include "hpcc.addConfigVolumeMount" . | indent 8 }}
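Review bot: In all three roxie.yaml hunks the new call passes `"me" .`, while the addImageAttrs call directly below it passes `"me" $roxie`. This is harmless today because hpcc.addSecurityContext never reads `me`, but the call may pick up a different scope once the helper starts to use it. Writing `(dict "root" $ "me" $roxie)` would keep the two calls consistent. The enclosing container spec starts and ends outside the hunk, so what `.` refers to at each site cannot be confirmed from here.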
@@ -74,6 +75,7 @@ spec:
                 "--topologyServers={{ $toponame }}:{{ $roxie.topoport }}",
                 "--resolveLocally=false"
               ]
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" $roxie "imagename" "roxie") | indent 8 }}
 {{ include "hpcc.addVolumeMounts" . | indent 8 }}
       volumes:
@@ -111,6 +113,7 @@ spec:
                 "--numChannels={{ $numChannels }}",
                 "--topologyServers={{ $toponame }}:{{ $roxie.topoport }}",
               ]
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" $roxie "imagename" "roxie") | indent 8 }}
 {{ include "hpcc.addVolumeMounts" $roxie | indent 8 }}
       volumes:

+ 2 - 0
dockerfiles/hpcc/templates/thor.yaml

@@ -28,6 +28,7 @@ spec:
                 --masterport={{ $masterPort }},
                 --numSlaves={{ $thor.numSlaves }}
               ]
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" . "imagename" "thormaster") | indent 8 }}
 {{ include "hpcc.addVolumeMounts" . | indent 8 }}
       volumes:
@@ -57,6 +58,7 @@ spec:
                   --slaveport={{ $slavePort }},
                   --master={{ printf "%s:%v" $serviceName $masterPort }}
                 ]
+{{ include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 10 }}
 {{ include "hpcc.addImageAttrs" (dict "root" $ "me" . "imagename" "thorslave") | indent 10 }}
           ports:
             - containerPort: {{ $slavePort }}

+ 3 - 0
dockerfiles/platform-core-debug/Dockerfile

@@ -29,6 +29,9 @@ RUN mkdir /var/log/HPCCSystems && chown hpcc:hpcc /var/log/HPCCSystems
 RUN mkdir /var/lock/HPCCSystems && chown hpcc:hpcc /var/lock/HPCCSystems
 RUN mkdir /var/run/HPCCSystems && chown hpcc:hpcc /var/run/HPCCSystems
 
+RUN apt-get install -y libcap2-bin
+RUN setcap cap_sys_ptrace+eip /usr/bin/gdb
+
 USER hpcc
 
 ENV PATH="/opt/HPCCSystems/bin:${PATH}"
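Review bot: `setcap cap_sys_ptrace+eip /usr/bin/gdb` sets the effective bit, and as far as I know exec of such a binary fails with EPERM when the capability is missing from the container's bounding set. gdb would then probably not start at all in a debug-image pod installed without `global.privileged=true`, even for core files. A comment above the line should record that dependency, for example `# gdb needs CAP_SYS_PTRACE in the pod (helm --set global.privileged=true); without it gdb will not exec`. Separately, `RUN apt-get install -y libcap2-bin` depends on package lists left by an earlier layer that is outside this hunk; `RUN apt-get update && apt-get install -y libcap2-bin` in one layer avoids stale or missing index failures. The file capability lets any process running as `hpcc` attach to other processes in the container, so this should stay confined to the platform-core-debug image.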

+ 1 - 1
dockerfiles/startall.sh

@@ -21,7 +21,7 @@
 
 HEAD=$(git rev-parse --short HEAD)
 
-helm install mycluster hpcc/ --set global.image.version=$HEAD-Debug
+helm install mycluster hpcc/ --set global.image.version=$HEAD-Debug --set global.privileged=true
 sleep 1
 kubectl get pods