Running tcpdump inside an OpenShift 4 pod with SSH access to the nodes
- SSH to the node
- Start a toolbox container with the toolbox command.
- If you want to capture from a Pod, you can follow these steps.
  - For RHOCP 4.9+ do as follows:
    $ NAME="<pod-name>"
    $ NAMESPACE="<pod-namespace>"
    $ INTERFACE_NAME="<pod-interface-where-we-are-capturing>" # e.g. "eth0" or "any"
    $ pod_id="$(chroot /host crictl pods --namespace ${NAMESPACE} --name ${NAME} -q)"
    $ ns_path="/host/$(chroot /host bash -c "crictl inspectp $pod_id | jq '.info.runtimeSpec.linux.namespaces[]|select(.type==\"network\").path' -r")"
    $ nsenter --net="${ns_path}" -- tcpdump -nn -i "${INTERFACE_NAME}" -w "/host/var/tmp/${HOSTNAME}_$(date +%d_%m_%Y-%H_%M_%S-%Z).pcap"
  - For RHOCP 4.8 and lower:
    $ NAME="<pod-name>"
    $ NAMESPACE="<pod-namespace>"
    $ INTERFACE_NAME="<pod-interface-where-we-are-capturing>" # e.g. "eth0" or "any"
    $ pod_id="$(chroot /host crictl pods --namespace ${NAMESPACE} --name ${NAME} -q)"
    $ pid="$(chroot /host bash -c "runc state $pod_id | jq .pid")"
    $ nsenter -n -t "${pid}" -- tcpdump -nn -i "${INTERFACE_NAME}" -w "/host/var/tmp/${HOSTNAME}_$(date +%d_%m_%Y-%H_%M_%S-%Z).pcap"
- End the capture with Control-C when needed
- List captured files:
  $ ls -l /host/var/tmp/*.pcap
- Copy the tcpdump capture from the node (replace ${PCAP_FILE} with the pcap file name from the previous step):
  $ scp core@<nodename>:/var/tmp/${PCAP_FILE} ${PCAP_FILE}
Note: the support-tools container mounts the host file system at /host
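
The RHOCP 4.9+ capture steps above, wrapped so the capture cannot fill the node's /var/tmp or run unattended. This is an added example, not part of the original article; the limits (MAX_PACKETS, MAX_SECONDS, SNAPLEN) and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: bounded variant of the RHOCP 4.9+ capture steps.
# The limits and function names below are constructed for illustration.
MAX_PACKETS=100000   # tcpdump -c: stop after this many packets
MAX_SECONDS=300      # timeout(1): stop after this long regardless
SNAPLEN=128          # tcpdump -s: bytes kept per packet (headers, little payload)
OUT_DIR=/host/var/tmp

# Accept only the characters Kubernetes DNS-1123 names use (lowercase
# alphanumerics, '-' and '.'); anything else is rejected before crictl runs.
valid_k8s_name() {
  case "$1" in
    ''|*[!a-z0-9.-]*|[.-]*|*[.-]) return 1 ;;
  esac
  [ "${#1}" -le 253 ]
}

# Worst-case pcap size: 24-byte file header plus, per packet,
# a 16-byte record header and at most SNAPLEN captured bytes.
max_pcap_bytes() {
  echo $(( 24 + MAX_PACKETS * (16 + SNAPLEN) ))
}

# True when the directory has at least the worst-case size free.
has_room() {
  free_kb="$(df -Pk "$1" | awk 'NR==2 {print $4}')"
  [ $(( ${free_kb:-0} * 1024 )) -ge "$(max_pcap_bytes)" ]
}

capture_pod() {
  name="$1"; namespace="$2"; iface="${3:-eth0}"
  valid_k8s_name "$name" && valid_k8s_name "$namespace" ||
    { echo "invalid pod or namespace name" >&2; return 2; }
  has_room "$OUT_DIR" || { echo "not enough free space in $OUT_DIR" >&2; return 3; }
  pod_id="$(chroot /host crictl pods --namespace "$namespace" --name "$name" -q)"
  # --name can match several pods; go on only when exactly one ID came back.
  [ "$(printf '%s\n' "$pod_id" | grep -c .)" -eq 1 ] ||
    { echo "expected exactly one pod, got: $pod_id" >&2; return 4; }
  ns_path="/host/$(chroot /host bash -c "crictl inspectp $pod_id | jq -r '.info.runtimeSpec.linux.namespaces[]|select(.type==\"network\").path'")"
  out="$OUT_DIR/${HOSTNAME:-node}_$(date +%d_%m_%Y-%H_%M_%S-%Z).pcap"
  # Subshell keeps the umask local; the capture may hold credentials or
  # session tokens, so create it readable by its owner only.
  ( umask 077
    nsenter --net="$ns_path" -- timeout "$MAX_SECONDS" \
      tcpdump -nn -i "$iface" -s "$SNAPLEN" -c "$MAX_PACKETS" -w "$out" )
}
```

Source the file inside the toolbox container and run capture_pod <pod-name> <pod-namespace> [interface]; raise SNAPLEN only when payload bytes are needed for the investigation.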