Running tcpdump inside a OpenShift 4 pod with SSH access to the nodes
Updated -
-
SSH to the node
-
Start a toolbox container with the
toolboxcommand. -
If you want to capture from a pod, you can follow these steps.
For OCP 4.8 and lower:# NAME=<pod-name> # NAMESPACE=<pod-namespace> # INTERFACE_NAME=<pod-interface-where-we-are-capturing> # e.g. "eth0" or "any" # pod_id=$(chroot /host crictl pods --namespace ${NAMESPACE} --name ${NAME} -q) # pid=$(chroot /host bash -c "runc state $pod_id | jq .pid") # nsenter -n -t $pid -- tcpdump -nn -i ${INTERFACE_NAME} -w /host/var/tmp/${HOSTNAME}_$(date +%d_%m_%Y-%H_%M_%S-%Z).pcapFor OCP 4.9 and higher, follow these steps instead
# NAME=<pod-name> # NAMESPACE=<pod-namespace> # INTERFACE_NAME=<pod-interface-where-we-are-capturing> # e.g. "eth0" or "any" # pod_id=$(chroot /host crictl pods --namespace ${NAMESPACE} --name ${NAME} -q) # ns_path="/host/$(chroot /host bash -c "crictl inspect $pod_id | jq '.info.runtimeSpec.linux.namespaces[]|select(.type==\"network\").path' -r")" # nsenter --net=${ns_path} -- tcpdump -nn -i ${INTERFACE_NAME} -w /host/var/tmp/${HOSTNAME}_$(date +%d_%m_%Y-%H_%M_%S-%Z).pcapAnd end the capture with
Control-Cwhen needed. -
List captured files
# ls /host/var/tmp/*.pcap -
scptcpdump capture from node (replace${PCAP_FILE}with pcap file name from previous step):$ scp core@node-host-name-or-ip:/var/tmp/${PCAP_FILE} ${PCAP_FILE}
Note: the support-tools container mounts the host file system at /host.
Comments