I. Introduction to netshoot
netshoot is an open-source container toolbox ( https:///nicolaka/netshoot ), a Docker + Kubernetes network troubleshooting tool.

YAML manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: netshoot
  name: netshoot
spec:
  replicas: 1
  selector:
    matchLabels:
      app: netshoot
  template:
    metadata:
      labels:
        app: netshoot
    spec:
      containers:
      - image: /nicolaka/netshoot
        name: netshoot
        args:
        - /bin/bash
        - -c
        - >
          while :; do
            echo "[$(date +%F\ %T)] hello"
            sleep 1
          done
or, with a namespace, extra labels and resource limits set:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: netshoot
  namespace: gxhyfw
  labels:
    app: netshoot
    env: prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: netshoot
      env: prod
  template:
    metadata:
      labels:
        app: netshoot
        env: prod
    spec:
      containers:
      - name: netshoot
        image: /nicolaka/netshoot
        resources:
          limits:
            cpu: "1"
            memory: "512Mi"
          requests:
            cpu: "0.5"
            memory: "256Mi"
        args:
        - /bin/bash
        - -c
        - >
          while :; do
            echo "[$(date +%F\ %T)] hello"
            sleep 1
          done

The netshoot image /nicolaka/netshoot includes the following network tools:
apache2-utils
bash
bind-tools
bird
bridge-utils
busybox-extras
conntrack-tools
curl
dhcping
drill
ethtool
file
fping
grpcurl
iftop
iperf
iperf3
iproute2
ipset
iptables
iptraf-ng
iputils
ipvsadm
jq
libc6-compat
liboping
ltrace
mtr
net-snmp-tools
netcat-openbsd
nftables
ngrep
nmap
nmap-nping
nmap-scripts
openssl
py3-pip
py3-setuptools
scapy
socat
speedtest-cli
openssh
strace
tcpdump
tcptraceroute
tshark
util-linux
vim
git
zsh
websocat
swaks
perl-crypt-ssleay
perl-net-ssleay

II. Using netshoot
We use nginx to simulate capturing the traffic on port 80 of a pod with tcpdump.

Prepare an nginx service whose business port is 80, then use the kubectl debug command. When you run kubectl debug, kubectl first talks to the cluster's kube-apiserver to agree on which pod to debug, and locates the business pod (nginx) in the target namespace. We want to attach something like a parasite to that pod for troubleshooting, but without affecting the original business pod. So kubectl debug makes a copy of the business pod and injects a debug container into the copy: the new pod has two containers, we connect to the debug container, and from there we capture packets for the business container. The whole interaction is shown below.

kubectl 1.20 and later ship a complete kubectl debug command.

First create an nginx service pod (via a Deployment):
[root@master1 dep]# kubectl get pods -n nginx
NAME                         READY   STATUS    RESTARTS   AGE
nginx-dep-744644d89f-wkbvp   1/1     Running   0          17s
[root@master1 dep]# kubectl get svc -n nginx
NAME        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
nginx-svc   ClusterIP   10.111.122.161   <none>        80/TCP    24s

Start debugging:
1. Create a copy of the nginx pod as a new pod (nginx-debug), add a debug container (nicolaka/netshoot) to it and attach to it:
[root@master1 dep]# kubectl debug -n nginx nginx-dep-744644d89f-wkbvp -it --image=/nicolaka/netshoot --copy-to=nginx-debug
Defaulting debug container name to debugger-862tr.
# nginx-dep-744644d89f-wkbvp is the business (service) pod
# --image=/nicolaka/netshoot is the image of the debug container
Inside the debug container:
nginx-debug ss -tnl | grep 80
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
# port 80 is listening, as expected
nginx-debug ~ curl 127.0.0.1
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
# The request succeeds as well. From outside the pod you can see:
[root@node6 ~]# kubectl get pods -n nginx
NAME                         READY   STATUS    RESTARTS   AGE
nginx-debug                  2/2     Running   0          17m
nginx-dep-744644d89f-wkbvp   1/1     Running   0          21m
# The new pod has two containers: the business container and the debug container. This lets us capture packets or do other troubleshooting against the business container without affecting the business traffic.
# Now look at its labels:
[root@node6 ~]# kubectl get pods -n nginx --show-labels
NAME                         READY   STATUS    RESTARTS   AGE   LABELS
nginx-debug                  2/2     Running   0          19m   <none>
nginx-dep-744644d89f-wkbvp   1/1     Running   0          23m   app=nginx,pod-template-hash=744644d89f
# The debug pod is an orphan pod: it has no labels and is not associated with the Deployment, so the Service routes no traffic to it.
# To route traffic to it, give it the label:
# kubectl -n nginx label pods nginx-debug app=nginx
# add the label
5. Capture packets with tcpdump inside the debug pod
# tcpdump -nv -i eth0 port 80
6. Remove the label and delete the debug pod (first check that the debug pod has disappeared from the endpoints and watch the business logs; delete only once everything looks fine)
# kubectl -n nginx label pods nginx-debug app-   # remove the label
# kubectl -n nginx describe endpoints nginx-svc
# kubectl -n nginx delete pods nginx-debug
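The check in step 6 (confirm the debug pod has dropped out of the Service endpoints and no longer carries the selector label before deleting it) can be scripted so it is not skipped under time pressure. The script below is an added example, not code from the original post or from the netshoot project. The kubectl output it parses is constructed to match the pod and Service names used above (`nginx-debug`, `nginx-dep-744644d89f-wkbvp`, `nginx-svc` in namespace `nginx`); the pod IPs are made up.

```python
"""Pre-delete safety check for a kubectl debug copy pod (added example,
not code from the netshoot project).

Step 6 says: remove the label, confirm the endpoints no longer list the
debug pod, then delete it. This turns that confirmation into a check.
Inputs are constructed samples shaped like the output of
`kubectl get pods -n nginx --show-labels` and
`kubectl get endpoints nginx-svc -n nginx -o json`; pod IPs are made up.
"""
import json

# Constructed sample: pod listing right after the debug pod was labelled app=nginx
PODS_BEFORE_CLEANUP = """\
NAME                         READY   STATUS    RESTARTS   AGE   LABELS
nginx-debug                  2/2     Running   0          19m   app=nginx
nginx-dep-744644d89f-wkbvp   1/1     Running   0          23m   app=nginx,pod-template-hash=744644d89f
"""

# Constructed sample: the same listing after `kubectl -n nginx label pods nginx-debug app-`
PODS_AFTER_CLEANUP = PODS_BEFORE_CLEANUP.replace("19m   app=nginx\n", "19m   <none>\n")


def _endpoints(pod_names):
    """Build a v1 Endpoints object (constructed) listing the given pods as backends."""
    fake_ips = {"nginx-dep-744644d89f-wkbvp": "10.244.1.5", "nginx-debug": "10.244.1.9"}
    return json.dumps({
        "kind": "Endpoints", "apiVersion": "v1",
        "metadata": {"name": "nginx-svc", "namespace": "nginx"},
        "subsets": [{
            "addresses": [{"ip": fake_ips[n], "targetRef": {"kind": "Pod", "name": n}}
                          for n in pod_names],
            "ports": [{"port": 80, "protocol": "TCP"}],
        }],
    })


# Endpoints while the debug pod still matches the Service selector, and after the label is removed
ENDPOINTS_BEFORE_CLEANUP = _endpoints(["nginx-dep-744644d89f-wkbvp", "nginx-debug"])
ENDPOINTS_AFTER_CLEANUP = _endpoints(["nginx-dep-744644d89f-wkbvp"])


def parse_pod_labels(show_labels_output):
    """Map pod name -> {label: value} from `kubectl get pods --show-labels` text."""
    result = {}
    for line in show_labels_output.strip().splitlines()[1:]:  # skip the header row
        cols = line.split()
        name, raw_labels = cols[0], cols[-1]  # LABELS is always the last column
        labels = {}
        if raw_labels != "<none>":
            for kv in raw_labels.split(","):
                key, _, value = kv.partition("=")
                labels[key] = value
        result[name] = labels
    return result


def pods_in_endpoints(endpoints_json):
    """Names of pods (via targetRef) currently listed as Service backends."""
    obj = json.loads(endpoints_json)
    names = set()
    for subset in obj.get("subsets") or []:
        for addr in subset.get("addresses") or []:
            ref = addr.get("targetRef") or {}
            if ref.get("kind") == "Pod" and ref.get("name"):
                names.add(ref["name"])
    return names


def delete_blockers(debug_pod, selector_label, show_labels_output, endpoints_json):
    """Return the reasons the debug pod must not be deleted yet; [] means go ahead."""
    reasons = []
    labels = parse_pod_labels(show_labels_output).get(debug_pod)
    if labels is None:
        reasons.append(f"{debug_pod} not found in pod list")
    elif selector_label in labels:
        reasons.append(f"{debug_pod} still carries {selector_label}={labels[selector_label]}")
    if debug_pod in pods_in_endpoints(endpoints_json):
        reasons.append(f"{debug_pod} still listed in Service endpoints, traffic may still reach it")
    return reasons


if __name__ == "__main__":
    for state, pods, eps in (("before cleanup", PODS_BEFORE_CLEANUP, ENDPOINTS_BEFORE_CLEANUP),
                             ("after cleanup", PODS_AFTER_CLEANUP, ENDPOINTS_AFTER_CLEANUP)):
        blockers = delete_blockers("nginx-debug", "app", pods, eps)
        print(state + ":", "safe to delete" if not blockers else "; ".join(blockers))
```

In a real session, pass the output of `kubectl get pods -n nginx --show-labels` and `kubectl get endpoints nginx-svc -n nginx -o json` to `delete_blockers` instead of the constructed samples; an empty list means the pod is out of rotation and can be deleted. The endpoints controller removes the pod shortly after the label is dropped, so a non-empty result right after `label ... app-` usually just means "wait and re-check", which is exactly the pause step 6 asks for.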