Kubernetes
How to check the logs with Kubectl
- In case the md-icapsrv pod does not initialize we need to check the pod logs to see why is failing
- The worker node running the md-icapsrv pod doesn’t have enough resources allocated for the pod. (Pending state)
- Provide the License Key in file values.yml if not provided the health check will fail as the container cannot be activated
- Need to set value ACCEPT_EULA is true if the application can not start with reason accept EULA.
- If you have enabled TLS to need to uncomment
scheme: HTTPSin health check. The key of the secret need to mapping with the field .certSecretSubPath and .certKeySecretSubPath
kubectl logs <pod_name> -n <namespace>Start a Bash session
- Find the MetaDefenteder ICAP Server pod with the command
kubectl get pods -A
→ pod name: md-icapsrv-77c4654f4b-bkclc
→ namespace: default
- Start a Bash session
command:kubectl exec -n <namespace> -it -c <container name> <pod name> bashE.g:kubectl exec -n default -it -c md-icapsrv md-icapsrv-77c4654f4b-bkclc bashDefault container name when you use MetaDefender ICAP Server’s Helm chart is md-icapsrv
Collect support packages
There are two different support packages that can be generated.
- Support package from local machine
- Support package with script within the pod
Support package from local machine
This is the easiest way to have a first idea of what could be happening in the environment. It will collect
- Logs from running pods
- Logs from previous pods
- Configmap
To run this script from your local machine please see metadefender-k8s/troubleshooting at main · OPSWAT/metadefender-k8s
./sp.sh <NAMESPACE>Support package with script within the pod
After accessing to the bash of the container. To create a package you must start the script found under
${INSTALL_ROOT}/usr/bin/mdicapsrv-collect-support-data.shAs the script processes the necessary information, the script generates the support package output.
The package file is a tar.gz archive with the following name:
mdicapsrv--support-<TIMESTAMP>.tar.gzWhere the timestamp was the date when the package was generated.
Example:
mdicapsrv--support-1660647413.tar.gzThe generated package will be placed in the same location as the script that was called.
If you run container with read-only file system mode or non-root user make sure you have write permission to the working directory when you execute collect support packages script
Copy the support package from the container to outside
Use kubectl cp Kubectl Reference Docs (kubernetes.io)
# Copy /tmp/foo from a remote pod to /tmp/bar locallykubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/barExample:
kubectl cp default/md-icapsrv-77c4654f4b-bkclc:/mdicapsrv--support-1660648209.tar.gz /home/icap/mdicapsrv--support-1660648209.tar.gzDocker
Collect logs
You can collect the logs of the container running
docker logs <container_name>Collect support package
Start a Bash session
- Find the CONTAINER ID by command
docker container ls -aE.g: the container ID = d1769cb64afe
- Start a Bash session with the command docker exec -it <container id> bash
docker exec -it d1769cb64afe bashSupport package with script within the pod
To create a package you must start the script found under
${INSTALL_ROOT}/usr/bin/mdicapsrv-collect-support-data.shAs the script processes the necessary information, the script generates the support package output.
The package file is a tar.gz archive with the following name:
mdicapsrv--support-<TIMESTAMP>.tar.gzWhere the timestamp was the date when the package was generated.
Example:
mdicapsrv--support-1660647413.tar.gzThe generated package will be placed in the same location as the script that was called.
If you run container with read-only file system mode or non-root user make sure you have write permission to the working directory when you execute collect support packages script
Copy the support package from the container to outside
Docker
Use docker cp | Docker Documentation docker cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-
Example:
docker cp d1769cb64afe:/mdicapsrv--support-1660647413.tar.gz /home/icap
