Merge pull request #1344 from liubin/fix/1329-improvements-for-console-access

runtime: connect guest debug console bypass kata-monitor
2025-08-30 05:20:41 +00:00 · 2021-02-18 17:59:32 -08:00 · 2021-02-18 17:59:32 -08:00 · 4f67bf919d
commit 4f67bf919d
parent a060b9a21b 10f1c30f3d
3 changed files with 33 additions and 29 deletions
--- a/docs/Developer-Guide.md
+++ b/docs/Developer-Guide.md
@ -37,7 +37,6 @@
    * [Set up a debug console](#set-up-a-debug-console)
      * [Simple debug console setup](#simple-debug-console-setup)
          * [Enable agent debug console](#enable-agent-debug-console)
          * [Start `kata-monitor`](#start-kata-monitor)
          * [Connect to debug console](#connect-to-debug-console)
      * [Traditional debug console setup](#traditional-debug-console-setup)
          * [Create a custom image containing a shell](#create-a-custom-image-containing-a-shell)
@ -477,17 +476,6 @@ debug_console_enabled = true
 This will pass `agent.debug_console agent.debug_console_vport=1026` to agent as kernel parameters, and sandboxes created using this parameters will start a shell in guest if new connection is accept from VSOCK.
 #### Start `kata-monitor`
 The `kata-runtime exec` command needs `kata-monitor` to get the sandbox's `vsock` address to connect to, first start `kata-monitor`.
 ```
 $ sudo kata-monitor
 ```
 `kata-monitor` will serve at `localhost:8090` by default.
 #### Connect to debug console
 Command `kata-runtime exec` is used to connect to the debug console.
@ -502,6 +490,10 @@ bash-4.2# exit
 exit
 ```
 `kata-runtime exec` has a command-line option `runtime-namespace`, which is used to specify under which [runtime namespace](https://github.com/containerd/containerd/blob/master/docs/namespaces.md) the particular pod was created. By default, it is set to `k8s.io` and works for containerd when configured
 with Kubernetes. For CRI-O, the namespace should set to `default` explicitly. This should not be confused with [Kubernetes namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/).
 For other CRI-runtimes and configurations, you may need to set the namespace utilizing the `runtime-namespace` option.
 If you want to access guest OS through a traditional way, see [Traditional debug console setup)](#traditional-debug-console-setup).
 ### Traditional debug console setup
--- a/src/runtime/cli/kata-exec.go
+++ b/src/runtime/cli/kata-exec.go
@ -1,4 +1,5 @@
 // Copyright (c) 2017-2019 Intel Corporation
 // Copyright (c) 2020 Ant Group
 //
 // SPDX-License-Identifier: Apache-2.0
 //
@ -13,12 +14,14 @@ import (
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
 	"github.com/containerd/console"
 	kataMonitor "github.com/kata-containers/kata-containers/src/runtime/pkg/kata-monitor"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	clientUtils "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols/client"
 	"github.com/pkg/errors"
@ -35,10 +38,10 @@ const (
 	subCommandName = "exec"
 	// command-line parameters name
-	paramKataMonitorAddr                     = "kata-monitor-addr"
+	paramRuntimeNamespace                    = "runtime-namespace"
 	paramDebugConsolePort                    = "kata-debug-port"
 	defaultKernelParamDebugConsoleVPortValue = 1026
-	defaultParamKataMonitorAddr              = "http://localhost:8090"
+	defaultRuntimeNamespace                  = "k8s.io"
 )
 var (
@ -55,12 +58,12 @@ var kataExecCLICommand = cli.Command{
 	Usage: "Enter into guest by debug console",
 	Flags: []cli.Flag{
 		cli.StringFlag{
-			Name:  paramKataMonitorAddr,
+			Name:  paramRuntimeNamespace,
-			Usage: "Kata monitor listen address.",
+			Usage: "Namespace that containerd or CRI-O are using for containers. (Default: k8s.io, only works for containerd)",
 		},
 		cli.Uint64Flag{
 			Name:  paramDebugConsolePort,
-			Usage: "Port that debug console is listening on.",
+			Usage: "Port that debug console is listening on. (Default: 1026)",
 		},
 	},
 	Action: func(context *cli.Context) error {
@ -71,11 +74,11 @@ var kataExecCLICommand = cli.Command{
 		span, _ := katautils.Trace(ctx, subCommandName)
 		defer span.End()
-		endPoint := context.String(paramKataMonitorAddr)
+		namespace := context.String(paramRuntimeNamespace)
-		if endPoint == "" {
+		if namespace == "" {
-			endPoint = defaultParamKataMonitorAddr
+			namespace = defaultRuntimeNamespace
 		}
-		span.SetAttributes(label.Key("endPoint").String(endPoint))
+		span.SetAttributes(label.Key("namespace").String(namespace))
 		port := context.Uint64(paramDebugConsolePort)
 		if port == 0 {
@ -89,7 +92,7 @@ var kataExecCLICommand = cli.Command{
 		}
 		span.SetAttributes(label.Key("sandbox").String(sandboxID))
-		conn, err := getConn(endPoint, sandboxID, port)
+		conn, err := getConn(namespace, sandboxID, port)
 		if err != nil {
 			return err
 		}
@ -172,15 +175,20 @@ func (s *iostream) Read(data []byte) (n int, err error) {
 	return s.conn.Read(data)
 }
-func getConn(endPoint, sandboxID string, port uint64) (net.Conn, error) {
+func getConn(namespace, sandboxID string, port uint64) (net.Conn, error) {
-	shimURL := fmt.Sprintf("%s/agent-url?sandbox=%s", endPoint, sandboxID)
+	socketAddr := filepath.Join(string(filepath.Separator), "containerd-shim", namespace, sandboxID, "shim-monitor.sock")
-	resp, err := http.Get(shimURL)
+	client, err := kataMonitor.BuildUnixSocketClient(socketAddr, defaultTimeout)
 	if err != nil {
 		return nil, err
 	}
 	resp, err := client.Get("http://shim/agent-url")
 	if err != nil {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("Failed to get %s: %d", shimURL, resp.StatusCode)
+		return nil, fmt.Errorf("Failed to get %s: %d", socketAddr, resp.StatusCode)
 	}
 	defer resp.Body.Close()
--- a/src/runtime/pkg/kata-monitor/shim_client.go
+++ b/src/runtime/pkg/kata-monitor/shim_client.go
@ -1,4 +1,4 @@
-// Copyright (c) 2020 Ant Financial
+// Copyright (c) 2020-2021 Ant Group
 //
 // SPDX-License-Identifier: Apache-2.0
 //
@ -34,15 +34,19 @@ func getSandboxIdFromReq(r *http.Request) (string, error) {
 }
 func (km *KataMonitor) buildShimClient(sandboxID, namespace string, timeout time.Duration) (*http.Client, error) {
-	socket, err := km.getMonitorAddress(sandboxID, namespace)
+	socketAddr, err := km.getMonitorAddress(sandboxID, namespace)
 	if err != nil {
 		return nil, err
 	}
 	return BuildUnixSocketClient(socketAddr, timeout)
 }
 // BuildUnixSocketClient build http client for Unix socket
 func BuildUnixSocketClient(socketAddr string, timeout time.Duration) (*http.Client, error) {
 	transport := &http.Transport{
 		DisableKeepAlives: true,
 		Dial: func(proto, addr string) (conn net.Conn, err error) {
-			return net.Dial("unix", "\x00"+socket)
+			return net.Dial("unix", "\x00"+socketAddr)
 		},
 	}