In order to fix:

```
=== Running govulncheck on containerd-shim-kata-v2 ===
Vulnerabilities found in containerd-shim-kata-v2:
=== Symbol Results ===

Vulnerability #1: GO-2025-4015
    Excessive CPU consumption in Reader.ReadResponse in net/textproto
  More info: https://pkg.go.dev/vuln/GO-2025-4015
  Standard library
    Found in: net/textproto@go1.24.6
    Fixed in: net/textproto@go1.24.8
    Vulnerable symbols found:
      #1: textproto.Reader.ReadResponse

Vulnerability #2: GO-2025-4014
    Unbounded allocation when parsing GNU sparse map in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2025-4014
  Standard library
    Found in: archive/tar@go1.24.6
    Fixed in: archive/tar@go1.24.8
    Vulnerable symbols found:
      #1: tar.Reader.Next

Vulnerability #3: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.8
    Vulnerable symbols found:
      #1: x509.Certificate.Verify
      #2: x509.Certificate.Verify

Vulnerability #4: GO-2025-4012
    Lack of limit when parsing cookies can cause memory exhaustion in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-4012
  Standard library
    Found in: net/http@go1.24.6
    Fixed in: net/http@go1.24.8
    Vulnerable symbols found:
      #1: http.Client.Do
      #2: http.Client.Get
      #3: http.Client.Head
      #4: http.Client.Post
      #5: http.Client.PostForm
    Use '-show traces' to see the other 9 found symbols

Vulnerability #5: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/asn1@go1.24.6
    Fixed in: encoding/asn1@go1.24.8
    Vulnerable symbols found:
      #1: asn1.Unmarshal
      #2: asn1.UnmarshalWithParams

Vulnerability #6: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/url@go1.24.6
    Fixed in: net/url@go1.24.8
    Vulnerable symbols found:
      #1: url.JoinPath
      #2: url.Parse
      #3: url.ParseRequestURI
      #4: url.URL.Parse
      #5: url.URL.UnmarshalBinary

Vulnerability #7: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/pem@go1.24.6
    Fixed in: encoding/pem@go1.24.8
    Vulnerable symbols found:
      #1: pem.Decode

Vulnerability #8: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: crypto/tls@go1.24.6
    Fixed in: crypto/tls@go1.24.8
    Vulnerable symbols found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.Dial
    Use '-show traces' to see the other 4 found symbols

Vulnerability #9: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.9
    Vulnerable symbols found:
      #1: x509.CertPool.AppendCertsFromPEM
      #2: x509.Certificate.CheckCRLSignature
      #3: x509.Certificate.CheckSignature
      #4: x509.Certificate.CheckSignatureFrom
      #5: x509.Certificate.CreateCRL
    Use '-show traces' to see the other 27 found symbols

Vulnerability #10: GO-2025-4006
    Excessive CPU consumption in ParseAddress in net/mail
  More info: https://pkg.go.dev/vuln/GO-2025-4006
  Standard library
    Found in: net/mail@go1.24.6
    Fixed in: net/mail@go1.24.8
    Vulnerable symbols found:
      #1: mail.AddressParser.Parse
      #2: mail.AddressParser.ParseList
      #3: mail.Header.AddressList
      #4: mail.ParseAddress
      #5: mail.ParseAddressList
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
kata-log-parser
Introduction
kata-log-parser is a tool that combines logfiles generated by the various
system components, sorts them by timestamp, and re-displays the log entries. A
time delta is added to show how much time has elapsed between each log entry.
The tool can also check the validity of all log records, and it can re-format the logs and output them in a different format.
For more information on the kata-log-parser tool, use the help command:
$ kata-log-parser --help
Logfile requirements
The tool reads logfiles in the logfmt structured logging format, for example a
logfile created by the Go Logrus package.
By default the tool requires that the following fields are defined for each log record:
- Log level field (`level`): must be one of the Logrus `LogLevel` values in string format (e.g. `debug`, `info`, `error`).
- Name field (`name`): a single word that specifies the name of the application that generates the log record (e.g. `kata-runtime`).
- Process ID field (`pid`): the numeric process identifier for the process that generates the log record.
- Source field (`source`): a single word that specifies the name of a unique part of the system (e.g. `runtime`).
- Timestamp field (`time`): in RFC3339 format and including a nanosecond value.
In addition to the fields above, the tool also expects the following field:
- Message field (`msg`): a textual message allowing log records to be disambiguated.
Note: these requirements can be ignored by using the `--ignore-missing-fields` flag.
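As an added example (not part of the kata-log-parser source), the following Go program implements the behaviour described in the Introduction and the field requirements above: it parses logfmt records, validates the required fields, merges several logfiles, sorts the records by timestamp and computes the time delta between consecutive entries. Assumptions are marked in the comments: the sample records are constructed, the accepted level names are taken to be the ones Logrus prints, and treating `time` as mandatory even when other missing fields are ignored is this example's own choice.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Entry is one validated record; Delta is the gap to the preceding entry after sorting.
type Entry struct {
	Time   time.Time
	Delta  time.Duration
	Fields map[string]string // level, name, pid, source, msg and extras such as sandbox
}

// Assumption: the level names Logrus prints via Level.String(), plus "warn".
var validLevels = map[string]bool{"panic": true, "fatal": true, "error": true, "warning": true, "warn": true, "info": true, "debug": true, "trace": true}

// One check per field the README requires: level, name, pid, source, time, msg.
func isLevel(v string) bool { return validLevels[v] }
func isWord(v string) bool  { return v != "" && !strings.ContainsAny(v, " \t") }
func isPid(v string) bool   { p, err := strconv.Atoi(v); return err == nil && p > 0 }
func isTime(v string) bool  { _, err := time.Parse(time.RFC3339Nano, v); return err == nil && strings.Contains(v, ".") }
func isMsg(string) bool     { return true }
var required = map[string]func(string) bool{"level": isLevel, "name": isWord, "source": isWord, "pid": isPid, "time": isTime, "msg": isMsg}

// pairRE matches key=value, the value being a Go-quoted string or a bare word.
var pairRE = regexp.MustCompile(`([^\s=]+)=("(?:[^"\\]|\\.)*"|\S*)`)

// parseRecord splits one logfmt line into pairs (unquoting values the way Logrus
// wrote them), rejects text outside any pair, and validates the required fields.
// With ignoreMissing an absent field is tolerated, except time, which sorting
// needs (this example's rule, not necessarily the real tool's).
func parseRecord(line string, ignoreMissing bool) (Entry, error) {
	if stray := strings.TrimSpace(pairRE.ReplaceAllString(line, "")); stray != "" {
		return Entry{}, fmt.Errorf("text outside any key=value pair: %q", stray)
	}
	f := map[string]string{}
	for _, m := range pairRE.FindAllStringSubmatch(line, -1) {
		key, val := m[1], m[2]
		if strings.HasPrefix(val, `"`) {
			u, err := strconv.Unquote(val)
			if err != nil {
				return Entry{}, fmt.Errorf("bad quoted value for %s: %w", key, err)
			}
			val = u
		}
		f[key] = val
	}
	for k, check := range required {
		v, present := f[k]
		if !present && ignoreMissing && k != "time" {
			continue
		}
		if !present || !check(v) {
			return Entry{}, fmt.Errorf("missing or invalid %s field %q", k, v)
		}
	}
	t, _ := time.Parse(time.RFC3339Nano, f["time"]) // isTime already accepted it
	return Entry{Time: t, Fields: f}, nil
}

// mergeLogs takes one logfile's contents per input, validates every record, sorts
// all of them by timestamp and fills in the delta to the preceding record.
func mergeLogs(ignoreMissing bool, inputs ...string) ([]Entry, error) {
	var entries []Entry
	for n, in := range inputs {
		for ln, line := range strings.FieldsFunc(in, func(r rune) bool { return r == '\n' }) { // drops blank lines
			e, err := parseRecord(line, ignoreMissing)
			if err != nil {
				return nil, fmt.Errorf("input %d record %d: %w", n+1, ln+1, err)
			}
			entries = append(entries, e)
		}
	}
	sort.SliceStable(entries, func(i, j int) bool { return entries[i].Time.Before(entries[j].Time) })
	for i := 1; i < len(entries); i++ {
		entries[i].Delta = entries[i].Time.Sub(entries[i-1].Time)
	}
	return entries, nil
}

// Constructed sample records in the shape Logrus writes; not real Kata output.
const (
	sampleRuntime = `time="2024-01-02T10:00:00.000100000Z" level=info msg="sandbox created" name=kata-runtime pid=1201 source=runtime sandbox=abc123
time="2024-01-02T10:00:00.000300000Z" level=debug msg="starting VM" name=kata-runtime pid=1201 source=virtcontainers subsystem=qemu`
	sampleShim = `time="2024-01-02T10:00:00.000200000Z" level=info msg="received create request" name=containerd-shim-kata-v2 pid=1190 source=containerd-kata-shim-v2`
)

func main() {
	entries, err := mergeLogs(false, sampleRuntime, sampleShim)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Println(e.Time.Format(time.RFC3339Nano), "+"+e.Delta.String(), e.Fields["source"], e.Fields["msg"])
	}
}
```

Running it prints the three sample records interleaved by time, each with the delta to its predecessor, which is the view kata-log-parser gives of a runtime log and a shim log taken together. A record whose timestamp lacks a nanosecond part, whose level is unknown, or which carries text outside any key=value pair is reported with its input and record number rather than silently skipped; passing `true` for `ignoreMissing` mirrors `--ignore-missing-fields` for absent fields only.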
Component logfiles
The primary logfiles the tool reads are:
- The runtime log. This log also includes virtcontainers log entries and, on a best-effort basis, unpacked agent log entries (unless `--no-agent-unpack` is specified).
Usage
To merge all logs:
- Enable full debug.
- Clear the systemd journal (optional):
  ```
  $ sudo systemctl stop systemd-journald
  $ sudo rm -f /var/log/journal/*/* /run/log/journal/*/*
  $ sudo systemctl start systemd-journald
  ```
- Create a Kata container.
- Collect the logs (as an alternative to clearing the journal, you can restrict the collected logs by adding `--since=<container creation time>`):
  ```
  $ sudo journalctl -q -o cat -a -t kata > ./kata.log
  ```
- Ensure the logs are readable:
  ```
  $ sudo chown $USER *.log
  ```
- To install the program:
  ```
  $ go get -d github.com/kata-containers/kata-containers
  $ pushd $GOPATH/src/github.com/kata-containers/kata-containers/src/tools/log-parser && make install && popd
  ```
- To run the program:
  ```
  $ kata-log-parser kata.log
  ```
Advanced processing using jq
jq is a command-line JSON processor which can be combined with kata-log-parser
to filter and fetch specific log entries.
Examples
Get only the raw guest console output
$ kata-log-parser --ignore-missing-fields --output-format json --no-agent-unpack kata.log | jq '.Entries[] | select(.Msg=="reading guest console") | .Data.vmconsole'
Get only the agent's unpacked log entries
This example also demonstrates how to get logs from the journal directly to the parser.
$ journalctl -q -o cat -a -t kata | kata-log-parser --ignore-missing-fields --output-format json - | jq '.Entries[] | select(.Source=="agent")'
Get only certain Sandbox ID logs
These entries are sourced from `containerd-kata-shim-v2` and are printed along with their `Msg` content, `Time` and container ID.
$ kata-log-parser --ignore-missing-fields --output-format json kata.log | jq '.Entries[] | select(.Source=="containerd-kata-shim-v2" and .Sandbox=="2fa50251ccc3b9a85350e8fe6836d1875023714153b503b548360946fcec3829") | "\(.Msg) \(.Time) \(.Container)"'