For my purposes I resolved it by:
- Creating a DaemonSet which runs a privileged container using the PID namespace of the host.
- Using nsenter to enter the main namespace.
- Executing a command which changes the core_pattern file.
- Waiting forever, because a DaemonSet must have the restart policy set to Always.
This instruction was taken from: https://medium.com/[@](/users/na/?userId=174b737b-7ffe-0003-0000-000000000000)/initialize-your-aks-nodes-with-daemonsets-679fa81fd20e
Here's the final configuration:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: init-node
spec:
  selector:
    matchLabels:
      job: init-node
  template:
    metadata:
      labels:
        job: init-node
    spec:
      hostPID: true
      restartPolicy: Always
      containers:
        - image: alpine:3.12.0
          name: init-node
          securityContext:
            privileged: true
          command: ["/bin/sh"]
          args: ["-c", "nsenter -t 1 -m -- su -c \"echo \\\"/core/core.%e.%p.%t\\\" > /proc/sys/kernel/core_pattern\" && sleep infinity"]
Since pipes are executed in the namespace of root, I'll see if I can create a script which writes the data stream it gets as input to a location. This way I can have a directory mounted on the host system (best case an Azure File System instance) where this application would write the core dump to. In this case the dump would be saved outside the container, which would actually be the best scenario for me.
EDIT:
The last part was the easiest. Just set /proc/sys/kernel/core_pattern to |/bin/dd of=/core/%h.%e.%p.%t and your core dumps will get piped to /core on your host. Now mount an Azure File Storage share (https://learn.microsoft.com/en-us/azure/virtual-machines/linux/mount-azure-file-storage-on-linux-using-smb) on this location and you're ready to go.
This already hits quite a couple of birds with one stone:
- Your core dumps are not on the container after it crashed. All sensitive information is stored at a different place which is not accessible if a container is compromised. Be careful where you store them.
- If you do it like me, they're not stored on the host either, so you're free to scale your cluster up and down without worrying about losing information.
DISCLAIMER:
The application nsenter enters a different namespace and executes commands in it. Therefore this solution might only work with Docker, which uses namespaces and cgroups to run the containers.
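As an added example (my own, not code from the post above or from the linked article), here is the kind of script the post mentions as a replacement for the /bin/dd pipe handler: it receives the dump on stdin, validates the %h %e %p %t arguments (the %e comm name is chosen by the crashing process itself), caps the dump size and creates the file readable by root only. The install path /usr/local/bin/core-handler and the CORE_DIR default are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Intended core_pattern:
#   |/usr/local/bin/core-handler %h %e %p %t        (path is an assumption)
# The kernel runs the handler as root in the host's initial namespaces and
# feeds the core dump on stdin; the four pattern specifiers arrive as $1..$4.

CORE_DIR="${CORE_DIR:-/core}"          # assumed mount point of the share
MAX_BYTES="${MAX_BYTES:-1073741824}"   # cap each dump at 1 GiB

# write_core DIR HOST EXE PID TIME
# Reads the dump from stdin and writes DIR/HOST.EXE.PID.TIME, the same
# naming as the dd pattern above. Prints the written path; returns 1 on
# any rejected argument or write failure.
write_core() {
    dir=$1; host=$2; exe=$3; pid=$4; time=$5
    # Only allow a safe character set in every name component, so a comm
    # name such as "../etc/passwd" cannot steer the write outside DIR.
    for part in "$host" "$exe" "$pid" "$time"; do
        case "$part" in
            ''|*[!A-Za-z0-9._-]*) return 1 ;;
        esac
    done
    [ -d "$dir" ] || return 1
    out="$dir/$host.$exe.$pid.$time"
    # umask 077: the dump contains process memory, keep it owner-only.
    ( umask 077 && head -c "$MAX_BYTES" > "$out" ) || return 1
    printf '%s\n' "$out"
}

# Entry point when invoked by the kernel with the four specifiers.
if [ "$#" -eq 4 ]; then
    write_core "$CORE_DIR" "$@" >/dev/null || exit 1
fi
```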