constellation/debugd
Moritz Sanft f4b2d02194
ci: collect cluster metrics to OpenSearch (#2347)
* add Metricbeat deployment to debugd

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* set metricbeat debugd image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix k8s deployment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use 2 separate deployments

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only deploy via k8s in non-debug-images

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing tilde

* remove k8s metrics

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* unify flag

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add cloud metadata processor to filebeat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* ci: fix debugd logcollection (#2355)

* add missing keyvault access role

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bump logstash image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bump filebeat / metricbeat image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* log used image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use debugging image versions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* increase wait timeout for image upload

* add cloud metadata processor to filebeat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix template locations in container

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix image version typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add filebeat / metricbeat users

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove user additions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update workflow step name

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only mount config files

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* document potential rc

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix IAM permissions in workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix AWS permissions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing workflow input

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rename action

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* pin image versions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary workflow inputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add refStream input

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove inputs.yml dep

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* increase system metric period

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linkchecker

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-09-27 16:17:31 +02:00
cmd deps: update dependency hermetic_cc_toolchain to v2.0.0 (#1860) 2023-06-09 17:39:30 +02:00
filebeat ci: collect cluster metrics to OpenSearch (#2347) 2023-09-27 16:17:31 +02:00
internal ci: collect cluster metrics to OpenSearch (#2347) 2023-09-27 16:17:31 +02:00
logstash ci: collect cluster metrics to OpenSearch (#2347) 2023-09-27 16:17:31 +02:00
metricbeat ci: collect cluster metrics to OpenSearch (#2347) 2023-09-27 16:17:31 +02:00
service deps: update module github.com/sigstore/rekor to v1.2.2 (#2033) 2023-07-06 15:41:14 +02:00
README.md dev-docs: refactor and add information for newbies (#1912) 2023-06-19 17:39:43 +02:00

debug daemon (debugd)

Debugd is a tool we built to allow for shorter iteration cycles during development. The debugd gets embedded into OS images at the place where the bootstrapper normally sits. Therefore, when a debug image is started, the debugd starts executing instead of the bootstrapper. The debugd will then wait for a request from the cdbg tool to upload a bootstrapper binary. Once the upload is finished, debugd will start the bootstrapper. Subsequently, you can initialize your cluster with constellation init as usual.

Build cdbg

mkdir -p build
# Run CMake from inside the build directory so that ".." refers to the source tree
cd build
cmake ..
make cdbg

debugd & cdbg usage

Before continuing, remember to set up your cloud credentials for the CLI to work.

With cdbg and yq installed in your path:

  1. Run constellation config generate to create a new default configuration

  2. Locate the latest debugd images by running (cd internal/api/versionsapi/cli && go build -o versionsapi . && ./versionsapi latest --ref main --stream debug)

  3. Modify the constellation-conf.yaml to use an image with the debugd already included and add required firewall rules:

    # Set full reference of cloud provider image name
    export IMAGE_URI=
    
    yq -i \
        ".image = \"${IMAGE_URI}\" | \
        .debugCluster = true" \
        constellation-conf.yaml
    
  4. Run constellation create […]

  5. Run ./cdbg deploy

    By default, cdbg searches for the bootstrapper in the current path (./bootstrapper). You can define a custom path by appending the argument --bootstrapper <path to bootstrapper> to cdbg deploy.

  6. Run constellation init […] as usual

Logcollection to OpenSearch

You can enable the logcollection of debugd to send logs to OpenSearch.

On Azure, ensure your user-assigned identity has the Key Vault Secrets User role assigned on the key vault opensearch-creds.

On AWS, attach the SecretManagerE2E policy to your control-plane and worker node role.

When deploying with cdbg, enable logcollection by setting logcollect=true and passing your name as logcollect.admin=yourname.

./cdbg deploy --info logcollect=true,logcollect.admin=yourname

# OR

./cdbg deploy --info logcollect=true --info logcollect.admin=yourname

Other available fields can be found in the field list.

For QEMU, the credentials for OpenSearch must be passed via the info flag as well:

./cdbg deploy \
    --info logcollect=true \
    --info logcollect.admin=yourname \
    --info qemu.opensearch-pw='xxxxxxx'

Remember to use single quotes for the password, so that the shell passes it to cdbg unchanged instead of expanding characters such as $.

You will also need to increase the memory size of QEMU to 4GB.