Sync our repo with upstream

.github/workflows/release.yaml

@@ -19,7 +19,7 @@ jobs:
           fetch-depth: 1
 
       - name: build image
-        run: docker build -t digitalocean/doks-debug:latest .
+        run: docker build --platform linux/amd64 -t digitalocean/doks-debug:latest .
 
       - name: Log into container registry
         run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin

.github/workflows/test.yaml

@@ -13,7 +13,7 @@ jobs:
           fetch-depth: 1
 
       - name: build image
-        run: docker build -t doks-debug .
+        run: docker build --platform linux/amd64 -t doks-debug .
 
       - name: smoke test
         run: docker run --rm doks-debug sleep 1

Dockerfile

@@ -1,17 +1,18 @@
 # match doks-debug version with DOKS worker node image version for kernel
 # tooling compatibility reasons
-FROM debian:10-slim
+FROM debian:12-slim
+
+# Specify the version of crictl to install
+ARG CRICTL_VERSION="v1.31.1"
 
 WORKDIR /root
 
 # use same dpkg path-exclude settings that come by default with ubuntu:focal
 # image that we previously used
-RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' > /etc/dpkg/dpkg.cfg.d/excludes
-RUN echo 'path-exclude=/usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/excludes
-RUN echo 'path-include=/usr/share/doc/*/copyright' > /etc/dpkg/dpkg.cfg.d/excludes
-RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' > /etc/dpkg/dpkg.cfg.d/excludes
-
-RUN echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list
+RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' >> /etc/dpkg/dpkg.cfg.d/excludes
+RUN echo 'path-exclude=/usr/share/doc/*' >> /etc/dpkg/dpkg.cfg.d/excludes
+RUN echo 'path-include=/usr/share/doc/*/copyright' >> /etc/dpkg/dpkg.cfg.d/excludes
+RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' >> /etc/dpkg/dpkg.cfg.d/excludes
 
 RUN apt-get update -qq && \
     apt-get install -y apt-transport-https \
@@ -32,6 +33,7 @@ RUN apt-get update -qq && \
                        tcpdump \
                        traceroute \
                        iputils-ping \
+                       iptables \
                        net-tools \
                        ncat \
                        iproute2 \
@@ -42,12 +44,18 @@ RUN apt-get update -qq && \
                        dsniff \
                        mtr-tiny \
                        conntrack \
-                       llvm-8 llvm-8-tools \
+                       llvm-13 llvm-13-tools \
+                       wget \
                        bpftool
 
-RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
-    add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" && \
-    apt-get update -qq && \
-    apt-get install -y docker-ce
+# Install crictl
+RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \
+    tar zxvf crictl-${CRICTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin && \
+    rm -f crictl-${CRICTL_VERSION}-linux-amd64.tar.gz
+
+# Specify the default image endpoint for crictl
+RUN echo 'runtime-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml
+RUN echo 'image-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml
+RUN echo 'timeout: 2' >> /etc/crictl.yaml
 
 CMD [ "/bin/bash" ]

README.md

@@ -17,7 +17,7 @@ This DaemonSet manifest will:
  1. Ensure a pod with our Docker image is running indefinitely on every node.
  2. Use `hostPID`, `hostIPC`, and `hostNetwork`.
  3. Mount the entire host filesystem to `/host` in the containers.
- 4. Mount `/var/run/docker.sock` from the host.
+ 4. Mount the `containerd` socket at `/run/containerd/containerd.sock` from the host into the container.
 
 In order to make use of these workloads, you can exec into a pod of choice by name:
 
@@ -47,11 +47,11 @@ Once you're in, you have access to the set of tools listed in the `Dockerfile`.
  - [`netcat`](https://linux.die.net/man/1/nc) - is a multi-tool for interacting with TCP and UDP; it can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.
  - [`iproute2`](https://wiki.linuxfoundation.org/networking/iproute2) - is a collection of utilities for controlling TCP / IP networking and traffic control in Linux.
  - [`strace`](https://github.com/strace/strace) - is a diagnostic, debugging and instructional userspace utility with a traditional command-line interface for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state.
- - [`docker`](https://docs.docker.com/engine/reference/commandline/cli/) - is the CLI tool used for interacting with Docker containers on the system.
  - [`dstat`](http://dag.wiee.rs/home-made/dstat/) - is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting.
  - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems.
  - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level.
-
+ - [`wget`](https://www.gnu.org/software/wget/) - for retrieving files using HTTP, HTTPS, FTP and FTPS.
+ - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - A CLI for CRI endpoints. Configured to use `/run/containerd/containerd.sock` as a default endpoint. 
 # Tips and Tricks
 
 ## chroot + systemctl

k8s/daemonset.yaml

@@ -15,7 +15,9 @@ spec:
         name: doks-debug
       annotations:
         clusterlint.digitalocean.com/disabled-checks: "hostpath-volume"
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
     spec:
+      dnsPolicy: ClusterFirstWithHostNet
       hostPID: true
       hostIPC: true
       hostNetwork: true
@@ -37,15 +39,16 @@ spec:
         volumeMounts:
           - name: host
             mountPath: /host
-          - name: docker
-            mountPath: /var/run/docker.sock
+          - name: containerd
+            mountPath: /run/containerd/containerd.sock
+      terminationGracePeriodSeconds: 0
       volumes:
         - name: host
           hostPath:
             path: /
-        - name: docker
+        - name: containerd
           hostPath:
-            path: /var/run/docker.sock
+            path: /run/containerd/containerd.sock
             type: Socket
   updateStrategy:
     rollingUpdate:

k8s/deployment.yaml

@@ -16,7 +16,9 @@ spec:
         name: doks-debug
       annotations:
         clusterlint.digitalocean.com/disabled-checks: "hostpath-volume"
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
     spec:
+      dnsPolicy: ClusterFirstWithHostNet
       hostPID: true
       hostIPC: true
       hostNetwork: true
@@ -38,15 +40,16 @@ spec:
         volumeMounts:
           - name: host
             mountPath: /host
-          - name: docker
-            mountPath: /var/run/docker.sock
+          - name: containerd
+            mountPath: /run/containerd/containerd.sock
+      terminationGracePeriodSeconds: 0
       volumes:
         - name: host
           hostPath:
             path: /
-        - name: docker
+        - name: containerd
           hostPath:
-            path: /var/run/docker.sock
+            path: /run/containerd/containerd.sock
             type: Socket
   strategy:
     rollingUpdate: