• FUJITSU Software Enterprise Application Platform • Launcher
Member of Jakarta EE SC, Member of JCP Executive Committee, Board of Directors of Eclipse Foundation
Minimize the base image. Several slim Java images exist (distroless and others), and jlink packages only the modules the application needs. The price is that a JRE-only image carries none of the JDK tools (jshell, jar, ...).
Fujitsu Limited
The JRE does not include most of the tools shipped with the JDK.
Tools not included in the JRE: jcmd / jstack / jar / javac / jdb / javadoc / ...
Tools included in the JRE: java / keytool / rmiregistry / jfr / ...
Access from the node: a container is just a process on the node, but the PID inside the container and the PID on the node differ, so it is hard to tell which process belongs to which container, and troubleshooting from the container's point of view is difficult. Access to the node itself is usually restricted.
(Diagram: jstack from the node's JDK attached to the Java application running in the container.)
Run a debugger container with the host namespaces on the Kubernetes node:
kubectl debug node/{node-name} -it \
  --image={image} -- bash
(Diagram: the debugger Pod runs in the node's namespaces, and jstack in it attaches to the Java application in the debuggee container.)
Sidecar: run the debugger (JDK) container in the same Pod as a sidecar. Specify the following in the Pod definition: spec.shareProcessNamespace: true. There is no need to install tools in the application image, but the sidecar must run all the time, even when there is no trouble. Useful for development environments where you know trouble will surely happen.
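The sidecar layout described above, written out as an added example Pod manifest (this is not from the original slides or from Fujitsu; the image names, Pod and container names, port and UID are assumptions). The application container runs on a JRE-only image, the sidecar carries the JDK tools, and shareProcessNamespace lets the sidecar see the application's java process:

```yaml
# Added example, not part of the original slides.
# Assumptions: image names, Pod/container names, port 8080 and UID 10001.
apiVersion: v1
kind: Pod
metadata:
  name: java-app
spec:
  # All containers in the Pod share one PID namespace, so the sidecar can
  # see (and attach to) the application's java process. Side effect: the
  # application is no longer PID 1 inside its own container.
  shareProcessNamespace: true
  containers:
  - name: app
    # assumed: built on a jlink/JRE base image, so no jstack/jcmd inside
    image: registry.example.com/java-app:1.0
    ports:
    - containerPort: 8080
    securityContext:
      runAsNonRoot: true
      runAsUser: 10001
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  - name: debugger
    # assumed: a full JDK image that provides jstack, jcmd, jfr, ...
    image: eclipse-temurin:21-jdk
    # Sits idle until someone execs into it. It still consumes its resource
    # reservation all the time, which is the sidecar's drawback.
    command: ["sleep", "infinity"]
    securityContext:
      runAsNonRoot: true
      # Same UID as the app: the JVM attach listener refuses clients running
      # as a different user, so jstack/jcmd only work from the same UID.
      runAsUser: 10001
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    resources:
      limits:
        cpu: 200m
        memory: 256Mi
```

To use it, exec into the sidecar and find the application's PID with ps (the two containers keep separate mnt namespaces, so jps, which reads /tmp/hsperfdata_*, does not list the other container's JVM); then run jstack or jcmd against that PID. The application's filesystem is reachable from the sidecar under /proc/<pid>/root, which is how log files or heap dumps written by the application can be picked up without adding anything to the application image.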
(Diagram: namespaces per container. In both the Pod with shareProcessNamespace and the copied Pod, the Debugger (JDK) container and the App (JRE) container share the Pod's net, uts and pid namespaces, so the debugger can access the application process; each container keeps its own mnt namespace.)
Copy: copy the debuggee Pod and add a debugger container to the copy when trouble happens. More resource-efficient than a sidecar, but there is no live migration: the copy is a fresh Pod, not the container in which the trouble occurred.
kubectl debug -it debuggee-pod \
  --copy-to debugger-pod \
  --share-processes \
  --image JDK-image -- bash
Ephemeral container: add a debugger container, sharing the namespaces of the debuggee container, to the existing Pod.
Using Docker:
docker run \
  -it --name=debugger --pid=container:jre \
  jdk-image bash
Using Kubernetes (--target names the container whose process namespace is shared; the last positional argument is the Pod):
kubectl debug -it -c debugger --target debuggee \
  --image=jdk-image debuggee -- bash
Comparison of the methods (pros / cons):
Access from Node
  Pros: Easy
  Cons: Tools may not be available (N/A on the node); needs host privilege; different namespace
Sidecar
  Pros: Separates the debugger container from the application container
  Cons: Wastes resources
COPY
  Pros: Copies only when trouble happens
  Cons: Cannot debug the actual container in which the trouble happened
Ephemeral Container
  Pros: Can access the actual troubled container, and only when trouble happens
  Cons: Cannot delete the ephemeral container
Summary: troubleshooting tools that could be used on premises may not be usable in a container (the dilemma of the Java container). There are several ways, such as ephemeral containers, to work around the dilemma. Isolating the troubleshooting container from the application container keeps the application container secure.
(Diagram axes: start-up, security, troubleshooting.)