kdotnet-dump 0.1.0__tar.gz

kdotnet_dump-0.1.0/.github/workflows/build-test-images.yml

@@ -0,0 +1,49 @@
+name: Build Test Images
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+    build-test-image:
+        runs-on: ubuntu-latest
+        strategy:
+            matrix:
+                dotnet-version:
+                    - "10.0"
+                rt-image:
+                    - noble 
+                    - alpine3.22 
+                    - noble-chiseled
+        steps:
+        - name: Checkout code
+          uses: actions/checkout@v4
+        - name: Login to Docker Hub
+          uses: docker/login-action@v3
+          with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+        - name: Set up QEMU
+          uses: docker/setup-qemu-action@v3
+        - name: Set up Docker Buildx
+          uses: docker/setup-buildx-action@v3
+        - name: Build and push
+          uses: docker/build-push-action@v6
+          with:
+            context: ./testimages
+            push: true
+            build-args: |
+              rt_image=${{ format('mcr.microsoft.com/dotnet/aspnet:{0}-{1}', matrix.dotnet-version, matrix.rt-image) }}
+              sdk_image=${{ format('mcr.microsoft.com/dotnet/sdk:{0}', matrix.dotnet-version) }}
+            tags: ghcr.io/gprossliner/kdotnet-dump-testapp:${{ matrix.dotnet-version }}-${{ matrix.rt-image }}
+            platforms: linux/amd64,linux/arm64
+            annotations: |
+              org.opencontainers.image.source="https://github.com/gprossliner/kdotnet-dump"
+              org.opencontainers.image.description="Test application for kdotnet-dump integration tests"
+              
+
+    

kdotnet_dump-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,35 @@
+name: Build and Publish to PyPI
+
+on:
+  workflow_dispatch:
+
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for Trusted Publishing
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.14'
+
+      - name: Install build tools
+        run: |
+          python -m pip install --upgrade pip
+          pip install build hatchling hatch-vcs
+
+      - name: Build package
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        

kdotnet_dump-0.1.0/.github/workflows/test.yml

@@ -0,0 +1,54 @@
+name: Integration Tests
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+    
+    - name: Install dependencies
+      run: |
+        pip install -r tests/requirements.txt
+    
+    - name: Create kind cluster
+      uses: helm/kind-action@v1
+      with:
+        cluster_name: kdotnet-dump-test
+        wait: 120s
+    
+    - name: Verify cluster
+      run: |
+        kubectl cluster-info
+        kubectl get nodes
+    
+    - name: Run integration tests
+      run: |
+        cd tests
+        pytest test_entry.py -v -s --tb=short
+    
+    - name: Upload test results
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: test-results
+        path: tests/test-results/
+        if-no-files-found: ignore
+        
+    - name: Cleanup
+      if: always()
+      run: |
+        kind delete cluster --name kdotnet-dump-test || true

kdotnet_dump-0.1.0/.gitignore

@@ -0,0 +1,4 @@
+core_*
+
+__pycache__/
+latest_dump

kdotnet_dump-0.1.0/.vscode/launch.json

@@ -0,0 +1,17 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+
+        {
+            "name": "Python Debugger: Current File with Arguments",
+            "type": "debugpy",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "args": "-l app=test-noble-root --strategy=debug-container --dump-type mini"
+        }
+    ]
+}

kdotnet_dump-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Günter Prossliner
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

kdotnet_dump-0.1.0/PKG-INFO

@@ -0,0 +1,239 @@
+Metadata-Version: 2.4
+Name: kdotnet-dump
+Version: 0.1.0
+Summary: CLI tool for dumping dotnet processes running in kubernetes pods
+Author-email: Günter Prossliner <6724584+gprossliner@users.noreply.github.com>
+License-Expression: MIT
+License-File: LICENSE
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+
+# kdotnet-dump
+
+A tool to create and download .NET process dumps from Kubernetes pods, supporting both standard and hardened (non-root) containers.
+
+## Purpose
+
+Creating .NET dumps from containers running in Kubernetes can be challenging, especially with:
+- **Non-root containers** - Can't install tools or write to most filesystem locations
+- **Restricted Pod Security Standards** - Limited privileges and capabilities
+- **Large dump files** - Can exceed 350MB, causing kubectl cp to fail
+
+`kdotnet-dump` solves these problems by:
+1. Using ephemeral debug containers to isolate diagnostic tooling from application containers
+2. Automatically detecting container UID/GID and matching security context
+3. Downloading dotnet-dump dynamically (no need to bake it into images)
+4. Using chunked base64 transfer to handle large files reliably
+5. Working with `/proc/1/root/tmp` to share filesystem between debug and target containers
+
+## Installation
+
+```bash
+git clone https://github.com/gprossliner/kdotnet-dump.git
+cd kdotnet-dump
+```
+
+No additional dependencies required - just Python 3 and `kubectl`.
+
+## Command Line Arguments
+
+```
+usage: entry.py [-h] [--strategy {same-container,debug-container}]
+                [-n NAMESPACE] [-l SELECTOR] [--dump-type {mini,heap,triage,full}]
+                [--dump-pid DUMP_PID] [--debug-image DEBUG_IMAGE]
+                [pod]
+
+positional arguments:
+  pod                   Pod name (or use --selector)
+
+optional arguments:
+  -h, --help            Show this help message and exit
+  
+  --strategy {same-container,debug-container}
+                        Strategy to create the dump (default: debug-container)
+                        - same-container: Runs dotnet-dump in the target container (requires root)
+                        - debug-container: Uses ephemeral debug container (works with non-root)
+  
+  -n, --namespace NAMESPACE
+                        Kubernetes namespace (default: default)
+  
+  -l, --selector SELECTOR
+                        Label selector to find pod (e.g., app=myapp)
+                        Use this instead of specifying pod name directly
+  
+  --dump-type {mini,heap,triage,full}
+                        Dump type (default: mini)
+                        - mini: Minimal dump with stacks and exception info
+                        - heap: Includes heap memory
+                        - triage: Minimal info for initial diagnosis
+                        - full: Complete memory dump (can be very large)
+  
+  --dump-pid DUMP_PID   Process ID to dump (default: 1)
+                        Usually PID 1 is the main application process
+  
+  --debug-image DEBUG_IMAGE
+                        Debug container image to use
+                        (default: mcr.microsoft.com/dotnet/sdk:latest)
+```
+
+## Examples
+
+### Basic Usage - Find pod by label selector
+
+```bash
+python3 entry.py -n production -l app=api --dump-type mini
+```
+
+This will:
+1. Find a pod with label `app=api` in namespace `production`
+2. Create an ephemeral debug container
+3. Download and run dotnet-dump to create a mini dump
+4. Download the dump to `./latest_dump`
+
+### Specify pod name directly
+
+```bash
+python3 entry.py -n production my-app-pod-12345 --dump-type full
+```
+
+### Create full heap dump for memory analysis
+
+```bash
+python3 entry.py -l app=api --dump-type heap
+```
+
+### Use custom debug image (e.g., specific .NET SDK version)
+
+```bash
+python3 entry.py -l app=api --debug-image mcr.microsoft.com/dotnet/sdk:8.0
+```
+
+### Use same-container strategy (requires root)
+
+```bash
+python3 entry.py -l app=api --strategy same-container --dump-type mini
+```
+
+## Analyzing Dumps
+
+### On Linux
+
+```bash
+dotnet tool install -g dotnet-dump
+dotnet-dump analyze ./latest_dump
+```
+
+### On macOS (using Docker)
+
+macOS doesn't support analyzing Linux dumps natively. Use a Docker container with the correct platform:
+
+```bash
+# For Apple Silicon (M1/M2/M3), specify linux/amd64 platform
+docker run --rm -it --platform linux/amd64 \
+  -v $(pwd):/dumps \
+  mcr.microsoft.com/dotnet/sdk:10.0 \
+  bash
+
+# Inside the container
+dotnet tool install dotnet-dump
+dotnet tool run dotnet-dump analyze /dumps/latest_dump
+```
+
+Common dotnet-dump commands:
+```
+clrthreads          # List managed threads
+clrstack            # Show managed stack trace
+dumpheap -stat      # Show heap statistics
+sos help            # Show all available commands
+```
+
+## How It Works
+
+### Debug Container Strategy (Recommended)
+
+1. **Pod Discovery**: Finds target pod using label selector or name
+2. **Container Detection**: Identifies the default container and extracts UID/GID
+3. **Security Context Matching**: Creates debug container with same UID/GID as target
+4. **Shared Process Namespace**: Uses `--share-processes` to access target container's processes
+5. **Dump Creation**: Downloads dotnet-dump and creates dump in `/proc/1/root/tmp/dumps`
+6. **File Transfer**: Uses chunked base64 encoding to reliably download large files
+
+### Same Container Strategy
+
+Simpler but requires:
+- Container running as root
+- Writable `/tmp` directory
+- Works by installing dotnet-dump directly in the target container
+
+## Requirements
+
+### Kubernetes Cluster
+- Kubernetes 1.23+ (for ephemeral containers)
+- Kubernetes 1.28+ recommended (for UID/GID detection from status)
+
+### RBAC Permissions
+For debug-container strategy, the user needs:
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ephemeral-container-access
+  labels:
+    # This label causes the ClusterRole to be aggregated to the edit / admin role
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: [""]
+  resources: ["pods/ephemeralcontainers"]
+  verbs: ["patch", "create", "get"]
+```
+
+### Target Container Requirements
+- .NET application running (tested with .NET 8.0, 9.0, 10.0)
+- Writable `/tmp` directory OR mounted emptyDir volume
+  - For `readOnlyRootFilesystem: true`, mount emptyDir at `/tmp`
+
+## Troubleshooting
+
+### "Access to the path '/.dotnet' is denied"
+This occurs in non-root containers. Use `--strategy debug-container` (default).
+
+### "Read-only file system" errors
+For containers with `readOnlyRootFilesystem: true`, ensure `/tmp` has an emptyDir mount:
+```yaml
+volumeMounts:
+- name: tmp
+  mountPath: /tmp
+volumes:
+- name: tmp
+  emptyDir: {}
+```
+
+### Large files fail with websocket errors
+The tool automatically uses chunked transfer for reliability. If issues persist, the chunks are 10MB by default and can't be adjusted without code changes.
+
+### "No pods found with selector"
+Verify the label selector matches your pods:
+```bash
+kubectl get pods -l app=myapp -n your-namespace
+```
+
+## Testing
+
+Integration tests are available in the `tests/` directory:
+
+```bash
+pip install -r tests/requirements.txt
+pytest tests/test_entry.py -v
+```
+
+Tests deploy sample applications and verify dump creation across different configurations:
+- Root vs non-root containers
+- Debian vs Alpine vs Chiseled images
+- With and without `readOnlyRootFilesystem`
+
+## License
+
+MIT

kdotnet_dump-0.1.0/pyproject.toml

@@ -0,0 +1,31 @@
+[build-system]
+requires = ["hatchling >= 1.26", "hatch-vcs"]
+build-backend = "hatchling.build"
+
+[project]
+name = "kdotnet-dump"
+dynamic = ["version"]
+description = "CLI tool for dumping dotnet processes running in kubernetes pods"
+authors = [
+    { name = "Günter Prossliner", email = "6724584+gprossliner@users.noreply.github.com" }
+]
+readme = "readme.md"
+requires-python = ">=3.11"
+dependencies = []
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "Operating System :: OS Independent",
+]
+license = "MIT"
+
+[project.scripts]
+kdotnet-dump = "kdotnet_dump.cli:main"
+
+[tool.hatch.version]
+source = "vcs"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/kdotnet_dump"]
+
+[tool.hatch.build.targets.wheel.force-include]
+"src/kdotnet_dump/remote.sh" = "kdotnet_dump/remote.sh"

kdotnet_dump-0.1.0/rbac-ephemeral-containers.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ephemeral-containers-edit
+  labels:
+    # This label causes the ClusterRole to be aggregated to the edit role
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: [""]
+  resources: ["pods/ephemeralcontainers"]
+  verbs: ["get", "list", "watch", "create", "update", "patch"]

kdotnet_dump-0.1.0/readme.md

@@ -0,0 +1,227 @@
+# kdotnet-dump
+
+A tool to create and download .NET process dumps from Kubernetes pods, supporting both standard and hardened (non-root) containers.
+
+## Purpose
+
+Creating .NET dumps from containers running in Kubernetes can be challenging, especially with:
+- **Non-root containers** - Can't install tools or write to most filesystem locations
+- **Restricted Pod Security Standards** - Limited privileges and capabilities
+- **Large dump files** - Can exceed 350MB, causing kubectl cp to fail
+
+`kdotnet-dump` solves these problems by:
+1. Using ephemeral debug containers to isolate diagnostic tooling from application containers
+2. Automatically detecting container UID/GID and matching security context
+3. Downloading dotnet-dump dynamically (no need to bake it into images)
+4. Using chunked base64 transfer to handle large files reliably
+5. Working with `/proc/1/root/tmp` to share filesystem between debug and target containers
+
+## Installation
+
+```bash
+git clone https://github.com/gprossliner/kdotnet-dump.git
+cd kdotnet-dump
+```
+
+No additional dependencies required - just Python 3 and `kubectl`.
+
+## Command Line Arguments
+
+```
+usage: entry.py [-h] [--strategy {same-container,debug-container}]
+                [-n NAMESPACE] [-l SELECTOR] [--dump-type {mini,heap,triage,full}]
+                [--dump-pid DUMP_PID] [--debug-image DEBUG_IMAGE]
+                [pod]
+
+positional arguments:
+  pod                   Pod name (or use --selector)
+
+optional arguments:
+  -h, --help            Show this help message and exit
+  
+  --strategy {same-container,debug-container}
+                        Strategy to create the dump (default: debug-container)
+                        - same-container: Runs dotnet-dump in the target container (requires root)
+                        - debug-container: Uses ephemeral debug container (works with non-root)
+  
+  -n, --namespace NAMESPACE
+                        Kubernetes namespace (default: default)
+  
+  -l, --selector SELECTOR
+                        Label selector to find pod (e.g., app=myapp)
+                        Use this instead of specifying pod name directly
+  
+  --dump-type {mini,heap,triage,full}
+                        Dump type (default: mini)
+                        - mini: Minimal dump with stacks and exception info
+                        - heap: Includes heap memory
+                        - triage: Minimal info for initial diagnosis
+                        - full: Complete memory dump (can be very large)
+  
+  --dump-pid DUMP_PID   Process ID to dump (default: 1)
+                        Usually PID 1 is the main application process
+  
+  --debug-image DEBUG_IMAGE
+                        Debug container image to use
+                        (default: mcr.microsoft.com/dotnet/sdk:latest)
+```
+
+## Examples
+
+### Basic Usage - Find pod by label selector
+
+```bash
+python3 entry.py -n production -l app=api --dump-type mini
+```
+
+This will:
+1. Find a pod with label `app=api` in namespace `production`
+2. Create an ephemeral debug container
+3. Download and run dotnet-dump to create a mini dump
+4. Download the dump to `./latest_dump`
+
+### Specify pod name directly
+
+```bash
+python3 entry.py -n production my-app-pod-12345 --dump-type full
+```
+
+### Create full heap dump for memory analysis
+
+```bash
+python3 entry.py -l app=api --dump-type heap
+```
+
+### Use custom debug image (e.g., specific .NET SDK version)
+
+```bash
+python3 entry.py -l app=api --debug-image mcr.microsoft.com/dotnet/sdk:8.0
+```
+
+### Use same-container strategy (requires root)
+
+```bash
+python3 entry.py -l app=api --strategy same-container --dump-type mini
+```
+
+## Analyzing Dumps
+
+### On Linux
+
+```bash
+dotnet tool install -g dotnet-dump
+dotnet-dump analyze ./latest_dump
+```
+
+### On macOS (using Docker)
+
+macOS doesn't support analyzing Linux dumps natively. Use a Docker container with the correct platform:
+
+```bash
+# For Apple Silicon (M1/M2/M3), specify linux/amd64 platform
+docker run --rm -it --platform linux/amd64 \
+  -v $(pwd):/dumps \
+  mcr.microsoft.com/dotnet/sdk:10.0 \
+  bash
+
+# Inside the container
+dotnet tool install dotnet-dump
+dotnet tool run dotnet-dump analyze /dumps/latest_dump
+```
+
+Common dotnet-dump commands:
+```
+clrthreads          # List managed threads
+clrstack            # Show managed stack trace
+dumpheap -stat      # Show heap statistics
+sos help            # Show all available commands
+```
+
+## How It Works
+
+### Debug Container Strategy (Recommended)
+
+1. **Pod Discovery**: Finds target pod using label selector or name
+2. **Container Detection**: Identifies the default container and extracts UID/GID
+3. **Security Context Matching**: Creates debug container with same UID/GID as target
+4. **Shared Process Namespace**: Uses `--share-processes` to access target container's processes
+5. **Dump Creation**: Downloads dotnet-dump and creates dump in `/proc/1/root/tmp/dumps`
+6. **File Transfer**: Uses chunked base64 encoding to reliably download large files
+
+### Same Container Strategy
+
+Simpler but requires:
+- Container running as root
+- Writable `/tmp` directory
+- Works by installing dotnet-dump directly in the target container
+
+## Requirements
+
+### Kubernetes Cluster
+- Kubernetes 1.23+ (for ephemeral containers)
+- Kubernetes 1.28+ recommended (for UID/GID detection from status)
+
+### RBAC Permissions
+For debug-container strategy, the user needs:
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ephemeral-container-access
+  labels:
+    # This label causes the ClusterRole to be aggregated to the edit / admin role
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: [""]
+  resources: ["pods/ephemeralcontainers"]
+  verbs: ["patch", "create", "get"]
+```
+
+### Target Container Requirements
+- .NET application running (tested with .NET 8.0, 9.0, 10.0)
+- Writable `/tmp` directory OR mounted emptyDir volume
+  - For `readOnlyRootFilesystem: true`, mount emptyDir at `/tmp`
+
+## Troubleshooting
+
+### "Access to the path '/.dotnet' is denied"
+This occurs in non-root containers. Use `--strategy debug-container` (default).
+
+### "Read-only file system" errors
+For containers with `readOnlyRootFilesystem: true`, ensure `/tmp` has an emptyDir mount:
+```yaml
+volumeMounts:
+- name: tmp
+  mountPath: /tmp
+volumes:
+- name: tmp
+  emptyDir: {}
+```
+
+### Large files fail with websocket errors
+The tool automatically uses chunked transfer for reliability. If issues persist, the chunks are 10MB by default and can't be adjusted without code changes.
+
+### "No pods found with selector"
+Verify the label selector matches your pods:
+```bash
+kubectl get pods -l app=myapp -n your-namespace
+```
+
+## Testing
+
+Integration tests are available in the `tests/` directory:
+
+```bash
+pip install -r tests/requirements.txt
+pytest tests/test_entry.py -v
+```
+
+Tests deploy sample applications and verify dump creation across different configurations:
+- Root vs non-root containers
+- Debian vs Alpine vs Chiseled images
+- With and without `readOnlyRootFilesystem`
+
+## License
+
+MIT