On-Premises Debug Bundle
Generate a FOSSA cluster debug bundle (a ZIP of cluster state, pod logs, and application diagnostics) and send it to FOSSA support.
Overview
When you hit a problem with an on-premises FOSSA deployment, support will often ask for a debug bundle: a ZIP file containing information about your FOSSA application and the Kubernetes cluster it runs in. Generating one is a cluster-operator task. Enable it in your Helm values, let it collect, then copy the result off the pod and send it in.
The debugBundle deployment has shipped with the fossa/fossa-core chart since chart version 2.6.0. You generally won't need it unless FOSSA support asks.
Note
Two different things are called a "debug bundle." This page covers the on-premises cluster bundle, which captures the state of your FOSSA deployment. If you're diagnosing a problem with a fossa analyze scan instead, you want the CLI debug bundle (fossa.debug.json.gz). See Debugging the FOSSA CLI.
What the bundle collects
The bundle is an exact snapshot of your release and cluster, written to a temporary directory on the debug-bundle pod. It includes:
- Application configuration:
FOSSAConfigs,FeatureFlags, andSequelizeMetatables. - Build data: recent
Builds, and the relatedTasks,Revisions, andDependencyLocks. - Cluster state: pods (with per-container logs), services, deployments, statefulsets, daemonsets, jobs, cronjobs, config maps, events, persistent volumes and claims, and the rendered Helm release values and manifest.
- Node diagnostics: nodes and node leases, only when cluster-role access is granted (see below).
- Endpoint connectivity: reachability checks to the external hosts FOSSA depends on (for example
app.fossa.com,vulns.fossa.com,pypi.org, ands3.amazonaws.com).
Because this is a faithful copy of your cluster, the bundle can contain secrets. You'll redact those before sending. See Redact and send the bundle.
Generating the bundle
- 1
Enable the debug bundle
Set
deployment.debugBundle.enabled: truein yourfossa/fossa-corevalues:YAMLdeployment: debugBundle: enabled: trueIf you have permission to create cluster roles, also set
createClusterRole: true. This lets the bundle collect diagnostics about your cluster's compute nodes, which helps FOSSA diagnose hardware-provisioning and performance issues:YAMLdeployment: debugBundle: enabled: true createClusterRole: trueBoth values default to
false.Warning
If the bundle logs errors about being unable to retrieve information about nodes and node leases, you most likely left
deployment.debugBundle.createClusterRoleat its default offalse. The bundle is still useful without node data; it just won't include diagnostics about your underlying compute nodes. - 2
Apply the new Helm values
Apply the values the same way you apply any update, for most operators that's
helm upgrade:Shellhelm upgrade RELEASE_NAME fossa/fossa-core --values NEW_VALUES_FILEOnce the upgrade completes, you should see a
RELEASE_NAME-fossa-core-debug-bundledeployment with a single pod:Shell$ kubectl get deploymentsNAME READY UP-TO-DATE AVAILABLE AGERELEASE_NAME-fossa-core-debug-bundle 1/1 1 1 24h $ kubectl get podsNAME READY STATUS RESTARTS AGERELEASE_NAME-fossa-core-debug-bundle-85bdd985d9-c8hm4 1/1 Running 0 71mTip
The deployment already exists at
0replicas. Instead of editing values, you can scale it up directly, then pick up at the next step:Shellkubectl scale deployment RELEASE_NAME-fossa-core-debug-bundle --replicas=1 - 3
Wait for collection to finish
Once the pod is running, follow its logs:
Shellkubectl logs -f -l app.kubernetes.io/component=debug-bundleWhen collection finishes, the pod prints a completion message and a ready-to-run copy command, then exits about an hour later (removing the collected data with it):
[INFO] Collection of data is complete, this process will exit in an hour and data will be removed. [INFO] Use kubectl to copy the data: kubectl cp RELEASE_NAME-fossa-core-debug-bundle-85bdd985d9-c8hm4:/tmp/debug_167969928 LOCAL_DEBUG_BUNDLE_LOCATION [WARN] Information collected may contain secrets, please parse output and remove secrets.Copy the command from your own log output, the pod name and temp directory are unique to your run, and the command includes a
--namespaceflag when your release sets one. - 4
Copy the bundle off the pod
Run the
kubectl cpcommand from the log output, replacingLOCAL_DEBUG_BUNDLE_LOCATIONwith a path on your machine:Shellkubectl cp RELEASE_NAME-fossa-core-debug-bundle-85bdd985d9-c8hm4:/tmp/debug_167969928 ./fossa-debug-bundleThe contents of that folder are the debug bundle.
- 5
Redact and send the bundle
The bundle reproduces your cluster's state and may contain any secrets present in your Kubernetes manifests. Review and redact before sending. The most common places secrets appear:
File What to check values_sh.*.jsonPasswords in the saved Helm values manifest_sh.*.yamlPasswords in the rendered Kubernetes manifests config_maps.jsonPasswords in the ConfigMapdumpWarning
Depending on your cluster's configuration, secrets may appear elsewhere too. Treat the table above as a starting point, not a complete inventory.
Once you've redacted it, ZIP up the folder and attach it to your support email or ticket.