Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

📖 (doc): Add under the docs/draft how to profilling with pprof #1876

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

📖 (doc): Add under the docs/draft how to profilling with pprof #1876

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
297 changes: 297 additions & 0 deletions docs/draft/howto/profiling_with_pprof.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,297 @@
# Profiling with Pprof

!!! warning
Pprof bind port flag are available as an alpha release and are subject to change in future versions.

[Pprof][pprof] is a useful tool for analyzing memory and CPU usage profiles. However, it is not
recommended to enable it by default in production environments. While it is great for troubleshooting,
keeping it enabled can introduce performance concerns and potential information leaks.

Both components allow you to enable pprof by specifying the port it should bind to using the
`pprof-bind-address` flag. However, you must ensure that each component uses a unique port—using
the same port for multiple components is not allowed. Additionally, you need to export the corresponding
port in the service configuration for each component.

The following steps are examples to demonstrate the required changes to enable Pprof for Operator-Controller and CatalogD.

## Enabling Pprof for gathering the data

### For Operator-Controller

1. Run the following command to patch the Deployment and add the `--pprof-bind-address=:8082` flag:

```shell
kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=operator-controller-controller-manager -o jsonpath='{.items[0].metadata.name}') \
-n olmv1-system --type='json' -p='[
{
"op": "add",
"path": "/spec/template/spec/containers/0/args/-",
"value": "--pprof-bind-address=:8082"
}
]'
```

2. Once Pprof is enabled, you need to export port `8082` in the Service to make it accessible:

```shell
kubectl patch service operator-controller-service -n olmv1-system --type='json' -p='[
{
"op": "add",
"path": "/spec/ports/-",
"value": {
"name": "pprof",
"port": 8082,
"targetPort": 8082,
"protocol": "TCP"
}
}
]'
```

3. Create the Pod with `curl` to allow to generate the report:

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: curl-oper-con-pprof
namespace: olmv1-system
spec:
serviceAccountName: operator-controller-controller-manager
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: curl
image: curlimages/curl:latest
command:
- sh
- -c
- sleep 3600
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /tmp
name: tmp-volume
restartPolicy: Never
volumes:
- name: tmp-volume
emptyDir: {}
EOF
```

4. Run the following command to generate the token for authentication:

```shell
TOKEN=$(kubectl create token operator-controller-controller-manager -n olmv1-system)
echo $TOKEN
```

5. Run the following command to generate the report in the Pod:

```shell
kubectl exec -it curl-oper-con-pprof -n olmv1-system -- sh -c \
"curl -s -k -H \"Authorization: Bearer $TOKEN\" \
http://operator-controller-service.olmv1-system.svc.cluster.local:8082/debug/pprof/profile > /tmp/operator-controller-profile.pprof"
```

6. Now, we can verify that the report was successfully created:

```shell
kubectl exec -it curl-oper-con-pprof -n olmv1-system -- ls -lh /tmp/
```

7. Then, we can copy the result for your local environment:

```shell
kubectl cp olmv1-system/curl-oper-con-pprof:/tmp/operator-controller-profile.pprof ./operator-controller-profile.pprof
tar: removing leading '/' from member names
```

8. By last, we can use pprof to analyse the result:

```shell
go tool pprof -http=:8080 ./operator-controller-profile.pprof
```

### For the CatalogD

1. Run the following command to patch the Deployment and add the `--pprof-bind-address=:8083` flag:

```shell
kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=catalogd-controller-manager -o jsonpath='{.items[0].metadata.name}') \
-n olmv1-system --type='json' -p='[
{
"op": "add",
"path": "/spec/template/spec/containers/0/args/-",
"value": "--pprof-bind-address=:8083"
}
]'
```

2. Once Pprof is enabled, you need to export port `8083` in the `Service` to make it accessible:

```shell
kubectl patch service $(kubectl get service -n olmv1-system -l app.kubernetes.io/part-of=olm,app.kubernetes.io/name=catalogd -o jsonpath='{.items[0].metadata.name}') \
-n olmv1-system --type='json' -p='[
{
"op": "add",
"path": "/spec/ports/-",
"value": {
"name": "pprof",
"port": 8083,
"targetPort": 8083,
"protocol": "TCP"
}
}
]'
```

3. Create the Pod with `curl` to allow to generate the report:

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: curl-catalogd-pprof
namespace: olmv1-system
spec:
serviceAccountName: catalogd-controller-manager
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: curl
image: curlimages/curl:latest
command:
- sh
- -c
- sleep 3600
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /tmp
name: tmp-volume
restartPolicy: Never
volumes:
- name: tmp-volume
emptyDir: {}
EOF
```

4. Run the following command to generate the token for authentication:

```shell
TOKEN=$(kubectl create token catalogd-controller-manager -n olmv1-system)
echo $TOKEN
```

5. Run the following command to generate the report in the Pod:

```shell
kubectl exec -it curl-catalogd-pprof -n olmv1-system -- sh -c \
"curl -s -k -H \"Authorization: Bearer $TOKEN\" \
http://catalogd-service.olmv1-system.svc.cluster.local:8083/debug/pprof/profile > /tmp/catalogd-profile.pprof"
```

6. Now, we can verify that the report was successfully created:

```shell
kubectl exec -it curl-catalogd-pprof -n olmv1-system -- ls -lh /tmp/
```

7. Then, we can copy the result for your local environment:

```shell
kubectl cp olmv1-system/curl-catalogd-pprof:/tmp/catalogd-profile.pprof ./catalogd-profile.pprof
```

8. By last, we can use pprof to analyse the result:

```shell
go tool pprof -http=:8080 ./catalogd-profile.pprof
```

## Disabling pprof after gathering the data

### For Operator-Controller

1. Run the following command to bind to `--pprof-bind-address` the value `0` in order to disable the endpoint.

```shell
kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=operator-controller-controller-manager -o jsonpath='{.items[0].metadata.name}') \
-n olmv1-system --type='json' -p='[
{
"op": "replace",
"path": "/spec/template/spec/containers/0/args",
"value": ["--pprof-bind-address=0"]
}
]'
```

2. Try to generate the report as done previously. The connection should now be refused:

```shell
kubectl exec -it curl-pprof -n olmv1-system -- sh -c \
"curl -s -k -H \"Authorization: Bearer $TOKEN\" \
http://operator-controller-service.olmv1-system.svc.cluster.local:8082/debug/pprof/profile > /tmp/operator-controller-profile.pprof"
```

**NOTE:** if you wish you can delete the service port added to allow use pprof and
re-start the deployment `kubectl rollout restart deployment -n olmv1-system operator-controller-controller-manager`

3. We can remove the Pod created to generate the report:

```shell
kubectl delete pod curl-oper-con-pprof -n olmv1-system
```

### For CatalogD

1. Run the following command to bind to `--pprof-bind-address` the value `0` in order to disable the endpoint.
```shell
kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=catalogd-controller-manager -o jsonpath='{.items[0].metadata.name}') \
-n olmv1-system --type='json' -p='[
{
"op": "replace",
"path": "/spec/template/spec/containers/0/args",
"value": ["--pprof-bind-address=0"]
}
]'
```

2. To ensure we can try to generate the report as done above. Note that the connection
should be refused:

```shell
kubectl exec -it curl-pprof -n olmv1-system -- sh -c \
"curl -s -k -H \"Authorization: Bearer $TOKEN\" \
http://catalogd-service.olmv1-system.svc.cluster.local:8083/debug/pprof/profile > /tmp/catalogd-profile.pprof"
```

**NOTE:** if you wish you can delete the service port added to allow use pprof and
re-start the deployment `kubectl rollout restart deployment -n olmv1-system catalogd-controller-manager`

3. We can remove the Pod created to generate the report:

```shell
kubectl delete pod curl-catalogd-pprof -n olmv1-system
```

[pprof]: https://github.com/google/pprof/blob/main/doc/README.md
Loading