table of contents
OC(1) | June 2016 | OC(1) |
NAME¶
oc debug - Launch a new instance of a pod for debugging
SYNOPSIS¶
oc debug [OPTIONS]
DESCRIPTION¶
Launch a command shell to debug a running application.
When debugging images and setup problems, it's useful to get an exact copy of a running pod configuration and troubleshoot with a shell. Since a pod that is failing may not be started and not accessible to 'rsh' or 'exec', the 'debug' command makes it easy to create a carbon copy of that setup.
The default mode is to start a shell inside of the first container of the referenced pod. The started pod will be a copy of your source pod, with labels stripped, the command changed to '/bin/sh' for Linux containers or 'cmd.exe' for Windows containers, and readiness and liveness checks disabled. If you just want to run a command, add '--' and a command to run. Passing a command will not create a TTY or send STDIN by default. Other flags are supported for altering the container or pod in common ways.
A common problem running containers is a security policy that prohibits you from running as a root user on the cluster. You can use this command to test running a pod as non-root (with --as-user) or to run a non-root pod as root (with --as-root).
You may invoke other types of objects besides pods - any controller resource that creates a pod (like a deployment, build, or job), objects that can host pods (like nodes), or resources that can be used to create pods (such as image stream tags), or simply pass '--image=IMAGE' to start a simple shell session in an image with a shell program
The debug pod is deleted when the remote command completes or the user interrupts the shell.
OPTIONS¶
--allow-missing-template-keys=true
If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
--as-root=false
If true, try to run the container as the root user
--as-user=-1
Try to run the container as a specific user UID (note: admins may limit your
ability to use this flag)
-c, --container=""
Container name; defaults to first container
--dry-run="none"
Must be "none", "server", or "client". If
client strategy, only print the object that would be sent, without sending
it. If server strategy, submit server-side request without persisting the
resource.
-f, --filename=[]
Filename, directory, or URL to files to read a template
--image=""
Override the image used by the targeted container.
--image-stream=""
Specify an image stream (namespace/name:tag) containing a debug image to
run.
--keep-annotations=false
If true, keep the original pod annotations
--keep-init-containers=true
Run the init containers for the pod. Defaults to true.
--keep-labels=false
If true, keep the original pod labels
--keep-liveness=false
If true, keep the original pod liveness probes
--keep-readiness=false
If true, keep the original pod readiness probes
--keep-startup=false
If true, keep the original startup probes
-k, --kustomize=""
Process the kustomization directory. This flag can't be used together with -f
or -R.
-I, --no-stdin=false
Bypasses passing STDIN to the container, defaults to true if no command
specified
-T, --no-tty=false
Disable pseudo-terminal allocation
--node-name=""
Set a specific node to run on - by default the pod will run on any valid
node
--one-container=false
If true, run only the selected container, remove all others
-o, --output=""
Output format. One of: (json, yaml, name, go-template, go-template-file,
template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
--preserve-pod=false
If true, the pod will not be deleted after the debug command exits.
-q, --quiet=false
No informational messages will be printed.
-R, --recursive=false
Process the directory used in -f, --filename recursively. Useful when you
want to manage related manifests organized within the same directory.
--show-labels=false
When printing, show all labels as the last column (default hide labels
column)
--show-managed-fields=false
If true, keep the managedFields when printing objects in JSON or YAML
format.
--template=""
Template string or path to template file to use when -o=go-template,
-o=go-template-file. The template format is golang templates [
⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
--to-namespace=""
Override the namespace to create the pod into (instead of using
--namespace).
-t, --tty=false
Force a pseudo-terminal to be allocated
OPTIONS INHERITED FROM PARENT COMMANDS¶
--as=""
Username to impersonate for the operation. User could be a regular user or a
service account in a namespace.
--as-group=[]
Group to impersonate for the operation, this flag can be repeated to specify
multiple groups.
--as-uid=""
UID to impersonate for the operation.
--cache-dir="/home/abuild/.kube/cache"
Default cache directory
--certificate-authority=""
Path to a cert file for the certificate authority
--client-certificate=""
Path to a client certificate file for TLS
--client-key=""
Path to a client key file for TLS
--cluster=""
The name of the kubeconfig cluster to use
--context=""
The name of the kubeconfig context to use
--disable-compression=false
If true, opt-out of response compression for all requests to the server
--insecure-skip-tls-verify=false
If true, the server's certificate will not be checked for validity. This will
make your HTTPS connections insecure
--kubeconfig=""
Path to the kubeconfig file to use for CLI requests.
--match-server-version=false
Require server version to match client version
-n, --namespace=""
If present, the namespace scope for this CLI request
--profile="none"
Name of profile to capture. One of
(none|cpu|heap|goroutine|threadcreate|block|mutex)
--profile-output="profile.pprof"
Name of the file to write the profile to
--request-timeout="0"
The length of time to wait before giving up on a single server request.
Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h).
A value of zero means don't timeout requests.
-s, --server=""
The address and port of the Kubernetes API server
--tls-server-name=""
Server name to use for server certificate validation. If it is not provided,
the hostname used to contact the server is used
--token=""
Bearer token for authentication to the API server
--user=""
The name of the kubeconfig user to use
--warnings-as-errors=false
Treat warnings received from the server as errors and exit with a non-zero
exit code
EXAMPLE¶
# Start a shell session into a pod using the OpenShift tools image
oc debug
# Debug a currently running deployment by creating a new pod
oc debug deploy/test
# Debug a node as an administrator
oc debug node/master-1
# Debug a Windows node
# Note: the chosen image must match the Windows Server version (2019, 2022) of the node
oc debug node/win-worker-1 --image=mcr.microsoft.com/powershell:lts-nanoserver-ltsc2022
# Launch a shell in a pod using the provided image stream tag
oc debug istag/mysql:latest -n openshift
# Test running a job as a non-root user
oc debug job/test --as-user=1000000
# Debug a specific failing container by running the env command in the 'second' container
oc debug daemonset/test -c second -- /bin/env
# See the pod that would be created to debug
oc debug mypod-9xbc -o yaml
# Debug a resource but launch the debug pod in another namespace
# Note: Not all resources can be debugged using --to-namespace without modification. For example,
# volumes and service accounts are namespace-dependent. Add '-o yaml' to output the debug pod definition
# to disk. If necessary, edit the definition then run 'oc debug -f -' or run without --to-namespace
oc debug mypod-9xbc --to-namespace testns
SEE ALSO¶
HISTORY¶
June 2016, Ported from the Kubernetes man-doc generator
Openshift CLI User Manuals | Openshift |