Getting Confidential VM (CVM) instance logs for an Anjuna Confidential Pod
Anjuna Confidential Pods are deployed into Confidential VMs (CVMs) by the Anjuna Kubernetes Toolset. The CVM produces logs that can help debug issues that occur during deployment and throughout the Pod’s lifecycle, so you may need to inspect them.
The steps below explain how to find a CVM associated with a specific Anjuna Confidential Pod, and how to download the logs of that instance.
Identifying the CVM associated with a Pod
One of the components of the tools provided by the Anjuna K8s solution is the Anjuna Cloud Adaptor. This is installed on every relevant Node in the cluster. When an Anjuna Confidential Pod is deployed to a Node, this Anjuna Cloud Adaptor launches the required CVM.
The name of the CVM instance will be derived from the Pod’s name and namespace and will utilize the following pattern:
(anj-<md5sum of podNamespace/podName>[:6]-<sanitized namespace>-<sanitized podName>)[:62]0
The md5sum of the Pod’s namespace/name is necessary to create a unique identifier for each CVM in order to avoid potential resource name conflicts.
Sanitization of namespace and Pod name ensures that no special characters are part of the CVM name.
The character 0 will always be appended at the end.
A limit of 63 characters is usually imposed by the Cloud Service Providers.
For example, an Anjuna Confidential Pod named test in the default namespace would have its corresponding CVM named anj-1b5cb9-default-test0. The hash can be easily calculated in bash:
hash=$(echo -n "default/test" | md5sum | cut -c1-6)
echo "HASH: ${hash}"
The sections below explore your options to fetch the CVM logs.
Before moving on, make sure to first determine your CVM name with the following:
$ export PODNAME="<Your Pod name>"
$ export NAMESPACE="<Your Pod namespace>"
$ export MD5_HASH=$(echo -n "${NAMESPACE}/${PODNAME}" | md5sum | cut -c1-6)
$ SANITIZED_NAMESPACE=$(echo "$NAMESPACE" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9-]/-/g')
$ SANITIZED_PODNAME=$(echo "$PODNAME" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9-]/-/g')
$ export CVM_NAME="$(echo "anj-${MD5_HASH}-${SANITIZED_NAMESPACE}-${SANITIZED_PODNAME}" | cut -c1-62)0"
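When you start from an instance name seen in the cloud console or a log rather than from a Pod, the mapping has to be run in reverse. The following is an added example, not part of the Anjuna documentation or tooling: it recomputes the documented name for each candidate Pod and compares. The helper names (sanitize, cvm_name, pods_for_cvm, sample_pods) and the Pod list are constructed for illustration, and md5sum is assumed to be available.

```bash
#!/usr/bin/env bash
# Added example. cvm_name follows the naming pattern documented on this page;
# pods_for_cvm and the sample Pod list are hypothetical, constructed here.

# Lowercase and replace anything outside [a-z0-9-] with '-'.
sanitize() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9-]/-/g'
}

# Derive the CVM name for a namespace ($1) and Pod name ($2).
cvm_name() (
  hash=$(printf '%s' "$1/$2" | md5sum | cut -c1-6)   # hash of the raw names
  base="anj-${hash}-$(sanitize "$1")-$(sanitize "$2")"
  printf '%s0\n' "$(printf '%s\n' "$base" | cut -c1-62)"  # 62 chars + "0"
)

# Read "namespace/pod" lines on stdin; print those whose CVM name equals $1.
# Sanitization and truncation are lossy, so the name is recomputed per Pod
# and compared instead of being parsed back.
pods_for_cvm() (
  target=$1
  while IFS=/ read -r ns pod; do
    [ -n "$pod" ] || continue
    if [ "$(cvm_name "$ns" "$pod")" = "$target" ]; then
      printf '%s/%s\n' "$ns" "$pod"
    fi
  done
)

# Constructed inventory: two Pods that sanitize identically, one long name.
sample_pods() {
  cat <<'EOF'
default/test
team-a/api.v1
team-a/api-v1
payments/ledger-reconciliation-worker-with-a-very-long-generated-name-7f9c4d5b6
EOF
}

# Print the Pod -> CVM mapping, then resolve one CVM name back to its Pod.
sample_pods | while IFS=/ read -r ns pod; do
  printf '%-30.30s %s\n' "${ns}/${pod}" "$(cvm_name "$ns" "$pod")"
done
seen=$(cvm_name team-a api.v1)
printf '%s belongs to %s\n' "$seen" "$(sample_pods | pods_for_cvm "$seen")"
```

In a cluster, feed pods_for_cvm from `kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}'` instead of sample_pods.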
Getting the logs associated with the CVM
Logs can be fetched in different ways depending on the cloud provider.
- Azure Kubernetes Services (AKS)
- OpenShift on GCP
On Azure Kubernetes Services (AKS), if the CVM is still running, use anjuna-azure-cli to fetch the logs:
$ export RESOURCE_GROUP="<Azure resource group where the CVM is created>"
$ anjuna-azure-cli instance log \
--name "${CVM_NAME}" \
--resource-group ${RESOURCE_GROUP} > log.txt
If the CVM has been terminated (for example, if the Anjuna Confidential Pod was restarted/deleted), the logs are still available through an Azure Storage Container.
To fetch the logs, you must first identify the relevant storage container and blob. This can be done using the following:
export STORAGE_ACCOUNT="<Storage account used for logs>"
STORAGE_CONTAINER_NAME=$(az storage container list \
--account-name ${STORAGE_ACCOUNT} \
--query "[?contains(name, '${MD5_HASH}')].name" \
--output tsv --only-show-errors )
BLOB_NAME=$(az storage blob list --account-name ${STORAGE_ACCOUNT} \
--container ${STORAGE_CONTAINER_NAME} --prefix ${CVM_NAME:0:10} --query "[0].name" \
--only-show-errors --output tsv)
Then, with the blob name and storage container name, you can fetch the logs using the following command:
$ az storage blob download --account-name ${STORAGE_ACCOUNT} --container ${STORAGE_CONTAINER_NAME} \
--name ${BLOB_NAME} --file log.txt
The CVM logs will be available in the file log.txt.
On OpenShift on GCP, if the CVM is still running, use gcloud to fetch the logs:
$ gcloud compute instances get-serial-port-output \
"${CVM_NAME}" \
--zone ${ANJ_ZONE} \
--project ${ANJ_PROJ} \
--port=1 > log.txt
Now you can view the logs by running:
$ cat log.txt