Getting CVM instance logs for an Anjuna Confidential Pod
When launching an Anjuna Confidential Pod, the confidential compute system launches a confidential Azure VM. This Confidential VM (CVM) produces logs that can help debug issues that occur during deployment and throughout the Pod’s lifecycle, so you may need to inspect them.
The steps below explain how to find a CVM associated with a specific Anjuna Confidential Pod, and how to download the logs of that instance.
Getting the CVM associated with a Pod
One of the tools provided by the Anjuna K8s solution is the Anjuna Cloud Adaptor, which is installed on every relevant Node in the cluster. When an Anjuna Confidential Pod is deployed to a Node, the Anjuna Cloud Adaptor on that Node launches the required CVM. To find the CVM, look through the Anjuna Cloud Adaptor’s logs.
First, identify the Anjuna Cloud Adaptor Pod associated with the Node on which the Pod in question was running.
Next, retrieve the name of the launched CVM from the Anjuna Cloud Adaptor Pod’s logs.
For example, run the following commands to get the latest CVM launched for a particular Pod:
$ export PODNAME="<Pod name>"
$ export NAMESPACE="<Pod namespace>"
$ export ADAPTOR_POD_NAME="<Adaptor pod name>"
$ export INSTANCE_NAME=$(kubectl logs ${ADAPTOR_POD_NAME} -n anjuna-system \
    | grep -E "${NAMESPACE}\/${PODNAME}] create a sandbox [0-9a-f]+" -A 10 \
    | grep -Po 'CreateInstance: name: "\K([^"]+)(?=")' \
    | tail -n 1)
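The same extraction as a function, added here as an example (it is not Anjuna's code): it matches the Pod name as a literal string, since a "." in the Pod name acts as a wildcard in the grep -E pattern, stops reading at another Pod's "create a sandbox" line, and returns a non-zero status when no CVM name is found. The function name and the sample log lines are constructed from the patterns in the commands above; the real Adaptor log format may differ.

```bash
#!/bin/bash
# Added example, not Anjuna code. Reads Anjuna Cloud Adaptor log text on stdin
# and prints the name of the latest CVM launched for one Pod.
# Live use (same variables as the commands above):
#   kubectl logs "${ADAPTOR_POD_NAME}" -n anjuna-system \
#     | cvm_name_from_adaptor_log "${NAMESPACE}" "${PODNAME}"

cvm_name_from_adaptor_log() {
  # $1 = Pod namespace, $2 = Pod name (hypothetical helper, not an Anjuna tool)
  awk -v key="$1/$2] create a sandbox " '
    # A "create a sandbox" line opens an 11-line window (that line plus the
    # 10 after it, as with grep -A 10) only when it names the wanted Pod;
    # the same line for any other Pod closes the window.
    index($0, "] create a sandbox ") { left = (index($0, key) ? 11 : 0) }
    left > 0 {
      left--
      if (match($0, /CreateInstance: name: "[^"]+"/)) {
        # Drop the 23-character prefix and the closing quote.
        name = substr($0, RSTART + 23, RLENGTH - 24)
      }
    }
    # Like tail -n 1, keep the last name seen; fail if there was none.
    END { if (name == "") exit 1; print name }
  '
}

# Constructed sample lines, shaped after the grep patterns on this page;
# the real log format may differ.
SAMPLE_ADAPTOR_LOG='[default/web.1] create a sandbox 0a1b2c
CreateInstance: name: "cvm-constructed-aaaa1111"
[default/web.1] create a sandbox 3c4d5e
CreateInstance: name: "cvm-constructed-cccc3333"
[default/webX1] create a sandbox 9f8e7d
CreateInstance: name: "cvm-constructed-bbbb2222"'

if INSTANCE_NAME=$(printf '%s\n' "${SAMPLE_ADAPTOR_LOG}" \
    | cvm_name_from_adaptor_log default web.1); then
  echo "INSTANCE_NAME=${INSTANCE_NAME}"   # cvm-constructed-cccc3333
else
  echo "no CVM launch found for this Pod" >&2
fi
```

Checking the exit status before continuing keeps an empty INSTANCE_NAME from reaching the log download steps.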
Getting the logs associated with the CVM
If the CVM is still running, you can fetch the logs using anjuna-azure-cli:
$ export RESOURCE_GROUP="<Azure resource group where the CVM is created>"
$ anjuna-azure-cli instance log \
    --name ${INSTANCE_NAME} \
    --resource-group ${RESOURCE_GROUP} > log.txt
If the CVM has been terminated (for example, if the Anjuna Confidential Pod was restarted/deleted), the logs are still available through an Azure Storage Container.
To fetch the logs, you must first identify the relevant storage container and blob. This can be done using the following bash script:
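#!/bin/bash
# Source this script (or paste it into your shell) so that CONTAINER and
# BLOB_NAME stay set for the download command that follows.
export STORAGE_ACCOUNT="<Storage account used for logs>"
# Get list of potential log storage containers: names containing the first
# 9 characters of the instance name with the hyphens removed
CONTAINER_LIST=$(az storage container list \
    --account-name ${STORAGE_ACCOUNT} \
    --query "[].name" \
    --output tsv --only-show-errors \
    | grep $(echo ${INSTANCE_NAME} \
        | tr -d '-' \
        | head -c 9 \
    )\
)
# Stop at the first container that holds a blob whose name starts with the
# instance name
for CONTAINER in ${CONTAINER_LIST}; do
    BLOB_NAME=$(az storage blob list --account-name ${STORAGE_ACCOUNT} \
        --container ${CONTAINER} --prefix ${INSTANCE_NAME} --query "[0].name" \
        --only-show-errors --output tsv)
    if [[ -n ${BLOB_NAME} ]]; then
        break
    fi
done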
Then, with the blob name and storage container, you can fetch the logs using the following command:
$ az storage blob download --account-name ${STORAGE_ACCOUNT} --container ${CONTAINER} \
    --name ${BLOB_NAME} --file log.txt
Now you can view the logs by running:
$ cat log.txt