eldadru / ksniff

Kubectl plugin to ease sniffing on kubernetes pods using tcpdump and wireshark
Apache License 2.0

ksniff with GKE (cos) capture with privileged (-p) option: Nothing gets captured #183

Open GregoireW opened 3 months ago

GregoireW commented 3 months ago

When launching ksniff on a GKE cluster (1.28+) running COS nodes, with the '-p' option to create a privileged port to sniff an existing pod, I got no output as tcpdump fails:

```
+ export 'CONTAINERD_NAMESPACE=k8s.io'
+ export 'CONTAINER_RUNTIME_ENDPOINT=unix:///host/run/containerd/containerd.sock'
+ export 'IMAGE_SERVICE_ENDPOINT=unix:///host/run/containerd/containerd.sock'
+ crictl pull docker.io/maintained/tcpdump:latest
+ crictl inspect 123456789123456789123456789123456789123456789
+ jq '.info.runtimeSpec.linux.namespaces[] | select(.type == "network") | .path'
+ tr -d '"'
+ netns=/proc/12345678/ns/net
+ exec chroot /host ctr -a /run/containerd/containerd.sock run --rm --with-ns network:/proc/12345678/ns/net docker.io/maintained/tcpdump:latest ksniff-container-abcdef123456 tcpdump -i any -U -w -
time="2024-06-10T12:09:45Z" level=info msg="apply failure, attempting cleanup" error="failed to extract layer sha256:123456789123456789123456789123456789123456789123456789: failed to get reader from content store: content digest sha256:123456789123456789123456789123456789123456789123456789: not found" key="extract-123456789-aaaa sha256:123456789123456789123456789123456789123456789123456789"
ctr: failed to extract layer sha256:123456789123456789123456789123456789123456789123456789: failed to get reader from content store: content digest sha256:123456789123456789123456789123456789123456789123456789: not found
```

Basically, ctr does not find the tcpdump image. Modifying the code to use ctr to pull the image does the trick and fixes the issue.

maximumG commented 1 month ago

I confirm that we are running into the same issue as described by @GregoireW. Would be awesome if the PR #184 gets merged :smile:

tappoz commented 1 week ago

I am seeing the same logs in a GKE cluster. Is there any plan to address the issue or merge the PR? :pray: