Merge pull request #20 from Conjur-Enterprise/cnjr-8736-ruby-thread-dumps

CNJR-8736: Container process list and Ruby thread dumps in report

Author: Tomasz Wojcik

CHANGELOG.md

@@ -21,6 +21,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   inside a container to the inspect report. CNJR-11978
 - Etcd cluster members check that captures the current cluster members
   (as reported by `evoke cluster member list`) in the inspect report. CNJR-11979
+- Ruby thread dump check that captures thread dumps from Ruby processes running
+  in the container. CNJR-8736
+- Container processes check that records the process list from inside the
+  container to the inspect report. CNJR-4619
 
 ## [0.4.2] - 2025-03-25
 

pkg/check/check.go

@@ -35,6 +35,19 @@ type RunContext struct {
 
 	ContainerID string
 	Since       time.Duration
+
+	// ContainerRuntimeAvailability caches the availability status of container runtimes
+	// Maps provider names (e.g., "docker", "podman") to availability status and error
+	ContainerRuntimeAvailability map[string]RuntimeAvailability
+
+	// VerboseErrors controls whether to report errors for unavailable container runtimes
+	VerboseErrors bool
+}
+
+// RuntimeAvailability represents the availability status of a container runtime
+type RuntimeAvailability struct {
+	Available bool
+	Error     error // Error encountered when checking availability (e.g., executable not found)
 }
 
 // Result is the outcome of a particular check. A check may produce multiple

pkg/checks/conjur_config.go

@@ -34,6 +34,18 @@ func (cc *ConjurConfig) Run(runContext *check.RunContext) []check.Result {
 		return []check.Result{}
 	}
 
+	// Check if the container runtime is available
+	runtimeKey := strings.ToLower(cc.Provider.Name())
+	if !IsRuntimeAvailable(runContext, runtimeKey) {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				cc,
+				fmt.Errorf("container runtime not available"),
+			)
+		}
+		return []check.Result{}
+	}
+
 	container := cc.Provider.Container(runContext.ContainerID)
 
 	configPaths := []string{
@@ -74,10 +86,13 @@ func (cc *ConjurConfig) collectConfigFile(
 	)
 
 	if err != nil {
+		if !runContext.VerboseErrors {
+			return nil
+		}
 		return &check.Result{
-			Title:   cc.Describe(),
-			Status:  check.StatusError,
-			Value:   "N/A",
+			Title:  cc.Describe(),
+			Status: check.StatusError,
+			Value:  "N/A",
 			Message: fmt.Sprintf(
 				"failed to collect '%s' : %s (%s))",
 				path,

pkg/checks/conjur_config_permissions.go

@@ -31,6 +31,18 @@ func (ccp *ConjurConfigPermissions) Run(runContext *check.RunContext) []check.Re
 		return []check.Result{}
 	}
 
+	// Check if the container runtime is available
+	runtimeKey := strings.ToLower(ccp.Provider.Name())
+	if !IsRuntimeAvailable(runContext, runtimeKey) {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				ccp,
+				fmt.Errorf("container runtime not available"),
+			)
+		}
+		return []check.Result{}
+	}
+
 	container := ccp.Provider.Container(runContext.ContainerID)
 
 	results := []check.Result{}
@@ -53,9 +65,9 @@ func (ccp *ConjurConfigPermissions) collectConjurConfigPermissions(
 
 	if err != nil {
 		return &check.Result{
-			Title:   ccp.Describe(),
-			Status:  check.StatusError,
-			Value:   "N/A",
+			Title:  ccp.Describe(),
+			Status: check.StatusError,
+			Value:  "N/A",
 			Message: fmt.Sprintf(
 				"failed to collect Conjur config permissions: %s (%s))",
 				err,

pkg/checks/conjur_config_permissions_test.go

@@ -60,7 +60,7 @@ func TestConjurConfigPermissions_Run_ExecError(t *testing.T) {
 	provider := &test.ContainerProvider{
 		ExecResponses: map[string]test.ExecResponse{
 			"ls -la /etc/conjur/config": {
-				Error: errors.New("file not found"),
+				Error:  errors.New("file not found"),
 				Stderr: strings.NewReader("permission denied"),
 			},
 		},
@@ -76,7 +76,6 @@ func TestConjurConfigPermissions_Run_ExecError(t *testing.T) {
 	assert.Contains(t, results[0].Message, "failed to collect")
 }
 
-
 func TestConjurConfigPermissions_Run_ReadAllError(t *testing.T) {
 	// Save original readAllFunc to restore after test
 	originalReadAllFunc := readAllFunc

pkg/checks/conjur_config_test.go

@@ -83,7 +83,7 @@ func TestConjurConfig_Run_FileReadError(t *testing.T) {
 	provider := &test.ContainerProvider{
 		ExecResponses: map[string]test.ExecResponse{
 			"cat /etc/conjur/config/conjur.yml": {
-				Error: errors.New("file not found"),
+				Error:  errors.New("file not found"),
 				Stderr: strings.NewReader("permission denied"),
 			},
 		},
@@ -92,13 +92,34 @@ func TestConjurConfig_Run_FileReadError(t *testing.T) {
 	cc := &ConjurConfig{Provider: provider}
 
 	runContext := test.NewRunContext("test-container")
+	runContext.VerboseErrors = true
 	results := cc.Run(&runContext)
 
 	assert.NotEmpty(t, results)
 	assert.Equal(t, check.StatusError, results[0].Status)
 	assert.Contains(t, results[0].Message, "failed to collect")
 }
 
+func TestConjurConfig_Run_FileReadErrorNoVerboseErrors(t *testing.T) {
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"cat /etc/conjur/config/conjur.yml": {
+				Error:  errors.New("file not found"),
+				Stderr: strings.NewReader("permission denied"),
+			},
+		},
+	}
+
+	cc := &ConjurConfig{Provider: provider}
+
+	runContext := test.NewRunContext("test-container")
+	runContext.VerboseErrors = false
+	results := cc.Run(&runContext)
+
+	// Expect no results when VerboseErrors is false
+	assert.Empty(t, results)
+}
+
 func TestConjurConfig_Run_ReadAllError(t *testing.T) {
 	// Save original readAllFunc to restore after test
 	originalReadAllFunc := readAllFunc

pkg/checks/conjur_health.go

@@ -39,6 +39,18 @@ func (ch *ConjurHealth) Run(runContext *check.RunContext) []check.Result {
 		return []check.Result{}
 	}
 
+	// Check if the container runtime is available
+	runtimeKey := strings.ToLower(ch.Provider.Name())
+	if !IsRuntimeAvailable(runContext, runtimeKey) {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				ch,
+				fmt.Errorf("container runtime not available"),
+			)
+		}
+		return []check.Result{}
+	}
+
 	container := ch.Provider.Container(runContext.ContainerID)
 	stdout, stderr, err := container.Exec(
 		"curl", "-k", "https://localhost/health",

pkg/checks/conjur_health_test.go

@@ -99,7 +99,7 @@ func TestConjurHealthRun_ExecError(t *testing.T) {
 		ExecResponses: map[string]test.ExecResponse{
 			"curl -k https://localhost/health": test.ExecResponse{
 				Stderr: strings.NewReader("test stderr"),
-				Error: errors.New("test error"),
+				Error:  errors.New("test error"),
 			},
 		},
 	}

pkg/checks/conjur_info.go

@@ -39,6 +39,18 @@ func (ci *ConjurInfo) Run(runContext *check.RunContext) []check.Result {
 		return []check.Result{}
 	}
 
+	// Check if the container runtime is available
+	runtimeKey := strings.ToLower(ci.Provider.Name())
+	if !IsRuntimeAvailable(runContext, runtimeKey) {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				ci,
+				fmt.Errorf("container runtime not available"),
+			)
+		}
+		return []check.Result{}
+	}
+
 	container := ci.Provider.Container(runContext.ContainerID)
 
 	stdout, stderr, err := container.Exec(

pkg/checks/container_availability.go

@@ -0,0 +1,109 @@
+package checks
+
+import (
+	"fmt"
+	"os/exec"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/log"
+)
+
+// ContainerAvailability checks for the availability of container runtimes
+// (Docker and Podman) and caches the results in the RunContext to prevent
+// duplicate error messages for unavailable runtimes.
+type ContainerAvailability struct{}
+
+// Describe provides a textual description of what this check gathers info on
+func (ca *ContainerAvailability) Describe() string {
+	return "Container runtime availability"
+}
+
+// Run checks the availability of Docker and Podman runtimes
+func (ca *ContainerAvailability) Run(runContext *check.RunContext) []check.Result {
+	// If not already initialized, this shouldn't happen but be safe
+	if runContext.ContainerRuntimeAvailability == nil {
+		runContext.ContainerRuntimeAvailability = make(map[string]check.RuntimeAvailability)
+	}
+
+	// Check Docker availability
+	dockerAvailability := ca.checkRuntimeAvailability("docker")
+	runContext.ContainerRuntimeAvailability["docker"] = dockerAvailability
+
+	// Check Podman availability
+	podmanAvailability := ca.checkRuntimeAvailability("podman")
+	runContext.ContainerRuntimeAvailability["podman"] = podmanAvailability
+
+	results := []check.Result{}
+
+	// Log availability for debugging
+	if dockerAvailability.Available {
+		log.Debug("Docker runtime is available")
+	} else {
+		log.Debug("Docker runtime is not available: %v", dockerAvailability.Error)
+	}
+
+	if podmanAvailability.Available {
+		log.Debug("Podman runtime is available")
+	} else {
+		log.Debug("Podman runtime is not available: %v", podmanAvailability.Error)
+	}
+
+	// Only return results in verbose mode or if no runtimes are available
+	if runContext.VerboseErrors {
+		if !dockerAvailability.Available {
+			results = append(results, check.Result{
+				Title:   "Docker availability",
+				Status:  check.StatusWarn,
+				Value:   "N/A",
+				Message: fmt.Sprintf("Docker is not available: %v", dockerAvailability.Error),
+			})
+		}
+
+		if !podmanAvailability.Available {
+			results = append(results, check.Result{
+				Title:   "Podman availability",
+				Status:  check.StatusWarn,
+				Value:   "N/A",
+				Message: fmt.Sprintf("Podman is not available: %v", podmanAvailability.Error),
+			})
+		}
+	} else if !dockerAvailability.Available && !podmanAvailability.Available {
+		// Warn if no container runtimes are available
+		results = append(results, check.Result{
+			Title:   "Container runtimes",
+			Status:  check.StatusWarn,
+			Value:   "N/A",
+			Message: "No container runtimes (Docker or Podman) are available. Container-related checks will be skipped.",
+		})
+	}
+
+	return results
+}
+
+// checkRuntimeAvailability checks if a runtime executable is available
+func (ca *ContainerAvailability) checkRuntimeAvailability(runtimeName string) check.RuntimeAvailability {
+	_, err := exec.LookPath(runtimeName)
+	if err != nil {
+		return check.RuntimeAvailability{
+			Available: false,
+			Error:     err,
+		}
+	}
+	return check.RuntimeAvailability{
+		Available: true,
+		Error:     nil,
+	}
+}
+
+// IsRuntimeAvailable is a helper function to check if a runtime is available
+// from any check
+func IsRuntimeAvailable(runContext *check.RunContext, runtimeName string) bool {
+	if runContext.ContainerRuntimeAvailability == nil {
+		return true // Assume available if cache not initialized
+	}
+	availability, exists := runContext.ContainerRuntimeAvailability[runtimeName]
+	if !exists {
+		return true // Assume available if not cached
+	}
+	return availability.Available
+}