Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free
Fork me on GitHub

Teleport

Profiling

Teleport leverages Go's diagnostic capabilities to collect and export profiling data. Profiles can help identify the cause of spikes in CPU, the source of memory leaks, or the reason for a deadlock.

Using the Debug Service

The Teleport Debug Service enables administrators to collect diagnostic profiles without enabling pprof endpoints at startup. The service, enabled by default, ensures local-only access and must be consumed from inside the same instance.

teleport debug profile collects a list of pprof profiles. It outputs a compressed tarball (.tar.gz) to STDOUT. You decompress it using tar or direct the result to a file.

By default, it collects goroutine, heap and profile profiles.

Each profile collected will have a correspondent file inside the tarball. For example, collecting goroutine,trace,heap will result in goroutine.pprof, trace.pprof, and heap.pprof files.

Collect default profiles and save to a file.

teleport debug profile > pprof.tar.gz
tar xvf pprof.tar.gz

Collect default profiles and decompress it.

teleport debug profile | tar xzv -C ./

Collect "trace" and "mutex" profiles and save to a file.

teleport debug profile trace,mutex > pprof.tar.gz

Collect profiles setting the profiling time in seconds

teleport debug profile -s 20 trace > pprof.tar.gz
Specify your Teleport configuration path

If your Teleport configuration is not placed on the default path (/etc/teleport.yaml), you must specify its location to the CLI command using the -c/--config flag.

If you're running Teleport on a Kubernetes cluster you can directly collect profiles to a local directory without an interactive session:

kubectl -n teleport exec my-pod -- teleport debug profile > pprof.tar.gz

After extracting the contents, you can use go tool commands to explore and visualize them:

Opens the terminal interactive explorer

go tool pprof heap.pprof

Opens the web visualizer

go tool pprof -http : heap.pprof

Visualize trace profiles

go tool trace trace.pprof

Using diagnostics endpoints

The profiling endpoint is only enabled if the --debug flag is supplied.

Teleport's diagnostic HTTP endpoints are disabled by default. You can enable them via:

Start a teleport instance with the --diag-addr flag set to the local address where the diagnostic endpoint will listen:

sudo teleport start --debug --diag-addr=127.0.0.1:3000

Edit a teleport instance's configuration file (/etc/teleport.yaml by default) to include the following:

teleport:
    diag_addr: 127.0.0.1:3000

To enable debug logs:

log:
    severity: DEBUG

Verify that Teleport is now serving the diagnostics endpoint:

curl http://127.0.0.1:3000/healthz

Collecting profiles

Go's standard profiling endpoints are served at http://127.0.0.1:3000/debug/pprof/. Retrieving a profile requires sending a request to the endpoint corresponding to the desired profile type. When debugging an issue it is helpful to collect a series of profiles over a period of time.

CPU

CPU profile shows execution statistics gathered over a user specified period:

Download the profile into a file:

curl -o cpu.profile http://127.0.0.1:3000/debug/pprof/profile?seconds=30

Visualize the profile

go tool pprof -http : cpu.profile

Goroutine

Goroutine profiles show the stack traces for all running goroutines in the system:

Download the profile into a file:

curl -o goroutine.profile http://127.0.0.1:3000/debug/pprof/goroutine

Visualize the profile

go tool pprof -http : goroutine.profile

Heap

Heap profiles show allocated objects in the system:

Download the profile into a file:

curl -o heap.profile http://127.0.0.1:3000/debug/pprof/heap

Visualize the profile

go tool pprof -http : heap.profile

Trace

Trace profiles capture scheduling, system calls, garbage collections, heap size, and other events that are collected by the Go runtime over a user specified period of time:

Download the profile into a file:

curl -o trace.out http://127.0.0.1:3000/debug/pprof/trace?seconds=5

Visualize the profile

go tool trace trace.out

Further Reading