Add a --debug flag to the CLI to help retrieve more logs.

[almet]

While adding Github Issue Templates on this repository (#939) we found that the commands we require the user to enter in their terminals can be quite complex. Some of them might require some bash-fu, for instance to define the location of the custom seccomp profile we are using, as it differs depending the OS.

This is a proposal to add a --debug flag to the dangerzone-cli to simplify the process of generating proper logs.

When the flag is set:

• The RUNSC_DEBUG=1 environment variable is added to the outer container ;
• the stderr from the outer container is attached to the exception, and displayed to the user on failures.

Info: tests are currently failing and I didn't put too much effort in making them pass, as this is here mainly to see if it could make sense to add this in the first place.

[apyrgio]

That's a nice step towards getting debug logs from users without asking them to run weird Docker/Podman commands. I've commented on a few things that we can improve, but overall I like where this is going.

[apyrgio]

Hm, this may be an overly verbose string representation of the exception. Still, I think I get why you opted to go down that road. We have a bug in the way we handle container logs on error. Basically, we don't print them to the user, even if sys.dangerzone_dev == True.

I've fixed this in #748, but it's tied to having a single container, so I can't easily cherry-pick it. Let's discuss how we can proceed here.

[almet]

Cool! I believe one simple way to handle this is to wait until #748 is merged, and then rebase this branch on top of it.

[apyrgio]

I think that container errors are now reported on the main branch. Give it a look and let me know if not.

[almet]

This PR will need some revisit at some point, as the main point is to add RUNSC_DEBUG=1 info to the output, making it possible to run by end users without having to do a lot of copy/paste.

When I tried to rebase this on top of the latest main, it seemed that the run was now blocked, and I didn't investigated further yet.

[almet]

This seems correlated to #442.

[apyrgio]

We had a discussion with Alexis. He mentioned that adding the --debug flag makes the Dangezone CLI hang. The reason behind this bug is the fact that we read from stderr only after the conversion is done. However, with RUNSC_DEBUG=1, gVisor logs to stderr early, and thus the container hangs, because we don't read from the pipe.

[almet]

I've rebased this branch on top of the latest main (actually replayed the changes manually) and it shows that it hangs.