eBPF
Sysdig now supports the ability to run the fully featured system event capture engine using eBPF as a backend technology as opposed to the traditional kernel module.
The runtime requirements are:
- Kernel version >= 4.14 (we might be able to relax this up to 4.12, but at the moment we don't think there's enough interest due to those kernels not being longterm, please get in touch if you feel otherwise)
- Kernel with eBPF support enabled, in particular `CONFIG_BPF=y`, `CONFIG_BPF_JIT=y` and `CONFIG_BPF_SYSCALL=y`
- Kernel headers must be installed and available (this might be again relaxed in the future)
- If not using the sysdig container, a recent working Clang + LLVM setup (recommended version is >= 7, but older versions might work as well)
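A pre-flight check for the requirements above, as an added example that is not part of the sysdig project. It assumes the kernel config lives at /boot/config-$(uname -r), that headers are found under /lib/modules/$(uname -r)/build, and that clang is on PATH; each check is a function so it can also be run against a config file or release string of your choice.

```shell
#!/bin/sh
# Added example (not sysdig's own code): check the eBPF runtime requirements
# from the wiki: kernel >= 4.14, CONFIG_BPF/BPF_JIT/BPF_SYSCALL=y, kernel
# headers present, BPF JIT enabled, clang >= 7 (recommended).

# Return 0 when a kernel release string such as "4.17.0-rc2+" is >= 4.14.
kernel_version_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]; }
}

# Return 0 when every required option is set to y in a kernel config file
# (the container reads the same file from /host/boot/config-<release>).
bpf_config_ok() {
    for opt in CONFIG_BPF CONFIG_BPF_JIT CONFIG_BPF_SYSCALL; do
        grep -qx "${opt}=y" "$1" || return 1
    done
    return 0
}

# Return 0 when the JIT sysctl file holds 1 (on) or 2 (on with debug);
# with --net=host the container can enable it itself.
bpf_jit_enabled() {
    val=$(cat "$1" 2>/dev/null || echo 0)
    [ "$val" = "1" ] || [ "$val" = "2" ]
}

# Return 0 when the clang major version is >= 7 (the recommended minimum).
clang_version_ok() {
    [ "${1%%.*}" -ge 7 ]
}

# Run every check against the live host (assumed paths, see lead-in).
preflight() {
    rel=$(uname -r)
    kernel_version_ok "$rel" && echo "kernel $rel: ok" || echo "kernel $rel: too old (< 4.14)"
    bpf_config_ok "/boot/config-$rel" && echo "bpf config: ok" || echo "bpf config: CONFIG_BPF*=y missing"
    [ -d "/lib/modules/$rel/build" ] && echo "headers: ok" || echo "headers: /lib/modules/$rel/build missing"
    bpf_jit_enabled /proc/sys/net/core/bpf_jit_enable && echo "bpf jit: on" || echo "bpf jit: off (use --net=host or set bpf_jit_enable=1)"
    cv=$(clang --version 2>/dev/null | sed -n 's/.*clang version \([0-9]*\).*/\1/p')
    clang_version_ok "${cv:-0}" && echo "clang $cv: ok" || echo "clang: missing or < 7"
}

preflight
```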
Running the sysdig container is by far the easiest and most recommended way to run sysdig with eBPF support. There is only a slight change in the command line:
docker run -it --name sysdig --privileged --net=host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e SYSDIG_BPF_PROBE="" sysdig/sysdig
The specific changes are:
- `-e SYSDIG_BPF_PROBE=""`: needed to instruct the docker entry point to bootstrap the eBPF probe instead of the standard dkms kernel module builder/loader
- `--net=host`: needed to enable eBPF JIT at runtime for performance reasons. Can be skipped if eBPF JIT is enabled from outside the container (e.g. via `/proc/sys/net/core/bpf_jit_enable`)
- `-v /etc:/host/etc:ro`: needed to correctly detect the kernel version for the eBPF probe on Google Container OS (COS). Can be skipped if not running on Google COS
The output should be similar to this:
gianluca@sid:~$ docker run -it --name sysdig --privileged --net=host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e SYSDIG_BPF_PROBE="" sysdig/sysdig:alpha
* Setting up /usr/src links from host
* Mounting debugfs
Found kernel config at /host/boot/config-4.17.0-rc2+
* Trying to compile BPF probe sysdig-probe-bpf (sysdig-probe-bpf-0.1.1dev-x86_64-4.17.0-rc2+-cbc1061ff198a7ea70b3c2d98f94ca76.o)
* BPF probe located, it's now possible to start sysdig
root@sid:/# sysdig
3 15:28:19.157661456 3 <NA> (0) > switch next=3253(cat) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
5 15:28:19.157699229 3 cat (3253) > write fd=1(<f>/dev/pts/8) size=73
7 15:28:19.157739756 3 cat (3253) > read fd=3(<f>/sys/kernel/debug/tracing/trace_pipe) size=131072
...
The overall workflow from here is still largely applicable. The main difference is that to compile BPF we need to explicitly enable the option in cmake. Also, it is important to have a recent working Clang + LLVM setup (recommended version is >= 7, but older versions might work as well). Once the dependencies are taken care of, sysdig can be compiled with:
mkdir build
cd build
cmake -DBUILD_BPF=ON ..
make
Among the various steps, this will also run a "bpf" step, shown below, which creates the probe.o eBPF probe object that is loaded into the kernel:
gianluca@sid:~/build$ make
[ 5%] Built target b64
[ 10%] Built target openssl
...
[100%] Built target bpf
...
gianluca@sid:~/build$ ls driver/bpf/probe.o
driver/bpf/probe.o
gianluca@sid:~/build$ file driver/bpf/probe.o
driver/bpf/probe.o: ELF 64-bit LSB relocatable, *unknown arch 0xf7* version 1 (SYSV), with debug_info, not stripped
gianluca@sid:~/build$
The probe.o can then be passed to the just-built sysdig using a combination of the `-B` and `--bpf` command line switches, or the environment variable `SYSDIG_BPF_PROBE`: