Linux Device Driver
build sysdig
參考資訊:
1. sysdig
2. sysdig-contributes-falco-kernel-ebpf-cncf
3. sysdig-for-linux-system-monitor-and-analysis
sysdig是透過kernel driver達到監控資源的方式,因此,在使用sysdig前,必須要編譯安裝sysdig的driver(scap.ko),步驟如下:
$ cd
$ git clone https://github.com/draios/sysdig
$ mkdir sysdig/build
$ cd sysdig/build
$ cmake ..
$ make -j4
$ sudo make install
$ sudo insmod ./driver/scap.ko
$ sudo sysdig
310936 05:47:50.298406593 1 xfce4-terminal (1830.1830) > poll fds=4:e1 5:u1 7:u1 11:u3 12:f3 14:f3 timeout=22
310937 05:47:50.298407722 1 xfce4-terminal (1830.1830) < poll res=2 fds=4:e1 14:f1
310939 05:47:50.298408271 1 xfce4-terminal (1830.1830) > read fd=4(<e>) size=16
310940 05:47:50.298408657 1 xfce4-terminal (1830.1830) < read res=8 data=........
310941 05:47:50.298409570 1 xfce4-terminal (1830.1830) > write fd=4(<e>) size=8
310942 05:47:50.298409873 1 xfce4-terminal (1830.1830) < write res=8 data=........
sysdig輸出的格式如下:
%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
可以透過過濾條件讓sysdig輸出感興趣的事件,如下:
$ sudo sysdig fd.name contains /etc
4253 05:52:43.260255982 2 ThreadPoolForeg (1945.27889) < openat fd=54(<f>/etc/hosts) dirfd=-100(AT_FDCWD) name=/etc/hosts flags=4097(O_RDONLY|O_CLOEXEC) mode=0 dev=801 ino=6032616
4254 05:52:43.260260595 2 ThreadPoolForeg (1945.27889) > lseek fd=54(<f>/etc/hosts) offset=0 whence=1
4255 05:52:43.260262271 2 ThreadPoolForeg (1945.27889) < lseek res=0
4256 05:52:43.260264389 2 ThreadPoolForeg (1945.27889) > fstat fd=54(<f>/etc/hosts)
4257 05:52:43.260265484 2 ThreadPoolForeg (1945.27889) < fstat res=0
4258 05:52:43.260267313 2 ThreadPoolForeg (1945.27889) > read fd=54(<f>/etc/hosts) size=4096
4259 05:52:43.260271951 2 ThreadPoolForeg (1945.27889) < read res=216 data=127.0.0.1.localhost debian.127.0.0.1 NAMENODE.silence.com NAMENODE..# The follow
4260 05:52:43.260281277 2 ThreadPoolForeg (1945.27889) > lseek fd=54(<f>/etc/hosts) offset=0 whence=1
4261 05:52:43.260281886 2 ThreadPoolForeg (1945.27889) < lseek res=216