Drivers - Linux Device Driver (LDD) - How to use sysdig



References:
https://github.com/draios/sysdig
https://sysdig.com/blog/sysdig-contributes-falco-kernel-ebpf-cncf/
https://cizixs.com/2017/04/27/sysdig-for-linux-system-monitor-and-analysis/

sysdig monitors system activity through a kernel driver, so before you can use sysdig you must build and install its driver (scap.ko) and load it into the running kernel. The steps are as follows:

$ cd
$ git clone https://github.com/draios/sysdig
$ mkdir sysdig/build
$ cd sysdig/build
$ cmake ..
$ make -j4
$ sudo make install
$ sudo insmod ./driver/scap.ko
$ sudo sysdig
    310936 05:47:50.298406593 1 xfce4-terminal (1830.1830) > poll fds=4:e1 5:u1 7:u1 11:u3 12:f3 14:f3 timeout=22
    310937 05:47:50.298407722 1 xfce4-terminal (1830.1830) < poll res=2 fds=4:e1 14:f1
    310939 05:47:50.298408271 1 xfce4-terminal (1830.1830) > read fd=4(<e>) size=16
    310940 05:47:50.298408657 1 xfce4-terminal (1830.1830) < read res=8 data=........
    310941 05:47:50.298409570 1 xfce4-terminal (1830.1830) > write fd=4(<e>) size=8
    310942 05:47:50.298409873 1 xfce4-terminal (1830.1830) < write res=8 data=........

Each line of sysdig's output follows this format:

%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info

You can pass a filter expression so that sysdig only outputs the events you are interested in, for example every event whose file descriptor name contains /etc:

$ sudo sysdig fd.name contains /etc
    4253 05:52:43.260255982 2 ThreadPoolForeg (1945.27889) < openat fd=54(<f>/etc/hosts) dirfd=-100(AT_FDCWD) name=/etc/hosts flags=4097(O_RDONLY|O_CLOEXEC) mode=0 dev=801 ino=6032616
    4254 05:52:43.260260595 2 ThreadPoolForeg (1945.27889) > lseek fd=54(<f>/etc/hosts) offset=0 whence=1
    4255 05:52:43.260262271 2 ThreadPoolForeg (1945.27889) < lseek res=0
    4256 05:52:43.260264389 2 ThreadPoolForeg (1945.27889) > fstat fd=54(<f>/etc/hosts)
    4257 05:52:43.260265484 2 ThreadPoolForeg (1945.27889) < fstat res=0
    4258 05:52:43.260267313 2 ThreadPoolForeg (1945.27889) > read fd=54(<f>/etc/hosts) size=4096
    4259 05:52:43.260271951 2 ThreadPoolForeg (1945.27889) < read res=216 data=127.0.0.1.localhost debian.127.0.0.1 NAMENODE.silence.com NAMENODE..# The follow
    4260 05:52:43.260281277 2 ThreadPoolForeg (1945.27889) > lseek fd=54(<f>/etc/hosts) offset=0 whence=1
    4261 05:52:43.260281886 2 ThreadPoolForeg (1945.27889) < lseek res=216
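As an added example (not code from the original post or from the sysdig project), the following Python script parses lines in the default output format shown above and reproduces the "fd.name contains /etc" filter in userspace, which is useful when all you have is a saved text capture rather than a live sysdig session. The sample lines are constructed from the captures above, and reading the parenthesised field as pid.tid is an assumption.

```python
import re
from typing import Optional

# Header of every line, in the default output format the post lists:
# %evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
# The parenthesised "a.b" is read here as pid.tid (an assumption about sysdig's rendering).
_HEADER = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<cpu>\d+)\s+"
    r"(?P<proc>\S+)\s+\((?P<pid>\d+)\.(?P<tid>\d+)\)\s+(?P<dir>[<>])\s+"
    r"(?P<type>\S+)(?:\s+(?P<info>.*))?$"
)
# "fd=N(<t>name)" inside %evt.info: t is the fd type letter (f=file, e=eventfd, ...),
# name may be empty as in "fd=4(<e>)". The \b keeps "dirfd=" and "fds=" from matching.
_FD = re.compile(r"\bfd=(?P<fd>-?\d+)\(<(?P<fdtype>\w)>(?P<name>[^)]*)\)")
# key=value pairs in %evt.info; values with spaces (e.g. data=...) are cut at the first space.
_KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Optional[dict]:
    """Parse one sysdig line into a dict; returns None for lines that are not events.
    ev["dir"] is ">" for syscall enter and "<" for syscall exit; ev["fd_name"] is None
    when the event carries no fd=N(<t>...) field."""
    m = _HEADER.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("num", "cpu", "pid", "tid"):
        ev[k] = int(ev[k])
    ev["info"] = ev["info"] or ""
    fd = _FD.search(ev["info"])
    ev["fd_name"] = fd.group("name") if fd else None
    ev["fields"] = dict(_KV.findall(ev["info"]))
    return ev

def fd_name_contains(lines, needle: str) -> list:
    """Userspace equivalent of the post's `sysdig fd.name contains /etc` filter."""
    events = (parse_line(l) for l in lines)
    return [e for e in events if e and e["fd_name"] and needle in e["fd_name"]]

# Constructed sample lines modelled on the captures shown in the post.
SAMPLE_LINES = [
    "310936 05:47:50.298406593 1 xfce4-terminal (1830.1830) > poll fds=4:e1 5:u1 timeout=22",
    "310939 05:47:50.298408271 1 xfce4-terminal (1830.1830) > read fd=4(<e>) size=16",
    "4253 05:52:43.260255982 2 ThreadPoolForeg (1945.27889) < openat fd=54(<f>/etc/hosts) "
    "dirfd=-100(AT_FDCWD) name=/etc/hosts flags=4097(O_RDONLY|O_CLOEXEC) mode=0 dev=801 ino=6032616",
    "4258 05:52:43.260267313 2 ThreadPoolForeg (1945.27889) > read fd=54(<f>/etc/hosts) size=4096",
    "not a sysdig event line",
]
```

Running fd_name_contains(SAMPLE_LINES, "/etc") returns only the openat and read events on /etc/hosts; the eventfd read (empty fd name) and the poll event (no fd= field) are dropped, matching what the kernel-side filter shows.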