Sysdig OSSをGKE Cos(Container Optimized OS) で実行する

Posted at 2021-10-06

Motivation

I want to capture system calls with Sysdig on GKE for an investigation.
(Sysdig OSS is an open-source tool that captures system calls and filters them for troubleshooting and similar tasks.)

Problem

Installing Sysdig produces the following error.

fedra / # docker run -it --name sysdig --privileged --net=host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro  sysdig/sysdig
* Setting up /usr/src links from host
* Unloading sysdig-probe, if present
* Running dkms install for sysdig
Error! echo
Your kernel headers for kernel 5.4.120+ cannot be found at
/lib/modules/5.4.120+/build or /lib/modules/5.4.120+/source.
* Running dkms build failed, couldn't find /var/lib/dkms/sysdig/0.27.1/build/make.log
* Trying to load a system sysdig-probe, if present
* Trying to find precompiled sysdig-probe for 5.4.120+
Found kernel config at /proc/config.gz
* Trying to download precompiled module from https://download.sysdig.com/stable/sysdig-probe-binaries/sysdig-probe-0.27.1-x86_64-5.4.120%2B-c4b74c595cdb9cd3ad6f7660bec5729a.ko
curl: (22) The requested URL returned error: 404

This happens because the sysdig-probe kernel module cannot be installed: as the log shows, the kernel headers for 5.4.120+ are not under /lib/modules, so dkms cannot build the module, and no precompiled module is available for download.
Even so, I want to use Sysdig OSS on GKE.

Solution

If you select the eBPF probe by passing the environment variable -e SYSDIG_BPF_PROBE="", the container starts.

docker run -it --name sysdig --privileged --net=host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e SYSDIG_BPF_PROBE="" sysdig/sysdig
* Setting up /usr/src links from host
* Mounting debugfs
Found kernel config at /proc/config.gz
* COS detected (build 16108.470.1), using cos kernel headers...
* Downloading https://storage.googleapis.com/cos-tools/16108.470.1/kernel-headers.tgz
* Extracting kernel sources
* Configuring kernel
* Trying to compile BPF probe sysdig-probe-bpf (sysdig-probe-bpf-0.27.1-x86_64-5.4.120+-c4b74c595cdb9cd3ad6f7660bec5729a.o)
In file included from /usr/src/sysdig-0.27.1/bpf/probe.c:13:
In file included from ./include/linux/sched.h:14:
In file included from ./include/linux/pid.h:6:
In file included from ./include/linux/wait.h:9:
In file included from ./include/linux/spinlock.h:89:
In file included from ./arch/x86/include/asm/spinlock.h:27:
In file included from ./arch/x86/include/asm/qspinlock.h:110:
...

4 warnings generated.
* BPF probe located, it's now possible to start sysdig
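The following script is an added example, not part of the original article or of the sysdig project, that wraps the workaround above: it checks whether kernel headers exist for the running kernel (the check the dkms step fails on) and builds the matching docker run command line, adding SYSDIG_BPF_PROBE="" only when the headers are missing, as on COS. The function names, the dry-run behaviour and the MODULES_DIR/KERNEL_RELEASE parameters are assumptions of this example; the image name and mount list are taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): choose the sysdig probe
# mode for a host and print the docker run command that matches it.

# probe_mode MODULES_DIR KERNEL_RELEASE
# Prints "kmod" when kernel headers are present (dkms can build
# sysdig-probe) and "bpf" otherwise. On COS there are no headers under
# /lib/modules, so the eBPF probe is the only option there.
probe_mode() {
    modules_dir=$1
    kernel_release=$2
    if [ -d "$modules_dir/$kernel_release/build" ] || \
       [ -d "$modules_dir/$kernel_release/source" ]; then
        echo kmod
    else
        echo bpf
    fi
}

# sysdig_run_cmd MODE
# Prints (does not execute) the docker run command for the chosen mode.
# The volume mounts are the ones the article uses; they are read-only
# except /dev and the docker socket, which sysdig needs for container info.
sysdig_run_cmd() {
    mode=$1
    cmd="docker run -it --name sysdig --privileged --net=host"
    cmd="$cmd -v /var/run/docker.sock:/host/var/run/docker.sock"
    cmd="$cmd -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro"
    cmd="$cmd -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro"
    cmd="$cmd -v /etc:/host/etc:ro"
    if [ "$mode" = bpf ]; then
        # An empty value is enough, as the article's run shows: the loader
        # then compiles the BPF probe against the downloaded COS headers.
        cmd="$cmd -e SYSDIG_BPF_PROBE=\"\""
    fi
    echo "$cmd sysdig/sysdig"
}

# Stand-alone usage: inspect this host and print the command (dry run).
host_mode=$(probe_mode /lib/modules "$(uname -r)")
echo "probe mode for $(uname -r): $host_mode"
sysdig_run_cmd "$host_mode"
```

Pipe the printed command into sh once you have reviewed it; keeping the script a dry run avoids starting a privileged container by accident on a node where you only wanted to check the probe mode.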

Test

Try the sysdig command inside the container that came up.

root@gke-cluster-2-pool-1-2413fd52-3kr2:/# sysdig "proc.name=containerd-shim and evt.dir=< and evt.type=read"
^Croot@gke-cluster-2-pool-1-2413fd52-3kr2:/# sysdig "proc.name=containerd-shim and evt.type=read"

39397 08:56:16.479886942 0 containerd-shim (44905) > read fd=23 size=4096
39401 08:56:16.479899460 0 containerd-shim (44905) < read res=1 data=.
39408 08:56:16.479933193 0 containerd-shim (44905) > read fd=23 size=4096
39409 08:56:16.479934883 0 containerd-shim (44905) < read res=-11(EAGAIN) data
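As an added example that is not part of the original article, the function below reads sysdig's default output format (event number, time, CPU, process name, thread id, direction, event type, arguments) and summarises read events: how many enter (>) and exit (<) events were seen and how many exits returned an error such as EAGAIN. The sample input is the four lines captured above; the function name and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): summarise sysdig read
# events from its default line format.

# Constructed sample: the four lines captured in the article's test run.
SAMPLE_EVENTS='39397 08:56:16.479886942 0 containerd-shim (44905) > read fd=23 size=4096
39401 08:56:16.479899460 0 containerd-shim (44905) < read res=1 data=.
39408 08:56:16.479933193 0 containerd-shim (44905) > read fd=23 size=4096
39409 08:56:16.479934883 0 containerd-shim (44905) < read res=-11(EAGAIN) data'

# summarize_reads: reads sysdig lines on stdin and prints one line
#   enter=N exit=N errors=N
# Field 6 is evt.dir ("<" or ">"), field 7 is evt.type, and on exit lines
# field 8 is "res=<value>"; a negative value is an errno (e.g. -11 EAGAIN).
summarize_reads() {
    awk '$7 == "read" && $6 == ">" { enter++ }
         $7 == "read" && $6 == "<" { exits++; if ($8 ~ /^res=-/) errors++ }
         END { printf "enter=%d exit=%d errors=%d\n", enter, exits, errors }'
}

# Stand-alone usage over the constructed sample.
printf '%s\n' "$SAMPLE_EVENTS" | summarize_reads
```

For a live capture, replace the printf with `sysdig "proc.name=containerd-shim and evt.type=read" | summarize_reads`; a high error count relative to exits is a quick indicator that the process is spinning on non-blocking reads.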
