Grzegorz Nosek,
Garbage In, Garbage Out?
Garbage In, Garbage Out: syscalls in, syscalls out*
*may contain traces of signals and shared memory
Syscalls
ssize_t read(int fd, void *buf, size_t count);
ssize_t write(int fd, const void *buf, size_t count);
int open(const char *pathname, int flags, mode_t mode);
int close(int fd);
int stat(const char *path, struct stat *buf);
...

$ grep -c __NR_ /usr/include/asm/unistd_64.h
313

$ man 2 read
strace 
# strace cat /etc/hostname 
execve("/bin/cat", ["cat", "/etc/hostname"], ... 
brk(0) = 0x1675000 
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT 
mmap(NULL, 8192, PROT_READ|PROT_WRITE, ... 
access("/etc/ld.so.preload", R_OK) = -1 ENOENT 
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 
fstat(3, {st_mode=S_IFREG|0644, st_size=48577, ...}) = 0 
mmap(NULL, 48577, PROT_READ, MAP_PRIVATE, 3, 0) = ... 
close(3) = 0 
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT 
(...)
that’s cool, but… 
1 million syscalls, as fast as possible
worst case for any tracer
# dd if=/dev/zero of=/dev/null bs=1k count=1M 
1048576+0 records in 
1048576+0 records out 
1073741824 bytes (1.1 GB) copied, 0.332905 s, 3.2 GB/s 
# strace -o /dev/null !! 
1048576+0 records in 
1048576+0 records out 
1073741824 bytes (1.1 GB) copied, 18.2365 s, 58.9 MB/s 
50x overhead
@brendangregg’s 
http://www.slideshare.net/brendangregg/linux-performance-tools-2014
hello, sysdig
# sysdig | head -5
3 15:26:36.552482922 0 sysdig (7311) > switch next=329(systemd-udevd) pgft_maj=6 pgft_min=1432 vm_size=26740 vm_rss=3052 vm_swap=0
4 15:26:36.552502349 0 systemd-udevd (329) < read res=2352 data=# This file is part of systemd..#.# systemd is free software; you can redistri
5 15:26:36.552590722 0 systemd-udevd (329) > read fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules) size=4096
6 15:26:36.552593880 0 systemd-udevd (329) < read res=0 data=
7 15:26:36.552596220 0 systemd-udevd (329) > close fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules)

event number, timestamp:        3 15:26:36.552482922
CPU number, process name, pid:  0 sysdig (7311)
event direction, event type:    > switch   (> is the enter event of a syscall, < its exit event)
arbitrary event attributes:     next=329(systemd-udevd) pgft_maj=6 pgft_min=1432 vm_size=26740 vm_rss=3052 vm_swap=0
events
# sysdig -L
(...)
> open()
< open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode)
> close(FD fd)
< close(ERRNO res)
> read(FD fd, UINT32 size)
< read(ERRNO res, BYTEBUF data)
> write(FD fd, UINT32 size)
< write(ERRNO res, BYTEBUF data)
(...)
dd -> kernel
1073741824 bytes (1.1 GB) copied, 0.332905 s, 3.2 GB/s

dd -> kernel -> strace
1073741824 bytes (1.1 GB) copied, 18.2365 s, 58.9 MB/s

dd -> kernel -> ring buffer -> sysdig
1073741824 bytes (1.1 GB) copied, 1.30029 s, 826 MB/s
filters
fd.name        FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contains the connection tuple.
proc.apid      the pid of one of the process ancestors.
evt.latency    delta between an exit event and the correspondent enter event.
(...)

# sysdig -l | grep -Ec '^[a-z0-9_.]+'
88
filters
# sysdig fd.name contains shadow
2303 17:30:34.645573185 0 cat (24012) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0

# sysdig evt.res = EACCES or evt.res = EPERM
617 17:32:16.197820784 0 cat (24027) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
4333 17:32:26.239052264 0 killall (24028) < kill res=-1(EPERM)
back to that dd again…
# sysdig proc.name=not_dd > /dev/null & dd if=/dev/zero of=/dev/null bs=1k count=1M ; killall sysdig
[1] 24070
1048576+0 records in
1048576+0 records out
1073741824 bytes (1.1 GB) copied, 0.981408 s, 1.1 GB/s
output formatting
same as filters (mostly)
# sysdig -p '%user.name %proc.name %fd.name: %evt.res' evt.failed = true
ubuntu cat /etc/shadow: EACCES
ubuntu cat /usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo: ENOENT
ubuntu cat /usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo: ENOENT
ubuntu cat /usr/share/locale/en_US/LC_MESSAGES/libc.mo: ENOENT
bottleneck in a haystack
# sysdig -p '%evt.latency.s.%evt.latency.ns %evt.dir %evt.type %fd.name' fd.type contains ip and fd.sport != 22
(...)
0.000000000 >sendto 192.168.1.118:36220->46.28.247.84:80
0.000114365 <sendto 192.168.1.118:36220->46.28.247.84:80
0.000000000 >recvfrom 192.168.1.118:36220->46.28.247.84:80
0.000005090 <recvfrom 192.168.1.118:36220->46.28.247.84:80
0.000000000 >close 192.168.1.118:36220->46.28.247.84:80
0.000001587 <close 192.168.1.118:36220->46.28.247.84:80
sysdig -w -> .scap file -> sysdig -r (read it back as many times as you like)
shit’s on fire, yo: capture a trace file, restore service, analyze the trace at your leisure
lies, damn lies and benchmarks
sysdig -w -> .scap file -> sysdig -r (read it back as many times as you like)
do a single benchmark run, then analyze/postprocess it in lots of ways
chisels: higher level of awesome 
Lua 
sysdig -cl 
sysdig -i chisel_name 
sysdig -c chisel_name [args…]
chisel all the things!
# sysdig -cl | grep -c ^[a-z]
37
# find /usr/share/sysdig/chisels/ -name '*.lua' | wc -l
42
the extra ones are utilities to use in chisels (json, ANSI terminal, etc.)
chisels: performance
bottlenecks       Slowest system calls
fileslower        Trace slow file I/O
netlower          Trace slow network I/O
proc_exec_time    Show process execution time
scallslower       Trace slow syscalls
topscalls         Top system calls by number of calls
topscalls_time    Top system calls by time
yup, a typo ;)
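An added example, not code from the talk or from sysdig itself: a small Python parser for the default sysdig output line shown on the "hello, sysdig" slides (event number, timestamp, CPU, process, pid, direction, type, key=value attributes), which then reproduces three things the deck does with filters and chisels: evt.failed / evt.res (the /etc/shadow EACCES and killall EPERM lines), evt.latency (pairing each exit event with its enter event) and the topscalls_time chisel (total time per syscall). The capture in SAMPLE is constructed to match the slide format; the pid-based pairing is an assumption, since real sysdig pairs enter/exit per thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Default sysdig output line, as on the "hello, sysdig" slides:
#   evtnum timestamp cpu procname (pid) direction type [key=value ...]
LINE_RE = re.compile(
    r"^(?P<num>\d+) (?P<ts>\d{2}:\d{2}:\d{2}\.\d{9}) (?P<cpu>\d+) "
    r"(?P<proc>\S+) \((?P<pid>\d+)\) (?P<dir>[<>]) (?P<type>\w+)(?: (?P<args>.*))?$"
)
# key=value attributes; a value runs until the next " key=" or end of line
# (a data= payload containing its own "x=" would be split; good enough here)
ARG_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# A failed result is rendered as res=-1(EPERM) or, for open, fd=-13(EACCES)
ERR_RE = re.compile(r"^-\d+\((E[A-Z0-9]+)\)")

# Constructed sample capture in the slide format (not a real trace); the
# open/kill/sendto lines echo the slides' /etc/shadow, EPERM and latency examples.
SAMPLE = """\
100 17:30:34.645573185 0 cat (24012) > open
101 17:30:34.645590301 0 cat (24012) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
102 17:30:34.645600000 0 cat (24012) > close fd=1(<f>/dev/pts/0)
103 17:30:34.645601587 0 cat (24012) < close res=0
104 17:32:26.239000000 1 killall (24028) > kill pid=1 sig=9
105 17:32:26.239052264 1 killall (24028) < kill res=-1(EPERM)
106 17:40:00.000000000 0 curl (24100) > sendto fd=3(<4t>192.168.1.118:36220->46.28.247.84:80) size=77
107 17:40:00.000114365 0 curl (24100) < sendto res=77 data=GET / HTTP/1.1
108 17:40:00.000200000 0 curl (24100) > recvfrom fd=3(<4t>192.168.1.118:36220->46.28.247.84:80) size=16384
109 17:40:00.000205090 0 curl (24100) < recvfrom res=0 data=
"""

@dataclass
class Event:
    num: int
    ts_ns: int        # nanoseconds since midnight; the line carries no date
    cpu: int
    proc: str
    pid: int
    enter: bool       # '>' enter event, '<' exit event
    type: str
    args: dict = field(default_factory=dict)

def parse_ts(ts):
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000_000 + int(frac)

def parse_event(line):
    """One output line -> Event, or None for lines that are not events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = dict(ARG_RE.findall(m.group("args"))) if m.group("args") else {}
    return Event(int(m.group("num")), parse_ts(m.group("ts")), int(m.group("cpu")),
                 m.group("proc"), int(m.group("pid")), m.group("dir") == ">",
                 m.group("type"), args)

def parse_capture(text):
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]

def result_errno(ev):
    """evt.failed / evt.res: errno name of a failed exit event, else None."""
    for key in ("res", "fd"):
        m = ERR_RE.match(ev.args.get(key, ""))
        if m:
            return m.group(1)
    return None

def failed_events(events):
    """sysdig 'evt.failed = true': exit events whose result is an errno."""
    return [(ev, result_errno(ev)) for ev in events if not ev.enter and result_errno(ev)]

def pair_latencies(events):
    """evt.latency: pair each exit with the pending enter of the same pid and
    syscall (assumption: real sysdig pairs per thread, the slides only show the pid)."""
    pending, out = {}, []
    for ev in events:
        key = (ev.pid, ev.type)
        if ev.enter:
            pending[key] = ev
        elif key in pending:
            out.append((ev, ev.ts_ns - pending.pop(key).ts_ns))
    return out

def top_syscalls_by_time(events):
    """What the topscalls_time chisel reports: total time per syscall, slowest first."""
    totals = defaultdict(int)
    for ev, ns in pair_latencies(events):
        totals[ev.type] += ns
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    evs = parse_capture(SAMPLE)
    for ev, err in failed_events(evs):          # like -p '%proc.name %fd.name: %evt.res'
        print(f"{ev.proc} {ev.type} {ev.args.get('name', '')}: {err}")
    for name, ns in top_syscalls_by_time(evs):  # %evt.latency.s.%evt.latency.ns style
        print(f"{name:10s} {ns // 10**9}.{ns % 10**9:09d}")
```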
chisels: security
list_login_shells    List the login shell IDs
shellshock_detect    print shellshock attacks
spy_users            Display interactive user activity
power corrupts,
absolute power is even more fun
All right gentlemen,
we need some system info
lsof, ps, netstat
with time travel
http://draios.com/ps-lsof-netstat-time-travel/
gotcha!
version 0.1.91
do you feel lucky?
• some syscalls not yet implemented (no args)
• it did crash once (fixed immediately though)
• PID namespaces ignored
• root/privileged user only
• one sysdig process at a time
way better than strace though
Sysdig

More Related Content

What's hot

Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing ToolsSysdig
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoringVinay Krishna
 
Introducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerIntroducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerRamit Surana
 
Trace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsTrace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsSysdig
 
Find the Hacker
Find the HackerFind the Hacker
Find the HackerSysdig
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold
 
Testing Wi-Fi with OSS Tools
Testing Wi-Fi with OSS ToolsTesting Wi-Fi with OSS Tools
Testing Wi-Fi with OSS ToolsAll Things Open
 
Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Nicolas De Loof
 
Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Docker, Inc.
 
OpenStack Swift production deployments
OpenStack Swift production deploymentsOpenStack Swift production deployments
OpenStack Swift production deploymentsAtul Jha
 
Dockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmDockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmWei-Ting Kuo
 
Introduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneIntroduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneD
 
15 kubernetes failure points you should watch
15 kubernetes failure points you should watch15 kubernetes failure points you should watch
15 kubernetes failure points you should watchSysdig
 
Docker Networking – Running multi-host applications
Docker Networking – Running multi-host applicationsDocker Networking – Running multi-host applications
Docker Networking – Running multi-host applicationsChristina Rasimus
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker, Inc.
 
Docker: Behind the API
Docker: Behind the APIDocker: Behind the API
Docker: Behind the APIKarl Matthias
 
Container Runtimes and Tooling
Container Runtimes and ToolingContainer Runtimes and Tooling
Container Runtimes and ToolingKublr
 
Docker Swarm Introduction
Docker Swarm IntroductionDocker Swarm Introduction
Docker Swarm Introductionrajdeep
 

What's hot (20)

Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoring
 
Introducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerIntroducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by Docker
 
Trace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsTrace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdmins
 
Find the Hacker
Find the HackerFind the Hacker
Find the Hacker
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
 
Testing Wi-Fi with OSS Tools
Testing Wi-Fi with OSS ToolsTesting Wi-Fi with OSS Tools
Testing Wi-Fi with OSS Tools
 
Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Breaking the RpiDocker challenge
Breaking the RpiDocker challenge
 
Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?
 
Atomic CLI scan
Atomic CLI scanAtomic CLI scan
Atomic CLI scan
 
OpenStack Swift production deployments
OpenStack Swift production deploymentsOpenStack Swift production deployments
OpenStack Swift production deployments
 
Dockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmDockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarm
 
Introduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneIntroduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group Cologne
 
15 kubernetes failure points you should watch
15 kubernetes failure points you should watch15 kubernetes failure points you should watch
15 kubernetes failure points you should watch
 
Docker Networking – Running multi-host applications
Docker Networking – Running multi-host applicationsDocker Networking – Running multi-host applications
Docker Networking – Running multi-host applications
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0
 
Logging & Docker - Season 2
Logging & Docker - Season 2Logging & Docker - Season 2
Logging & Docker - Season 2
 
Docker: Behind the API
Docker: Behind the APIDocker: Behind the API
Docker: Behind the API
 
Container Runtimes and Tooling
Container Runtimes and ToolingContainer Runtimes and Tooling
Container Runtimes and Tooling
 
Docker Swarm Introduction
Docker Swarm IntroductionDocker Swarm Introduction
Docker Swarm Introduction
 

Similar to Sysdig

Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Michael Ducy
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source IntroMichael Ducy
 
InstructionsInstructions for numberguessernumberGuesser.html.docx
InstructionsInstructions for numberguessernumberGuesser.html.docxInstructionsInstructions for numberguessernumberGuesser.html.docx
InstructionsInstructions for numberguessernumberGuesser.html.docxdirkrplav
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Giovanni Bechis
 
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak   CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak PROIDEA
 
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...Mydbops
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing ToolsBrendan Gregg
 
Keynote 1 - Engineering Software Analytics Studies
Keynote 1 - Engineering Software Analytics StudiesKeynote 1 - Engineering Software Analytics Studies
Keynote 1 - Engineering Software Analytics StudiesESEM 2014
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesIO Visor Project
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...Anne Nicolas
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFBrendan Gregg
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFBrendan Gregg
 

Similar to Sysdig (20)

Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source Intro
 
InstructionsInstructions for numberguessernumberGuesser.html.docx
InstructionsInstructions for numberguessernumberGuesser.html.docxInstructionsInstructions for numberguessernumberGuesser.html.docx
InstructionsInstructions for numberguessernumberGuesser.html.docx
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
Linux audit framework
Linux audit frameworkLinux audit framework
Linux audit framework
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
 
Debug generic process
Debug generic processDebug generic process
Debug generic process
 
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak   CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
 
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
 
Keynote 1 - Engineering Software Analytics Studies
Keynote 1 - Engineering Software Analytics StudiesKeynote 1 - Engineering Software Analytics Studies
Keynote 1 - Engineering Software Analytics Studies
 
BPF Tools 2017
BPF Tools 2017BPF Tools 2017
BPF Tools 2017
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
System Calls
System CallsSystem Calls
System Calls
 
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPF
 
Sysprog 11
Sysprog 11Sysprog 11
Sysprog 11
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPF
 

More from gnosek

Jak działa Internet
Jak działa InternetJak działa Internet
Jak działa Internetgnosek
 
Docker rant
Docker rantDocker rant
Docker rantgnosek
 
Ansible PyWAW
Ansible PyWAWAnsible PyWAW
Ansible PyWAWgnosek
 
Warsztaty ansible
Warsztaty ansibleWarsztaty ansible
Warsztaty ansiblegnosek
 
Hostory
HostoryHostory
Hostorygnosek
 
pam_container -- jeszcze lżejsza wirtualizacja
pam_container -- jeszcze lżejsza wirtualizacjapam_container -- jeszcze lżejsza wirtualizacja
pam_container -- jeszcze lżejsza wirtualizacjagnosek
 
Ansible
AnsibleAnsible
Ansiblegnosek
 
LXC - kontener pingwinów
LXC - kontener pingwinówLXC - kontener pingwinów
LXC - kontener pingwinówgnosek
 

More from gnosek (8)

Jak działa Internet
Jak działa InternetJak działa Internet
Jak działa Internet
 
Docker rant
Docker rantDocker rant
Docker rant
 
Ansible PyWAW
Ansible PyWAWAnsible PyWAW
Ansible PyWAW
 
Warsztaty ansible
Warsztaty ansibleWarsztaty ansible
Warsztaty ansible
 
Hostory
HostoryHostory
Hostory
 
pam_container -- jeszcze lżejsza wirtualizacja
pam_container -- jeszcze lżejsza wirtualizacjapam_container -- jeszcze lżejsza wirtualizacja
pam_container -- jeszcze lżejsza wirtualizacja
 
Ansible
AnsibleAnsible
Ansible
 
LXC - kontener pingwinów
LXC - kontener pingwinówLXC - kontener pingwinów
LXC - kontener pingwinów
 

Recently uploaded

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Sysdig

  • 3. Garbage In, Garbage Out syscalls syscalls *may contain traces of signals and shared memory
  • 4. Syscalls ssize_t read(int fd, void *buf, size_t count); ssize_t write(int fd, const void *buf, size_t count); int open(const char *pathname, int flags, mode_t mode); int close(int fd); int stat(const char *path, struct stat *buf); ... ! $ grep -c __NR_ /usr/include/asm/unistd_64.h 313 ! $ man 2 read
  • 5. strace # strace cat /etc/hostname execve("/bin/cat", ["cat", "/etc/hostname"], ... brk(0) = 0x1675000 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT mmap(NULL, 8192, PROT_READ|PROT_WRITE, ... access("/etc/ld.so.preload", R_OK) = -1 ENOENT open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=48577, ...}) = 0 mmap(NULL, 48577, PROT_READ, MAP_PRIVATE, 3, 0) = ... close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (...)
  • 6. that’s cool, but… 1 million syscalls, as fast as possible: the worst case for any tracer.
    # dd if=/dev/zero of=/dev/null bs=1k count=1M
    1048576+0 records in
    1048576+0 records out
    1073741824 bytes (1.1 GB) copied, 0.332905 s, 3.2 GB/s
    # strace -o /dev/null !!
    1048576+0 records in
    1048576+0 records out
    1073741824 bytes (1.1 GB) copied, 18.2365 s, 58.9 MB/s
    (!! re-runs the previous dd under strace.) Roughly 55x overhead (18.24 s against 0.33 s), even with strace’s own output thrown away.
  • 10. hello, sysdig
    # sysdig | head -5
    3 15:26:36.552482922 0 sysdig (7311) > switch next=329(systemd-udevd) pgft_maj=6 pgft_min=1432 vm_size=26740 vm_rss=3052 vm_swap=0
    4 15:26:36.552502349 0 systemd-udevd (329) < read res=2352 data=# This file is part of systemd..#.# systemd is free software; you can redistri
    5 15:26:36.552590722 0 systemd-udevd (329) > read fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules) size=4096
    6 15:26:36.552593880 0 systemd-udevd (329) < read res=0 data=
    7 15:26:36.552596220 0 systemd-udevd (329) > close fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules)
  • 11–15. hello, sysdig (the same output, column by column): event number, timestamp; CPU number, process name, pid; event direction (> is the enter event, < is the exit event) and event type (the syscall); then the arbitrary event attributes, e.g. fd, size, res, data.
  • 16. events
    # sysdig -L
    (...)
    > open()
    < open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode)
    > close(FD fd)
    < close(ERRNO res)
    > read(FD fd, UINT32 size)
    < read(ERRNO res, BYTEBUF data)
    > write(FD fd, UINT32 size)
    < write(ERRNO res, BYTEBUF data)
    (...)
  • 17. dd -> kernel: 1073741824 bytes (1.1 GB) copied, 0.332905 s, 3.2 GB/s (no tracer)
  • 18. dd -> kernel -> strace: 1073741824 bytes (1.1 GB) copied, 18.2365 s, 58.9 MB/s (ptrace stops dd at every syscall entry and exit and wakes strace)
  • 19. dd -> kernel -> sysdig ring buffer: 1073741824 bytes (1.1 GB) copied, 1.30029 s, 826 MB/s (the driver copies each event into a ring buffer that the sysdig process drains; dd is never stopped, so about 4x overhead against strace’s ~55x)
  • 21. filters
    fd.name: FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contains the connection tuple.
    proc.apid: the pid of one of the process ancestors.
    evt.latency: delta between an exit event and the corresponding enter event.
    (...)
    # sysdig -l | grep -Ec '^[a-z0-9_.]+'
    88
  • 22. filters
    # sysdig fd.name contains shadow
    2303 17:30:34.645573185 0 cat (24012) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
    # sysdig evt.res = EACCES or evt.res = EPERM
    617 17:32:16.197820784 0 cat (24027) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
    4333 17:32:26.239052264 0 killall (24028) < kill res=-1(EPERM)
  • 23. back to that dd again…
    # sysdig proc.name=not_dd > /dev/null & dd if=/dev/zero of=/dev/null bs=1k count=1M ; killall sysdig
    [1] 24070
    1048576+0 records in
    1048576+0 records out
    1073741824 bytes (1.1 GB) copied, 0.981408 s, 1.1 GB/s
    With a filter that matches nothing (proc.name=not_dd) the overhead drops to about 3x the untraced run: every event is still captured, but none has to be formatted and printed.
  • 24. output formatting: same fields as filters (mostly)
    # sysdig -p '%user.name %proc.name %fd.name: %evt.res' evt.failed = true
    ubuntu cat /etc/shadow: EACCES
    ubuntu cat /usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo: ENOENT
    ubuntu cat /usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo: ENOENT
    ubuntu cat /usr/share/locale/en_US/LC_MESSAGES/libc.mo: ENOENT
  • 25. bottleneck in a haystack
    # sysdig -p '%evt.latency.s.%evt.latency.ns %evt.dir %evt.type %fd.name' fd.type contains ip and fd.sport != 22
    (...)
    0.000000000 >sendto 192.168.1.118:36220->46.28.247.84:80
    0.000114365 <sendto 192.168.1.118:36220->46.28.247.84:80
    0.000000000 >recvfrom 192.168.1.118:36220->46.28.247.84:80
    0.000005090 <recvfrom 192.168.1.118:36220->46.28.247.84:80
    0.000000000 >close 192.168.1.118:36220->46.28.247.84:80
    0.000001587 <close 192.168.1.118:36220->46.28.247.84:80
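The filter and format-string output on slides 22, 24 and 25 is easiest to consume offline. The script below is an added example, not code from the talk or from the sysdig project: two small report functions that post-process sysdig -p output piped into them, one for the permission-failure view and one for the latency view. It assumes a "|" separator in the format string (fd.name can contain spaces) and runs here on constructed sample lines modelled on the slides' output; the www-data/php5-fpm line and the regex of sensitive paths are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): post-process sysdig "-p" output
# offline. Both functions read one event per line on stdin, in the shape
# produced by the format string quoted above each function. "|" is used as
# the separator because fd.name can contain spaces (file paths).

# Input:  sysdig -p '%user.name|%proc.name|%fd.name|%evt.res' evt.failed=true
# Output: user|proc|count for each (user, proc) pair that got EACCES/EPERM
#         on a path matching the regex $1 at least $2 times, busiest first.
failed_access_report() {
    sensitive="${1:-^/etc/(shadow|gshadow|sudoers)|^/root/|/[.]ssh/}"   # assumed list
    threshold="${2:-1}"
    awk -F'|' -v re="$sensitive" -v th="$threshold" '
        $4 ~ /^(EACCES|EPERM)$/ && $3 ~ re { n[$1 "|" $2]++ }
        END { for (k in n) if (n[k] >= th) print k "|" n[k] }
    ' | sort -t'|' -k3,3nr
}

# Input:  sysdig -p '%evt.latency.s.%evt.latency.ns|%evt.dir|%evt.type|%fd.name' ...
# Latency is only defined on exit events ("<"); enter events print 0.
# Output: the $1 slowest exit events as latency|type|fd.name.
slow_calls_report() {
    top="${1:-5}"
    awk -F'|' '$2 == "<" { print $1 "|" $3 "|" $4 }' | sort -t'|' -k1,1nr | head -n "$top"
}

# Constructed sample input modelled on slide 24. ubuntu/cat on /etc/shadow is
# from the slides; the www-data/php5-fpm line is hypothetical.
sample_failed_events() {
    cat <<'EOF'
ubuntu|cat|/etc/shadow|EACCES
ubuntu|cat|/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo|ENOENT
ubuntu|cat|/etc/shadow|EACCES
ubuntu|killall||EPERM
www-data|php5-fpm|/root/.ssh/id_rsa|EACCES
EOF
}

# Constructed sample input in the shape of slide 25's latency output.
sample_latency_events() {
    cat <<'EOF'
0.000000000|>|sendto|192.168.1.118:36220->46.28.247.84:80
0.000114365|<|sendto|192.168.1.118:36220->46.28.247.84:80
0.000000000|>|recvfrom|192.168.1.118:36220->46.28.247.84:80
0.000005090|<|recvfrom|192.168.1.118:36220->46.28.247.84:80
0.000000000|>|close|192.168.1.118:36220->46.28.247.84:80
0.000001587|<|close|192.168.1.118:36220->46.28.247.84:80
EOF
}

# "demo" runs on the samples; "failed"/"slow" read a live sysdig pipe, e.g.
#   sysdig -p '%user.name|%proc.name|%fd.name|%evt.res' evt.failed=true | sh report.sh failed
case "${1:-demo}" in
    demo)   sample_failed_events | failed_access_report
            sample_latency_events | slow_calls_report 3 ;;
    failed) shift; failed_access_report "$@" ;;
    slow)   shift; slow_calls_report "$@" ;;
esac
```

The first report turns slide 22's one-off filter into something you can threshold on per user and process; the second reproduces what the latency format string on slide 25 shows, but sorted, so the slowest calls surface first.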
  • 26. sysdig -w -> .scap file -> sysdig -r, sysdig -r, sysdig -r… "shit’s on fire, yo": capture a trace file, restore service, analyze the trace at your leisure
  • 27. lies, damn lies and benchmarks: sysdig -w -> .scap file -> sysdig -r (as often as you like): do a single benchmark run, then analyze/postprocess it lots of ways
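A scripted version of the capture-then-replay workflow on slides 26 and 27, added here as an example (not from the talk or the sysdig project). It assumes sysdig and coreutils timeout are on the box, that it runs as root, that sysdig closes the trace cleanly when timeout sends SIGTERM, and arbitrary choices for trace path, duration and snaplen; the chisels and filter fields are the ones the slides show.

```shell
#!/bin/sh
# Added example (not from the slides): bounded "capture now, analyze later"
# around sysdig -w / sysdig -r. Assumes sysdig is installed and this runs
# as root (version 0.1.91 requires that). Path, duration and snaplen below
# are arbitrary defaults.
set -eu

# capture_for SECONDS FILE: record every event system-wide for SECONDS
# seconds into FILE. timeout(1) ends the run with SIGTERM, on which sysdig
# stops and closes the trace (assumption: verify on your sysdig version;
# timeout exits 124 when the limit was hit, which is the expected outcome).
# -s caps the bytes saved per I/O buffer so the file stays small enough to
# copy off the box; raise it if you need full payloads for forensics. The
# hash is written beside the trace so its integrity can be checked later.
capture_for() {
    secs=$1; file=$2
    timeout "$secs" sysdig -s 256 -w "$file" || [ "$?" -eq 124 ]
    sha256sum "$file" > "$file.sha256"
}

# analyze FILE: several independent queries over the same trace. Nothing
# here touches the live system, so it can run on a workstation, repeatedly,
# with different filters, long after the incident.
analyze() {
    file=$1
    printf '== permission failures (user, process, path, result) ==\n'
    sysdig -r "$file" -p '%user.name %proc.name %fd.name %evt.res' \
        'evt.failed=true and (evt.res=EACCES or evt.res=EPERM)'
    printf '== slowest syscalls by total time ==\n'
    sysdig -r "$file" -c topscalls_time
    printf '== interactive user activity ==\n'
    sysdig -r "$file" -c spy_users
}

case "${1:-}" in
    capture) capture_for "${2:-30}" "${3:-/var/tmp/incident.scap}" ;;
    analyze) analyze "${2:-/var/tmp/incident.scap}" ;;
    *) printf 'usage: %s capture [seconds] [file] | analyze [file]\n' "$0" >&2 ;;
esac
```

Run `sh incident.sh capture 60 /var/tmp/fire.scap` while the box is on fire, copy the trace and its hash away, and run `sh incident.sh analyze /var/tmp/fire.scap` as many times as you need; each query in analyze is just another `sysdig -r` with a different filter or chisel, which is exactly the point of slide 27.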
  • 28. chisels: higher level of awesome. Written in Lua. sysdig -cl lists the available chisels, sysdig -i chisel_name shows one chisel’s description and arguments, sysdig -c chisel_name [args…] runs it
  • 29. chisel all the things!
    # sysdig -cl | grep -c ^[a-z]
    37
    # find /usr/share/sysdig/chisels/ -name '*.lua' | wc -l
    42
    the extra ones are utilities to use in chisels (json, ANSI terminal, etc.)
  • 30. chisels: performance bottlenecks (slowest system calls)
    fileslower: Trace slow file I/O
    netlower: Trace slow network I/O
    proc_exec_time: Show process execution time
    scallslower: Trace slow syscalls (yup, a typo ;))
    topscalls: Top system calls by number of calls
    topscalls_time: Top system calls by time
  • 31. chisels: security
    list_login_shells: List the login shell IDs
    shellshock_detect: print shellshock attacks
    spy_users: Display interactive user activity
    power corrupts, absolute power is even more fun
  • 32. All right gentlemen, we need some system info: lsof, ps, netstat… with time travel. http://draios.com/ps-lsof-netstat-time-travel/
  • 34. version 0.1.91: do you feel lucky?
    • some syscalls not yet implemented (no args)
    • it did crash once (fixed immediately though)
    • PID namespaces ignored
    • root/privileged user only
    • one sysdig process at a time
    way better than strace though