Grzegorz Nosek
Garbage In, Garbage Out?
Garbage In, Garbage Out: syscalls in, syscalls out*
*may contain traces of signals and shared memory
Syscalls
ssize_t read(int fd, void *buf, size_t count);
ssize_t write(int fd, const void *buf, size_t count);
int open(const char *pathname, int flags, mode_t mode);
int close(int fd);
int stat(const char *path, struct stat *buf);
...
$ grep -c __NR_ /usr/include/asm/unistd_64.h
313
$ man 2 read
strace 
# strace cat /etc/hostname 
execve("/bin/cat", ["cat", "/etc/hostname"], ... 
brk(0) = 0x1675000 
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT 
mmap(NULL, 8192, PROT_READ|PROT_WRITE, ... 
access("/etc/ld.so.preload", R_OK) = -1 ENOENT 
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 
fstat(3, {st_mode=S_IFREG|0644, st_size=48577, ...}) = 0 
mmap(NULL, 48577, PROT_READ, MAP_PRIVATE, 3, 0) = ... 
close(3) = 0 
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT 
(...)
that’s cool, but…
1 million syscalls, as fast as possible: worst case for any tracer
# dd if=/dev/zero of=/dev/null bs=1k count=1M
1048576+0 records in
1048576+0 records out
1073741824 bytes (1.1 GB) copied, 0.332905 s, 3.2 GB/s
# strace -o /dev/null !!
1048576+0 records in
1048576+0 records out
1073741824 bytes (1.1 GB) copied, 18.2365 s, 58.9 MB/s
50x overhead
@brendangregg’s 
http://www.slideshare.net/brendangregg/linux-performance-tools-2014
hello, sysdig
# sysdig | head -5
3 15:26:36.552482922 0 sysdig (7311) > switch next=329(systemd-udevd) pgft_maj=6 pgft_min=1432 vm_size=26740 vm_rss=3052 vm_swap=0
4 15:26:36.552502349 0 systemd-udevd (329) < read res=2352 data=# This file is part of systemd..#.# systemd is free software; you can redistri
5 15:26:36.552590722 0 systemd-udevd (329) > read fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules) size=4096
6 15:26:36.552593880 0 systemd-udevd (329) < read res=0 data=
7 15:26:36.552596220 0 systemd-udevd (329) > close fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules)
reading one line, left to right:
• event number, timestamp
• CPU number, process name, pid
• event direction (> enter event, < exit event), event type (the syscall)
• arbitrary event attributes
events
# sysdig -L
(...)
> open()
< open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode)
> close(FD fd)
< close(ERRNO res)
> read(FD fd, UINT32 size)
< read(ERRNO res, BYTEBUF data)
> write(FD fd, UINT32 size)
< write(ERRNO res, BYTEBUF data)
(...)
dd → kernel
1073741824 bytes (1.1 GB) copied, 0.332905 s, 3.2 GB/s
dd → kernel → strace
1073741824 bytes (1.1 GB) copied, 18.2365 s, 58.9 MB/s
dd → kernel → sysdig → ring buffer
1073741824 bytes (1.1 GB) copied, 1.30029 s, 826 MB/s
filters
fd.name       FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contains the connection tuple.
proc.apid     the pid of one of the process ancestors.
evt.latency   delta between an exit event and the corresponding enter event.
(...)
# sysdig -l | grep -Ec '^[a-z0-9_.]+'
88
filters
# sysdig fd.name contains shadow
2303 17:30:34.645573185 0 cat (24012) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
# sysdig evt.res = EACCES or evt.res = EPERM
617 17:32:16.197820784 0 cat (24027) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
4333 17:32:26.239052264 0 killall (24028) < kill res=-1(EPERM)
back to that dd again…
# sysdig proc.name=not_dd > /dev/null & dd if=/dev/zero of=/dev/null bs=1k count=1M ; killall sysdig
[1] 24070
1048576+0 records in
1048576+0 records out
1073741824 bytes (1.1 GB) copied, 0.981408 s, 1.1 GB/s
output formatting
same as filters (mostly)
# sysdig -p '%user.name %proc.name %fd.name: %evt.res' evt.failed = true
ubuntu cat /etc/shadow: EACCES
ubuntu cat /usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo: ENOENT
ubuntu cat /usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo: ENOENT
ubuntu cat /usr/share/locale/en_US/LC_MESSAGES/libc.mo: ENOENT
bottleneck in a haystack
# sysdig -p '%evt.latency.s.%evt.latency.ns %evt.dir %evt.type %fd.name' fd.type contains ip and fd.sport != 22
(...)
0.000000000 >sendto 192.168.1.118:36220->46.28.247.84:80
0.000114365 <sendto 192.168.1.118:36220->46.28.247.84:80
0.000000000 >recvfrom 192.168.1.118:36220->46.28.247.84:80
0.000005090 <recvfrom 192.168.1.118:36220->46.28.247.84:80
0.000000000 >close 192.168.1.118:36220->46.28.247.84:80
0.000001587 <close 192.168.1.118:36220->46.28.247.84:80
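The per-field breakdown of the default output, the evt.latency definition and the EACCES/EPERM filter, worked as an added example that is not part of the talk: a parser for sysdig's default text format that pairs enter/exit events per thread to derive latency and flags failed calls. The sample lines are constructed from the slides (enter events and the kill args are assumed), not captured from a real host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in sysdig's default output format (values made up, kill enter args assumed):
#   %evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args
SAMPLE = """\
4 15:26:36.552502349 0 systemd-udevd (329) < read res=2352 data=# This file is part of systemd.
5 15:26:36.552590722 0 systemd-udevd (329) > read fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules) size=4096
6 15:26:36.552593880 0 systemd-udevd (329) < read res=0 data=
2302 17:30:34.645561185 0 cat (24012) > open
2303 17:30:34.645573185 0 cat (24012) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
4332 17:32:26.239040264 1 killall (24028) > kill pid=1 sig=15
4333 17:32:26.239052264 1 killall (24028) < kill res=-1(EPERM)
"""

LINE_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\d\d:\d\d:\d\d\.\d{9}) (?P<cpu>\d+) "
    r"(?P<proc>\S+) \((?P<tid>\d+)\) (?P<dir>[<>]) (?P<type>\w+)(?: (?P<args>.*))?$"
)
ARG_KEY_RE = re.compile(r"(?:^| )(\w+)=")        # start of a 'key=' token
ERRNO_RE = re.compile(r"^-\d+\((E[A-Z0-9]+)\)")   # e.g. '-13(EACCES)'
FD_NAME_RE = re.compile(r"^-?\d+\(<\w+>(.*)\)$")  # e.g. '12(<f>/etc/hosts)'

@dataclass
class Event:
    num: int
    ts_ns: int
    cpu: int
    proc: str
    tid: int
    direction: str        # '>' enter event, '<' exit event
    etype: str            # event type (the syscall name)
    args: Dict[str, str]  # arbitrary event attributes

@dataclass
class Call:
    proc: str
    tid: int
    etype: str
    latency_ns: Optional[int]   # None when the enter event was not captured
    errno: Optional[str]        # e.g. 'EACCES' when the call failed
    args: Dict[str, str]        # enter and exit args merged

def time_to_ns(text: str) -> int:
    """Convert %evt.time (HH:MM:SS.nnnnnnnnn) to nanoseconds since midnight."""
    hms, frac = text.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 10**9 + int(frac)

def parse_args(text: str) -> Dict[str, str]:
    """Split 'k=v k=v' where a value (e.g. data=) may itself contain spaces."""
    keys = list(ARG_KEY_RE.finditer(text))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        out[m.group(1)] = text[m.end():end]
    return out

def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Event(int(m["num"]), time_to_ns(m["time"]), int(m["cpu"]), m["proc"],
                 int(m["tid"]), m["dir"], m["type"], parse_args(m["args"] or ""))

def errno_of(exit_event: Event) -> Optional[str]:
    """A failed call prints its result as e.g. '-13(EACCES)' in res= (fd= for open)."""
    m = ERRNO_RE.match(exit_event.args.get("res", exit_event.args.get("fd", "")))
    return m.group(1) if m else None

def pair_events(events: List[Event]) -> List[Call]:
    """Match each exit ('<') with the pending enter ('>') of the same thread and
    event type; the timestamp delta is what evt.latency reports."""
    pending: Dict[tuple, Event] = {}
    calls: List[Call] = []
    for ev in events:
        key = (ev.tid, ev.etype)
        if ev.direction == ">":
            pending[key] = ev
            continue
        enter = pending.pop(key, None)
        args = dict(enter.args) if enter else {}
        args.update(ev.args)
        calls.append(Call(ev.proc, ev.tid, ev.etype,
                          ev.ts_ns - enter.ts_ns if enter else None, errno_of(ev), args))
    return calls

def fd_name(call: Call) -> str:
    """Approximate %fd.name: the path inside 'fd=12(<f>/path)', or open()'s name=."""
    m = FD_NAME_RE.match(call.args.get("fd", ""))
    return m.group(1) if m else call.args.get("name", "")

def failed_calls(calls: List[Call], errnos=("EACCES", "EPERM")) -> List[Call]:
    """Equivalent of the filter 'evt.res = EACCES or evt.res = EPERM'."""
    return [c for c in calls if c.errno in errnos]

def analyze(text: str) -> List[Call]:
    return pair_events([e for e in map(parse_line, text.splitlines()) if e])
```

Feeding it `sysdig` output saved with `-w` and replayed via `sysdig -r file.scap` gives the same EACCES/EPERM list as the filter on the slide, plus a latency per call for the ones whose enter event was captured.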
sysdig -w → .scap file → sysdig -r (read it back as many times as you like)
shit’s on fire, yo: capture trace file, restore service, analyze trace at your leisure
lies, damn lies and benchmarks
sysdig -w → .scap file → sysdig -r (read it back as many times as you like)
do a single benchmark run, analyze/postprocess lots of ways
chisels: higher level of awesome 
Lua 
sysdig -cl 
sysdig -i chisel_name 
sysdig -c chisel_name [args…]
chisel all the things!
# sysdig -cl | grep -c ^[a-z]
37
# find /usr/share/sysdig/chisels/ -name '*.lua' | wc -l
42
the extra ones are utilities to use in chisels (json, ANSI terminal, etc.)
chisels: performance
bottlenecks       Slowest system calls
fileslower        Trace slow file I/O
netlower          Trace slow network I/O
proc_exec_time    Show process execution time
scallslower       Trace slow syscalls
topscalls         Top system calls by number of calls
topscalls_time    Top system calls by time
yup, a typo ;)
chisels: security
list_login_shells   List the login shell IDs
shellshock_detect   print shellshock attacks
spy_users           Display interactive user activity
power corrupts, absolute power is even more fun
All right gentlemen, we need some system info
lsof, ps, netstat with time travel
http://draios.com/ps-lsof-netstat-time-travel/
gotcha!
version 0.1.91
do you feel lucky?
• some syscalls not yet implemented (no args)
• it did crash once (fixed immediately though)
• PID namespaces ignored
• root/privileged user only
• one sysdig process at a time
way better than strace though
Sysdig

More Related Content

What's hot

Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing ToolsSysdig
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoringVinay Krishna
 
Introducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerIntroducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerRamit Surana
 
Trace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsTrace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsSysdig
 
Find the Hacker
Find the HackerFind the Hacker
Find the HackerSysdig
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold
 
Testing Wi-Fi with OSS Tools
Testing Wi-Fi with OSS ToolsTesting Wi-Fi with OSS Tools
Testing Wi-Fi with OSS ToolsAll Things Open
 
Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Nicolas De Loof
 
Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Docker, Inc.
 
OpenStack Swift production deployments
OpenStack Swift production deploymentsOpenStack Swift production deployments
OpenStack Swift production deploymentsAtul Jha
 
Dockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmDockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmWei-Ting Kuo
 
Introduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneIntroduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneD
 
15 kubernetes failure points you should watch
15 kubernetes failure points you should watch15 kubernetes failure points you should watch
15 kubernetes failure points you should watchSysdig
 
Docker Networking – Running multi-host applications
Docker Networking – Running multi-host applicationsDocker Networking – Running multi-host applications
Docker Networking – Running multi-host applicationsChristina Rasimus
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker, Inc.
 
Docker: Behind the API
Docker: Behind the APIDocker: Behind the API
Docker: Behind the APIKarl Matthias
 
Container Runtimes and Tooling
Container Runtimes and ToolingContainer Runtimes and Tooling
Container Runtimes and ToolingKublr
 
Docker Swarm Introduction
Docker Swarm IntroductionDocker Swarm Introduction
Docker Swarm Introductionrajdeep
 

What's hot (20)

Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoring
 
Introducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by DockerIntroducing Docker Swarm - the orchestration tool by Docker
Introducing Docker Swarm - the orchestration tool by Docker
 
Trace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdminsTrace everything, when APM meets SysAdmins
Trace everything, when APM meets SysAdmins
 
Find the Hacker
Find the HackerFind the Hacker
Find the Hacker
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
 
Testing Wi-Fi with OSS Tools
Testing Wi-Fi with OSS ToolsTesting Wi-Fi with OSS Tools
Testing Wi-Fi with OSS Tools
 
Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Breaking the RpiDocker challenge
Breaking the RpiDocker challenge
 
Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?
 
Atomic CLI scan
Atomic CLI scanAtomic CLI scan
Atomic CLI scan
 
OpenStack Swift production deployments
OpenStack Swift production deploymentsOpenStack Swift production deployments
OpenStack Swift production deployments
 
Dockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmDockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarm
 
Introduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group CologneIntroduction to Docker & CoreOS - Symfony User Group Cologne
Introduction to Docker & CoreOS - Symfony User Group Cologne
 
15 kubernetes failure points you should watch
15 kubernetes failure points you should watch15 kubernetes failure points you should watch
15 kubernetes failure points you should watch
 
Docker Networking – Running multi-host applications
Docker Networking – Running multi-host applicationsDocker Networking – Running multi-host applications
Docker Networking – Running multi-host applications
 
Docker Swarm 0.2.0
Docker Swarm 0.2.0Docker Swarm 0.2.0
Docker Swarm 0.2.0
 
Logging & Docker - Season 2
Logging & Docker - Season 2Logging & Docker - Season 2
Logging & Docker - Season 2
 
Docker: Behind the API
Docker: Behind the APIDocker: Behind the API
Docker: Behind the API
 
Container Runtimes and Tooling
Container Runtimes and ToolingContainer Runtimes and Tooling
Container Runtimes and Tooling
 
Docker Swarm Introduction
Docker Swarm IntroductionDocker Swarm Introduction
Docker Swarm Introduction
 

Similar to Sysdig

Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Michael Ducy
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source IntroMichael Ducy
 
InstructionsInstructions for numberguessernumberGuesser.html.docx
InstructionsInstructions for numberguessernumberGuesser.html.docxInstructionsInstructions for numberguessernumberGuesser.html.docx
InstructionsInstructions for numberguessernumberGuesser.html.docxdirkrplav
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Giovanni Bechis
 
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak   CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak PROIDEA
 
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...Mydbops
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing ToolsBrendan Gregg
 
Keynote 1 - Engineering Software Analytics Studies
Keynote 1 - Engineering Software Analytics StudiesKeynote 1 - Engineering Software Analytics Studies
Keynote 1 - Engineering Software Analytics StudiesESEM 2014
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesIO Visor Project
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...Anne Nicolas
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFBrendan Gregg
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFBrendan Gregg
 

Similar to Sysdig (20)

Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source Intro
 
InstructionsInstructions for numberguessernumberGuesser.html.docx
InstructionsInstructions for numberguessernumberGuesser.html.docxInstructionsInstructions for numberguessernumberGuesser.html.docx
InstructionsInstructions for numberguessernumberGuesser.html.docx
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
Linux audit framework
Linux audit frameworkLinux audit framework
Linux audit framework
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
 
Debug generic process
Debug generic processDebug generic process
Debug generic process
 
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak   CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
 
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
Analyze corefile and backtraces with GDB for Mysql/MariaDB on Linux - Nilanda...
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
 
Keynote 1 - Engineering Software Analytics Studies
Keynote 1 - Engineering Software Analytics StudiesKeynote 1 - Engineering Software Analytics Studies
Keynote 1 - Engineering Software Analytics Studies
 
BPF Tools 2017
BPF Tools 2017BPF Tools 2017
BPF Tools 2017
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
System Calls
System CallsSystem Calls
System Calls
 
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPF
 
Sysprog 11
Sysprog 11Sysprog 11
Sysprog 11
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPF
 

More from gnosek

Jak działa Internet
Jak działa InternetJak działa Internet
Jak działa Internetgnosek
 
Docker rant
Docker rantDocker rant
Docker rantgnosek
 
Ansible PyWAW
Ansible PyWAWAnsible PyWAW
Ansible PyWAWgnosek
 
Warsztaty ansible
Warsztaty ansibleWarsztaty ansible
Warsztaty ansiblegnosek
 
Hostory
HostoryHostory
Hostorygnosek
 
pam_container -- jeszcze lżejsza wirtualizacja
pam_container -- jeszcze lżejsza wirtualizacjapam_container -- jeszcze lżejsza wirtualizacja
pam_container -- jeszcze lżejsza wirtualizacjagnosek
 
Ansible
AnsibleAnsible
Ansiblegnosek
 
LXC - kontener pingwinów
LXC - kontener pingwinówLXC - kontener pingwinów
LXC - kontener pingwinówgnosek
 

More from gnosek (8)

Jak działa Internet
Jak działa InternetJak działa Internet
Jak działa Internet
 
Docker rant
Docker rantDocker rant
Docker rant
 
Ansible PyWAW
Ansible PyWAWAnsible PyWAW
Ansible PyWAW
 
Warsztaty ansible
Warsztaty ansibleWarsztaty ansible
Warsztaty ansible
 
Hostory
HostoryHostory
Hostory
 
pam_container -- jeszcze lżejsza wirtualizacja
pam_container -- jeszcze lżejsza wirtualizacjapam_container -- jeszcze lżejsza wirtualizacja
pam_container -- jeszcze lżejsza wirtualizacja
 
Ansible
AnsibleAnsible
Ansible
 
LXC - kontener pingwinów
LXC - kontener pingwinówLXC - kontener pingwinów
LXC - kontener pingwinów
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx

Sysdig

  • 10.-15. hello, sysdig
    # sysdig | head -5
    3 15:26:36.552482922 0 sysdig (7311) > switch next=329(systemd-udevd) pgft_maj=6 pgft_min=1432 vm_size=26740 vm_rss=3052 vm_swap=0
    4 15:26:36.552502349 0 systemd-udevd (329) < read res=2352 data=# This file is part of systemd..#.# systemd is free software; you can redistri
    5 15:26:36.552590722 0 systemd-udevd (329) > read fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules) size=4096
    6 15:26:36.552593880 0 systemd-udevd (329) < read res=0 data=
    7 15:26:36.552596220 0 systemd-udevd (329) > close fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules)
    Slides 11-15 annotate the columns of each line in turn: event number, timestamp; CPU number, process name, pid; event direction (> enter event, < exit event) and event type (the syscall); then arbitrary event attributes.
  • 16. events
    # sysdig -L
    (...)
    > open()
    < open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode)
    > close(FD fd)
    < close(ERRNO res)
    > read(FD fd, UINT32 size)
    < read(ERRNO res, BYTEBUF data)
    > write(FD fd, UINT32 size)
    < write(ERRNO res, BYTEBUF data)
    (...)
  • 17. (diagram: dd, kernel)
    1073741824 bytes (1.1 GB) copied, 0.332905 s, 3.2 GB/s
  • 18. (diagram: dd, kernel, strace)
    1073741824 bytes (1.1 GB) copied, 18.2365 s, 58.9 MB/s
  • 19. (diagram: dd, kernel, sysdig, ring buffer)
    1073741824 bytes (1.1 GB) copied, 1.30029 s, 826 MB/s
  • 21. filters
    fd.name      FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple.
    proc.apid    the pid of one of the process ancestors.
    evt.latency  delta between an exit event and the correspondent enter event.
    (...)
    # sysdig -l | grep -Ec '^[a-z0-9_.]+'
    88
  • 22. filters
    # sysdig fd.name contains shadow
    2303 17:30:34.645573185 0 cat (24012) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
    # sysdig evt.res = EACCES or evt.res = EPERM
    617 17:32:16.197820784 0 cat (24027) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
    4333 17:32:26.239052264 0 killall (24028) < kill res=-1(EPERM)
  • 23. back to that dd again…
    # sysdig proc.name=not_dd > /dev/null & dd if=/dev/zero of=/dev/null bs=1k count=1M ; killall sysdig
    [1] 24070
    1048576+0 records in
    1048576+0 records out
    1073741824 bytes (1.1 GB) copied, 0.981408 s, 1.1 GB/s
  • 24. output formatting: same as filters (mostly)
    # sysdig -p '%user.name %proc.name %fd.name: %evt.res' evt.failed = true
    ubuntu cat /etc/shadow: EACCES
    ubuntu cat /usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo: ENOENT
    ubuntu cat /usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo: ENOENT
    ubuntu cat /usr/share/locale/en_US/LC_MESSAGES/libc.mo: ENOENT
  • 25. bottleneck in a haystack
    # sysdig -p '%evt.latency.s.%evt.latency.ns %evt.dir %evt.type %fd.name' fd.type contains ip and fd.sport != 22
    (...)
    0.000000000 >sendto 192.168.1.118:36220->46.28.247.84:80
    0.000114365 <sendto 192.168.1.118:36220->46.28.247.84:80
    0.000000000 >recvfrom 192.168.1.118:36220->46.28.247.84:80
    0.000005090 <recvfrom 192.168.1.118:36220->46.28.247.84:80
    0.000000000 >close 192.168.1.118:36220->46.28.247.84:80
    0.000001587 <close 192.168.1.118:36220->46.28.247.84:80
  • 26. sysdig -w → .scap file → sysdig -r, sysdig -r, sysdig -r
    shit's on fire, yo: capture trace file, restore service, analyze trace at your leisure
  • 27. lies, damn lies and benchmarks
    sysdig -w → .scap file → sysdig -r, sysdig -r, sysdig -r
    do a single benchmark run, analyze/postprocess lots of ways
  • 28. chisels: higher level of awesome
    Lua
    sysdig -cl
    sysdig -i chisel_name
    sysdig -c chisel_name [args…]
  • 29. chisel all the things!
    # sysdig -cl | grep -c ^[a-z]
    37
    # find /usr/share/sysdig/chisels/ -name '*.lua' | wc -l
    42
    the extra ones are utilities to use in chisels (json, ANSI terminal, etc.)
  • 30. chisels: performance bottlenecks
    Slowest system calls
    fileslower      Trace slow file I/O
    netlower        Trace slow network I/O
    proc_exec_time  Show process execution time
    scallslower     Trace slow syscalls
    topscalls       Top system calls by number of calls
    topscalls_time  Top system calls by time
    yup, a typo ;)
  • 31. chisels: security
    list_login_shells  List the login shell IDs
    shellshock_detect  print shellshock attacks
    spy_users          Display interactive user activity
    power corrupts, absolute power is even more fun
  • 32. All right gentlemen, we need some system info
    lsof, ps, netstat
    lsof, ps, netstat with time travel
    http://draios.com/ps-lsof-netstat-time-travel/
  • 34. version 0.1.91: do you feel lucky?
    • some syscalls not yet implemented (no args)
    • it did crash once (fixed immediately though)
    • PID namespaces ignored
    • root/privileged user only
    • one sysdig process at a time
    way better than strace though