Identify containers at runtime and observe them. No container runtime required. Read only access to the kernel.


Linux Telemetry

The Double Slit Experiment

The name is taken from the physics experiment in which the behavior of a physical system changes simply by being observed.

The thesis behind the project is that meaningful, well-thought-out telemetry can change the behavior of the broader systems it observes.


Install

git clone git@github.com:kris-nova/double-slit-experiment.git
cd double-slit-experiment
make
./dse --help
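Before running make it is worth checking the build host for what the Makefile actually touches. The build log in the issues below shows that make dumps kernel BTF with bpftool (`bpftool btf dump file /sys/kernel/btf/vmlinux format c > probe/vmlinux.h`), that `go generate` invokes clang on probe/bpf.c, and that a missing 32-bit glibc header (gnu/stubs-32.h) breaks the clang step. The preflight below is an added example, not part of the project; the requirement list and the hint strings are assumptions drawn from that log and from the package names given in the issue.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// Requirement pairs something the build needs with the hint to print when
// it is missing. Kind is "tool" (looked up in PATH) or "file" (os.Stat).
type Requirement struct {
	Kind string
	Name string
	Hint string
}

// DefaultRequirements is an assumption based on the build log in the issues:
// bpftool reads BTF from /sys/kernel/btf/vmlinux (present only when the
// kernel was built with CONFIG_DEBUG_INFO_BTF=y), go generate runs clang on
// probe/bpf.c, and clang needs the 32-bit glibc stubs header.
var DefaultRequirements = []Requirement{
	{"tool", "go", "install a Go toolchain"},
	{"tool", "clang", "install clang/llvm (go generate compiles probe/bpf.c with it)"},
	{"tool", "bpftool", "install bpftool (the Makefile dumps probe/vmlinux.h with it)"},
	{"file", "/sys/kernel/btf/vmlinux", "kernel BTF is not exposed; rebuild with CONFIG_DEBUG_INFO_BTF=y"},
	{"file", "/usr/include/gnu/stubs-32.h", "lib32-glibc (Arch), glibc-devel.i686 (RHEL) or gcc-multilib (Ubuntu)"},
}

// Missing returns the requirements that are not satisfied on this host,
// in the order they were listed.
func Missing(reqs []Requirement) []Requirement {
	var out []Requirement
	for _, r := range reqs {
		switch r.Kind {
		case "tool":
			if _, err := exec.LookPath(r.Name); err != nil {
				out = append(out, r)
			}
		case "file":
			if _, err := os.Stat(r.Name); err != nil {
				out = append(out, r)
			}
		}
	}
	return out
}

// Report formats the missing list as one line per item; it is empty when
// everything is present.
func Report(missing []Requirement) string {
	s := ""
	for _, r := range missing {
		s += fmt.Sprintf("missing %s %s: %s\n", r.Kind, r.Name, r.Hint)
	}
	return s
}

func main() {
	missing := Missing(DefaultRequirements)
	if len(missing) == 0 {
		fmt.Println("preflight ok: run make")
		return
	}
	fmt.Print(Report(missing))
	os.Exit(1)
}
```

Run it with `go run preflight.go` from any directory; a non-zero exit with the hint lines means make would fail at the corresponding step.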

Running

./dse run | uniq

Note: See userspace/profile.go for filters and configuration for now.

About

This is a library of abstractions built around Go and eBPF code.

The library aggregates events from the Linux kernel at runtime using eBPF.

The abstractions are ObservationPoints: aggregate systems in Go built around tracepoints in the Linux kernel.

  • ProcessExecuted An event for every process executed on the system
  • ContainerEvent An event for any new container (docker, kubernetes, etc) started on the system
  • SocketStateChange An event for any change in a socket on the system
  • SignalDelivered An event for every Linux signal delivered to a process on the system

Each ObservationPoint returns one or more events that each implement the Event interface.

// Event is a generic event for all
// ObservationPoint systems.
type Event interface {
	JSON() ([]byte, error)
	String() string
	Name() string
}
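To show how a consumer works against that interface, here is an added example (not the project's own code) with two hypothetical event types for the ProcessExecuted and SignalDelivered ObservationPoints, a uniq pass equivalent to the `./dse run | uniq` pipeline above, an allow-list filter standing in for the filters the page says live in userspace/profile.go, and a JSON-lines renderer. The struct fields, the function names Uniq, Only and JSONLines, and the sample stream are all assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the interface quoted on this page; every other type here is an
// added illustration and not the project's own code.
type Event interface {
	JSON() ([]byte, error)
	String() string
	Name() string
}

// ProcessExecuted is a hypothetical value for the ProcessExecuted
// ObservationPoint. The field set is an assumption; the project's real
// event struct is not shown on this page.
type ProcessExecuted struct {
	PID  uint32 `json:"pid"`
	PPID uint32 `json:"ppid"`
	Comm string `json:"comm"`
}

func (e ProcessExecuted) Name() string { return "ProcessExecuted" }
func (e ProcessExecuted) String() string {
	return fmt.Sprintf("%s pid=%d ppid=%d comm=%s", e.Name(), e.PID, e.PPID, e.Comm)
}
func (e ProcessExecuted) JSON() ([]byte, error) { return json.Marshal(e) }

// SignalDelivered is a hypothetical value for the SignalDelivered
// ObservationPoint, with the same caveat as above.
type SignalDelivered struct {
	PID    uint32 `json:"pid"`
	Signal int    `json:"signal"`
}

func (e SignalDelivered) Name() string { return "SignalDelivered" }
func (e SignalDelivered) String() string {
	return fmt.Sprintf("%s pid=%d signal=%d", e.Name(), e.PID, e.Signal)
}
func (e SignalDelivered) JSON() ([]byte, error) { return json.Marshal(e) }

// Uniq drops an event when its String() form repeats the previous one,
// which is what piping `./dse run` through uniq does to the text stream.
func Uniq(in []Event) []Event {
	var out []Event
	for _, e := range in {
		if n := len(out); n > 0 && out[n-1].String() == e.String() {
			continue
		}
		out = append(out, e)
	}
	return out
}

// Only keeps events whose Name() is in the allow-list: a minimal stand-in
// for the per-ObservationPoint filters in userspace/profile.go.
func Only(in []Event, names ...string) []Event {
	allow := map[string]bool{}
	for _, n := range names {
		allow[n] = true
	}
	var out []Event
	for _, e := range in {
		if allow[e.Name()] {
			out = append(out, e)
		}
	}
	return out
}

// JSONLines renders events one JSON object per line, the shape a log
// shipper or SIEM forwarder usually expects.
func JSONLines(in []Event) (string, error) {
	var b strings.Builder
	for _, e := range in {
		j, err := e.JSON()
		if err != nil {
			return "", err
		}
		b.Write(j)
		b.WriteByte('\n')
	}
	return b.String(), nil
}

func main() {
	// Constructed sample stream, not captured from a real host.
	stream := []Event{
		ProcessExecuted{PID: 4242, PPID: 1, Comm: "bash"},
		ProcessExecuted{PID: 4242, PPID: 1, Comm: "bash"}, // consecutive duplicate
		SignalDelivered{PID: 4242, Signal: 15},
		ProcessExecuted{PID: 4243, PPID: 4242, Comm: "curl"},
	}
	out, err := JSONLines(Only(Uniq(stream), "ProcessExecuted"))
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Keying the uniq pass on String() rather than on the JSON bytes matters once events carry timestamps: whatever String() omits is what makes two events "the same" for suppression purposes, so decide that field set deliberately.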
Issues
  • attempt to expose masking constants without copying them

    • I'm not sure if this will even build. I wasn't able to run make as I haven't set up bpf.
    • This patch tries to have a single source of truth for constants.

    Warning: This patch may be very misguided as I don't code in Go much. I'm not sure you can define constants like this. I just thought it would be nice not to have to copy the constants and introduce a second source of truth.

    opened by travisstaloch 2
  • something is odd in this function

    https://github.com/kris-nova/double-slit-experiment/blob/adfd87591348e4ac597a825ff66d519b084fee84/userspace/observe_container.go#L333

    opened by amalic 1
  • Error compiling: stubs-32.h not found

    [[email protected] double-slit-experiment]$ make
    rm dse
    rm: cannot remove 'dse': No such file or directory
    make: [Makefile:43: clean] Error 1 (ignored)
    rm userspace/gen*
    rm: cannot remove 'userspace/gen*': No such file or directory
    make: [Makefile:44: clean] Error 1 (ignored)
    rm probe/vmlinux.h
    bpftool btf dump file /sys/kernel/btf/vmlinux format c > probe/vmlinux.h
    go generate userspace/*.go
    In file included from /home/nova/double-slit-experiment/probe/bpf.c:28:
    In file included from /usr/include/string.h:26:
    In file included from /usr/include/bits/libc-header-start.h:33:
    In file included from /usr/include/features.h:497:
    /usr/include/gnu/stubs.h:7:11: fatal error: 'gnu/stubs-32.h' file not found
    # include <gnu/stubs-32.h>
              ^~~~~~~~~~~~~~~~
    1 error generated.
    Error: clang: exit status 1
    exit status 1
    userspace/bpf.go:20: running "go": exit status 1
    make: *** [Makefile:54: userspace/gen_probe_bpfel.go] Error 1

    It is just a missing glibc header file for 32-bit support.

    pacman -S lib32-glibc # Archlinux
    yum -y install glibc-devel.i686 glibc-devel # RHEL
    sudo apt-get install gcc-multilib # Ubuntu

    opened by kris-nova 1
  • Pulling pid and tid out of clone()'d processes

    I'd like to get all clone()'d process events out of the kernel and into userspace in Go.

    There seem to be some issues with how I am using the bpf_probe_read_user functions. I suspect it has something to do with typing in C or the __attribute (user).

    https://github.com/kris-nova/double-slit-experiment/blob/main/probe/bpf.c#L76-L77

    opened by kris-nova 0
Owner
Kris Nóva
principal engineer @twilio ceo/founder @privilegeescalation
Kris Nóva 6 Jul 18, 2021