Sysdig 
Grzegorz Nosek
Garbage In, Garbage Out 
?
Garbage In, Garbage Out 
syscalls syscalls 
*may contain traces of signals and shared memory
Syscalls 
ssize_t read(int fd, void *buf, size_t count); 
ssize_t write(int fd, const void *buf, size_t count); 
int open(const char *pathname, int flags, mode_t mode); 
int close(int fd); 
int stat(const char *path, struct stat *buf); 
... 
$ grep -c __NR_ /usr/include/asm/unistd_64.h 
313 
$ man 2 read
strace 
# strace cat /etc/hostname 
execve("/bin/cat", ["cat", "/etc/hostname"], ... 
brk(0) = 0x1675000 
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT 
mmap(NULL, 8192, PROT_READ|PROT_WRITE, ... 
access("/etc/ld.so.preload", R_OK) = -1 ENOENT 
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 
fstat(3, {st_mode=S_IFREG|0644, st_size=48577, ...}) = 0 
mmap(NULL, 48577, PROT_READ, MAP_PRIVATE, 3, 0) = ... 
close(3) = 0 
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT 
(...)
that’s cool, but… 
1 million syscalls, as fast as possible 
worst case for any tracer 
# dd if=/dev/zero of=/dev/null bs=1k count=1M 
1048576+0 records in 
1048576+0 records out 
1073741824 bytes (1.1 GB) copied, 0.332905 s, 3.2 GB/s 
# strace -o /dev/null !! 
1048576+0 records in 
1048576+0 records out 
1073741824 bytes (1.1 GB) copied, 18.2365 s, 58.9 MB/s 
50x overhead
@brendangregg’s 
http://www.slideshare.net/brendangregg/linux-performance-tools-2014
hello, sysdig 
# sysdig | head -5 
3 15:26:36.552482922 0 sysdig (7311) > switch 
next=329(systemd-udevd) pgft_maj=6 pgft_min=1432 
vm_size=26740 vm_rss=3052 vm_swap=0 
4 15:26:36.552502349 0 systemd-udevd (329) < read 
res=2352 data=# This file is part of systemd..#.# 
systemd is free software; you can redistri 
5 15:26:36.552590722 0 systemd-udevd (329) > read 
fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules) 
size=4096 
6 15:26:36.552593880 0 systemd-udevd (329) < read 
res=0 data= 
7 15:26:36.552596220 0 systemd-udevd (329) > close 
fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules) 
each line, left to right: 
event number, timestamp 
CPU number, process name, pid 
event direction, event type 
(direction > is the enter event, < is the exit event of the syscall) 
arbitrary event attributes
events 
# sysdig -L 
(...) 
> open() 
< open(FD fd, FSPATH name, FLAGS32 flags, UINT32 
mode) 
> close(FD fd) 
< close(ERRNO res) 
> read(FD fd, UINT32 size) 
< read(ERRNO res, BYTEBUF data) 
> write(FD fd, UINT32 size) 
< write(ERRNO res, BYTEBUF data) 
(...)
dd -> kernel 
1073741824 bytes (1.1 GB) copied, 0.332905 s, 3.2 GB/s 
dd -> kernel -> strace 
1073741824 bytes (1.1 GB) copied, 18.2365 s, 58.9 MB/s 
dd -> kernel -> sysdig ring buffer 
1073741824 bytes (1.1 GB) copied, 1.30029 s, 826 MB/s
filters 
fd.name FD full name. If the fd is a file, this 
field contains the full path. If the FD 
is a socket, this field contains the 
connection tuple. 
proc.apid the pid of one of the process 
ancestors. 
evt.latency delta between an exit event and the 
corresponding enter event. 
(...) 
# sysdig -l | grep -Ec '^[a-z0-9_.]+' 
88
filters 
# sysdig fd.name contains shadow 
2303 17:30:34.645573185 0 cat (24012) < open 
fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) 
mode=0 
# sysdig evt.res = EACCES or evt.res = EPERM 
617 17:32:16.197820784 0 cat (24027) < open 
fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) 
mode=0 
4333 17:32:26.239052264 0 killall (24028) < kill 
res=-1(EPERM)
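The annotated output format above (event number, timestamp, CPU, process, pid, direction, type, attributes) and the two filter examples (`fd.name contains shadow`, `evt.res = EACCES or evt.res = EPERM`) can be reproduced offline on saved sysdig text output. The following Python is an added example, not code from the slides or from sysdig itself: the regular expressions, the `Event` class and the `SAMPLE` lines are constructed here, modelled on the slides' output, with one event per line.

```python
import re
from dataclasses import dataclass, field

# Layout of a default sysdig output line, as annotated on the slides:
#   <evt.num> <evt.time> <evt.cpu> <proc.name> (<pid>) <evt.dir> <evt.type> <args...>
EVENT_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<cpu>\d+)\s+"
    r"(?P<proc>\S+)\s+\((?P<pid>\d+)\)\s+(?P<dir>[<>])\s+(?P<type>\w+)\s*(?P<args>.*)$"
)
ARG_RE = re.compile(r"(\w+)=(\S*)")                          # key=value pairs
ERRNO_RE = re.compile(r"^-\d+\((?P<errno>[A-Z]+)\)$")        # e.g. fd=-13(EACCES)
FD_NAME_RE = re.compile(r"^-?\d+\(<\w+>(?P<name>[^)]*)\)$")  # e.g. fd=12(<f>/path)


@dataclass
class Event:
    num: int
    time: str
    cpu: int
    proc: str
    pid: int
    direction: str          # '>' enter event, '<' exit event
    type: str               # syscall (or scheduler event) name
    args: dict = field(default_factory=dict)

    @property
    def errno(self):
        """Errno name if this is a failed exit event, else None (sysdig's evt.failed)."""
        if self.direction != "<":
            return None
        for key in ("res", "fd"):       # close/kill report res=, open reports fd=
            m = ERRNO_RE.match(self.args.get(key, ""))
            if m:
                return m.group("errno")
        return None

    @property
    def fd_name(self):
        """Approximation of fd.name: open()'s name= arg, or the path/tuple inside fd=N(<type>...)."""
        if "name" in self.args:
            return self.args["name"]
        m = FD_NAME_RE.match(self.args.get("fd", ""))
        return m.group("name") if m else None


def parse_event(line):
    """Parse one sysdig output line; returns None for lines that are not events."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    args = {}
    # data= carries a raw buffer that may contain spaces, so split it off first.
    parts = re.split(r"(?:^|\s)data=", m.group("args"), maxsplit=1)
    if len(parts) == 2:
        args["data"] = parts[1]
    for key, value in ARG_RE.findall(parts[0]):
        args[key] = value
    return Event(int(m.group("num")), m.group("time"), int(m.group("cpu")),
                 m.group("proc"), int(m.group("pid")), m.group("dir"),
                 m.group("type"), args)


def select(lines, predicate):
    """Generic filter over a stream of lines, in the spirit of a sysdig filter expression."""
    return [ev for ev in map(parse_event, lines) if ev is not None and predicate(ev)]


def failed_events(lines, errnos=("EACCES", "EPERM")):
    """Equivalent of the slide's `evt.res = EACCES or evt.res = EPERM`."""
    return select(lines, lambda ev: ev.errno in errnos)


def name_contains(lines, needle):
    """Equivalent of the slide's `fd.name contains shadow`."""
    return select(lines, lambda ev: ev.fd_name is not None and needle in ev.fd_name)


# Constructed sample, modelled on the slides' output (one event per line).
SAMPLE = """\
2302 17:30:34.645570000 0 cat (24012) > open
2303 17:30:34.645573185 0 cat (24012) < open fd=-13(EACCES) name=/etc/shadow flags=1(O_RDONLY) mode=0
5 15:26:36.552590722 0 systemd-udevd (329) > read fd=12(<f>/lib/udev/rules.d/42-usb-hid-pm.rules) size=4096
6 15:26:36.552593880 0 systemd-udevd (329) < read res=0 data=
4333 17:32:26.239052264 0 killall (24028) < kill res=-1(EPERM)
""".splitlines()

if __name__ == "__main__":
    for ev in failed_events(SAMPLE):
        print(f"{ev.proc}({ev.pid}) {ev.type} -> {ev.errno} {ev.fd_name or ''}")
```

Only exit events carry a result, which is why `errno` ignores `>` lines; for `open` the error comes back in `fd=`, for most other calls in `res=`, and the parser checks both so the EACCES on /etc/shadow and the EPERM from `kill` land in the same list.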
back to that dd again… 
# sysdig proc.name=not_dd > /dev/null & dd if=/dev/zero of=/dev/null bs=1k count=1M ; killall sysdig 
[1] 24070 
1048576+0 records in 
1048576+0 records out 
1073741824 bytes (1.1 GB) copied, 0.981408 s, 1.1 GB/s
output formatting 
same as filters (mostly) 
# sysdig -p '%user.name %proc.name %fd.name: %evt.res' 
evt.failed = true 
ubuntu cat /etc/shadow: EACCES 
ubuntu cat /usr/share/locale/en_US.UTF-8/LC_MESSAGES/ 
libc.mo: ENOENT 
ubuntu cat /usr/share/locale/en_US.utf8/LC_MESSAGES/ 
libc.mo: ENOENT 
ubuntu cat /usr/share/locale/en_US/LC_MESSAGES/ 
libc.mo: ENOENT
bottleneck in a haystack 
# sysdig -p '%evt.latency.s.%evt.latency.ns %evt.dir %evt.type %fd.name' fd.type contains ip and fd.sport != 22 
(...) 
0.000000000 >sendto 192.168.1.118:36220->46.28.247.84:80 
0.000114365 <sendto 192.168.1.118:36220->46.28.247.84:80 
0.000000000 >recvfrom 192.168.1.118:36220->46.28.247.84:80 
0.000005090 <recvfrom 192.168.1.118:36220->46.28.247.84:80 
0.000000000 >close 192.168.1.118:36220->46.28.247.84:80 
0.000001587 <close 192.168.1.118:36220->46.28.247.84:80
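Finding the bottleneck in that haystack means ranking the exit events by `evt.latency` and summing time per connection. The following Python is an added example, not code from the slides or from sysdig: it parses the text produced by the slide's `-p` format string (assumed to be "<seconds>.<nanoseconds> <dir><type> <fd name>"), and the `SAMPLE` lines are constructed, with a second, slower connection added to the slide's own six lines.

```python
import re
from collections import defaultdict

# Line layout produced by the slide's format string
#   -p '%evt.latency.s.%evt.latency.ns %evt.dir %evt.type %fd.name'
# i.e. "<seconds>.<nanoseconds> <dir><type> <connection tuple>".
LINE_RE = re.compile(
    r"^(?P<sec>\d+)\.(?P<ns>\d{9})\s+(?P<dir>[<>])\s*(?P<type>\w+)\s+(?P<fd>\S+)$"
)


def parse_latency_line(line):
    """Return (latency_ns, direction, syscall, fd_name), or None for lines such as '(...)'."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    latency_ns = int(m.group("sec")) * 1_000_000_000 + int(m.group("ns"))
    return latency_ns, m.group("dir"), m.group("type"), m.group("fd")


def slowest_calls(lines, top=3):
    """Exit events ranked by latency; enter events always carry latency 0 and are skipped."""
    exits = [rec for rec in map(parse_latency_line, lines) if rec and rec[1] == "<"]
    exits.sort(key=lambda rec: rec[0], reverse=True)
    return [(lat, typ, fd) for lat, _, typ, fd in exits[:top]]


def time_per_connection(lines):
    """Total nanoseconds spent inside syscalls on each connection tuple."""
    totals = defaultdict(int)
    for rec in map(parse_latency_line, lines):
        if rec and rec[1] == "<":
            totals[rec[3]] += rec[0]
    return dict(totals)


# Constructed sample: the slide's connection plus a second one with one slow recvfrom.
SAMPLE = """\
(...)
0.000000000 >sendto 192.168.1.118:36220->46.28.247.84:80
0.000114365 <sendto 192.168.1.118:36220->46.28.247.84:80
0.000000000 >recvfrom 192.168.1.118:36220->46.28.247.84:80
0.000005090 <recvfrom 192.168.1.118:36220->46.28.247.84:80
0.000000000 >close 192.168.1.118:36220->46.28.247.84:80
0.000001587 <close 192.168.1.118:36220->46.28.247.84:80
0.000000000 >recvfrom 192.168.1.118:36221->10.0.0.9:5432
1.250000321 <recvfrom 192.168.1.118:36221->10.0.0.9:5432
""".splitlines()

if __name__ == "__main__":
    for lat, typ, fd in slowest_calls(SAMPLE):
        print(f"{lat / 1e9:.9f}s {typ:10s} {fd}")
    for fd, total in sorted(time_per_connection(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{total / 1e9:.9f}s total on {fd}")
```

Latencies are kept as integer nanoseconds rather than floats so that sums over many thousands of events stay exact; the enter lines are dropped because their latency is always zero (the delta is only known when the exit event arrives).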
sysdig -w -> .scap file -> sysdig -r (read back as many times as needed) 
shit’s on fire, yo 
capture trace file, restore service, analyze trace at your leisure
lies, damn lies and benchmarks 
sysdig -w -> .scap file -> sysdig -r (read back as many times as needed) 
do a single benchmark run, then analyze/postprocess it lots of ways
chisels: higher level of awesome 
Lua 
sysdig -cl 
sysdig -i chisel_name 
sysdig -c chisel_name [args…]
chisel all the things! 
# sysdig -cl | grep -c ^[a-z] 
37 
# find /usr/share/sysdig/chisels/ -name '*.lua' | wc -l 
42 
the extra ones are utilities to use in chisels 
(json, ANSI terminal, etc.)
chisels: performance 
bottlenecks Slowest system calls 
fileslower Trace slow file I/O 
netlower Trace slow network I/O 
proc_exec_time Show process execution time 
scallslower Trace slow syscalls 
topscalls Top system calls by number of calls 
topscalls_time Top system calls by time 
yup, a typo ;)
chisels: security 
list_login_shells List the login shell IDs 
shellshock_detect print shellshock attacks 
spy_users Display interactive user activity 
power corrupts, 
absolute power is even more fun
All right gentlemen, 
we need some system info 
lsof, ps, netstat 
with time travel 
http://draios.com/ps-lsof-netstat-time-travel/
gotcha!
version 0.1.91 
do you feel lucky? 
• some syscalls not yet implemented (no args) 
• it did crash once (fixed immediately though) 
• PID namespaces ignored 
• root/privileged user only 
• one sysdig process at a time 
way better than strace though