Intro to sysdig in 15 minutes
Transcript of Intro to sysdig in 15 minutes
Luca Marturana, Software engineer
Sysdig in 15 minutes
Information presented is confidential
Containers
• Easy to bundle apps
• Easy to replicate environments
• Bridge from app developers to ops engineers
Containers in production: new challenges
• Orchestration
• Monitoring
• Troubleshooting
• Logging
• Security
Troubleshooting
• network: tcpdump, netstat
• file: lsof
• memory/cpu: top, ps
They don’t play well with containers
Sysdig architecture
[Diagram: Container1 (Docker), Container2 (runc) and Container3 (rkt) run on top of the kernel; sysdig, itself running in a Docker container, does the capture and analysis. Instrumentation is done through a kernel module.]
sysdig
• Capture system events, filter them, run useful scripts
• Tracefiles for postponed analysis
• Native support for: Docker, Kubernetes, Mesos, rkt and so on
• Open Source
Two Flavours
sysdig
• event filtering and printing on screen
• apply bundled or custom chisels
• save tracefiles for later analysis
csysdig
• easy to use interface
• tabular or graphic views for various purposes
Demo
Hands on!
Setup
Install sysdig: https://www.sysdig.org/install/
Download captures: http://go.sysdig.com/ccwfs-captures
Exercise 1
Somebody is trying to log into our machine, find his IP!
Capture: trace01.scap
Solution 1
sysdig -r trace01.scap -c topconns fd.port = 22
sysdig -r trace01.scap -c spy_syslog proc.name = sshd
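The same question can be answered with a custom chisel (the "apply bundled or custom chisels" flavour above). The chisel below is an added example, not one of the bundled sysdig chisels: it counts accepted connections on a server port per client IP, so the busiest client in trace01.scap is the answer to Exercise 1. It assumes the file is saved as ~/.chisels/ssh_clients.lua and run with sysdig -r trace01.scap -c ssh_clients.

```lua
-- Added example chisel (not bundled with sysdig): count accepted connections
-- on a server port, grouped by client IP. Assumed location: ~/.chisels/ssh_clients.lua
-- Run: sysdig -r trace01.scap -c ssh_clients        (or -c "ssh_clients 2222")
description = "Counts accepted connections to a server port, grouped by client IP"
short_description = "connections per client IP"
category = "Net"

args = {
    { name = "port", description = "server port to watch (default 22)",
      argtype = "int", optional = true },
}

local port = 22
local clients = {}  -- client IP -> number of accepted connections
local fcip          -- handle for the fd.cip field

function on_set_arg(name, val)
    if name == "port" then
        port = tonumber(val)
        return true
    end
    return false
end

function on_init()
    fcip = chisel.request_field("fd.cip")
    -- Only the exit side of successful accept() calls on our port: the fd
    -- fields (client IP and port) are populated once accept has returned.
    chisel.set_filter("evt.type in (accept, accept4) and evt.dir=< and " ..
                      "evt.failed=false and fd.sport=" .. port)
    return true
end

function on_event()
    local ip = evt.field(fcip)
    if ip ~= nil then
        clients[ip] = (clients[ip] or 0) + 1
    end
    return true
end

function on_capture_end()
    -- Busiest client first; the top entry is the IP Exercise 1 asks for.
    local sorted = {}
    for ip, n in pairs(clients) do sorted[#sorted + 1] = { ip = ip, n = n } end
    table.sort(sorted, function(a, b) return a.n > b.n end)
    for _, e in ipairs(sorted) do print(string.format("%6d  %s", e.n, e.ip)) end
    return true
end
```

Unlike topconns, this counts only connections the server actually accepted, so a client hammering sshd with many short sessions stands out even when each one moves few bytes.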
Exercise 2
Find the failing HTTP requests. What’s wrong with them?
Capture: trace02.scap
Solution 2
sysdig -r trace02.scap -c httplog | grep code=5
csysdig -r trace02.scap, then navigate Containers -> nginx -> Connections
Exercise 3
Capture: trace03.scap
Weird syscall behaviour. Hint: look at the csysdig Errors view.
Solution 3
sysdig -r trace03.scap -c topscalls
sysdig -r trace03.scap -c echo_fds proc.name = python and fd.name contains myscript.py
sysdig -r trace03.scap proc.name = python and evt.type = close
Thank You!