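#!/bin/bash
# Copyright (C) 2023 Pasha
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
#
# Run a BPF tool restricted to one container's cgroup.
#
# Steps: pin a hash map named "cgroupset" at /sys/fs/bpf/<container_id>,
# insert the container's cgroup id as its only key, run the given program
# with "--cgroup <map path>", then remove the pinned map again.
#
# Usage: <script> bpf_program_path container_id
#        <script> -v
#
# NOTE(review): writing under /sys/fs/bpf normally requires root, so both
# arguments end up driving privileged operations -- confirm who may call this.

# Print the script version.
# NOTE(review): exits 1 although printing the version is not an error;
# left unchanged so existing callers see the same status.
show_version() {
  echo "0.1a"
  exit 1
}

# Print usage and examples, then exit with status 1.
show_usage() {
  echo "Usage: $0 bpf_program_path container_id"
  echo "example: $0 /usr/sbin/execsnoop-bpfcc \$(docker inspect --format=\"{{.Id}}\" 119cb41a9e09)"
  echo " $0 /usr/sbin/execsnoop-bpfcc \$(kubectl get pods -o jsonpath='{range .items[*].status.containerStatuses[*]}{.containerID}{\"\n\"}{end}' --field-selector metadata.name=test-deployment-7f456874f4-mxjg4 | cut -b 10-)"
  exit 1
}

# Remove the pinned map. Installed as the EXIT trap once this run has
# created the map, so it is also cleaned up on early exits.
remove_bpf_map() {
  echo "removing bpf map"
  rm -f -- "$BPF_FILE"
}

if [[ "${1:-}" == "-v" ]]; then
  show_version
fi

if [[ -z "${1:-}" || -z "${2:-}" ]]; then
  show_usage
fi

bpf_prog_path=$1
containerid=$2

# container_id becomes a file name under /sys/fs/bpf and that path is later
# handed to rm. Accept a single plain path component only, so the argument
# cannot point the create/remove steps at anything outside that directory
# and cannot be read as an option by the tools below.
if ! [[ "$containerid" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]]; then
  echo "invalid container id"
  exit 1
fi

echo "creating bpf map"
BPF_FILE=/sys/fs/bpf/$containerid

# Refuse to reuse (and later delete) an object this run did not create.
if [[ -e "$BPF_FILE" ]]; then
  echo "error bpf map exists."
  echo "please unmap or remove \"$BPF_FILE\" and try again."
  exit 1
fi

printf '%s\n' "$BPF_FILE"
if ! /usr/sbin/bpftool map create "$BPF_FILE" type hash key 8 value 8 \
  entries 128 name cgroupset flags 0; then
  echo "error creating bpf map" >&2
  exit 1
fi

# From here on the map belongs to this run: remove it on every exit path.
trap remove_bpf_map EXIT

cgroupid=$(containercgroup id "$containerid")
if [[ -z "$cgroupid" ]]; then
  echo "invalid container id"
  exit 1
fi
echo "cgroupid: $cgroupid"

# bpftool takes the key as separate hex-byte arguments, so the helper's
# output is split on whitespace into an array (no glob expansion).
# presumably `containercgroup id` prints 8 space-separated hex bytes -- TODO confirm
key_bytes=()
read -r -d '' -a key_bytes <<<"$cgroupid" || true

if ! /usr/sbin/bpftool map update pinned "$BPF_FILE" \
  key hex "${key_bytes[@]}" value hex 00 00 00 00 00 00 00 00 any; then
  echo "error updating bpf map" >&2
  exit 1
fi

# Run the caller-chosen program against the pinned map and hand its exit
# status back to the caller; the EXIT trap removes the map afterwards.
"$bpf_prog_path" --cgroup "$BPF_FILE"
prog_status=$?
exit "$prog_status"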