updated: 2023-07-09 Sun 00:00

eBPF on container


Run eBPF programs (bcc tools such as execsnoop) scoped to a single container, by filtering on the container's cgroup ID instead of tracing every process on the host.

Container CGroup

Install containercgroup, which resolves a container ID to its cgroup path (the libcgroup-dev package is required to build it):

$ git clone https://dynamicmalloc.com/cgit/containercgroup.git
$ cd containercgroup
$ autoreconf --install
$ mkdir build && cd build
$ ../configure
$ make
# make install

Run the eBPF script

$ git clone https://dynamicmalloc.com/cgit/ebpf_on_container.git

Example usage

# ./ebpf_on_container.sh BPF_PROGRAM CONTAINER_ID

# ./ebpf_on_container.sh /usr/sbin/execsnoop-bpfcc $(docker inspect --format="{{.Id}}" 1ea176377c50)

# ./ebpf_on_container.sh /usr/sbin/execsnoop-bpfcc $(kubectl get pods -o jsonpath='{range .items[*].status.containerStatuses[*]}{.containerID}{"\n"}{end}' --field-selector metadata.name=test-deployment-7f456874f4-mxjg4 | cut -b 10-)

The cut -b 10- strips the docker:// runtime prefix from the containerID field; on a containerd node the prefix is containerd://, so use cut -b 14- there. Run it on the node that hosts the pod, since the cgroup only exists there.

Test

Start ebpf_on_container.sh with a BPF program and a container ID.

Then, from another terminal, open a shell in the selected container and execute a few commands. Only execs from inside that container should appear in the output; commands run on the host or in other containers should not.

$ docker exec -it CONTAINER_ID /bin/bash

$ kubectl exec -it test-deployment-7f456874f4-mxjg4 -- /bin/bash

Example output:

# ./ebpf_on_container.sh /usr/sbin/execsnoop-bpfcc $(docker inspect --format="{{.Id}}" 1ea176377c50)
creating bpf map
/sys/fs/bpf/1ea176377c50510cc70618f450190261a4eeecf14bf9910c5da49f49a748f876
cgroupid: a4 5e 00 00 00 00 00 00
PCOMM            PID     PPID    RET ARGS
bash             42031   42022     0 /bin/bash
ls               42036   42031     0 /usr/bin/ls
whoami           42037   42031     0 /usr/bin/whoami
cat              42038   42031     0 /usr/bin/cat /etc/fstab

Press Ctrl+C to end the process. The cgroupid line is the key the script writes into the pinned map: the container's cgroup ID (on cgroup v2, the inode number of its cgroup directory) as eight little-endian bytes, so a4 5e 00 00 00 00 00 00 is ID 0x5ea4 = 24228. A map pinned under /sys/fs/bpf persists after the tool exits until that file is removed, so check that it is gone (and rm it if not) once you are done.
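The output above shows the three steps the script performs: create a BPF hash map pinned under /sys/fs/bpf, write the container's cgroup ID into it as an 8-byte little-endian key, and run the bcc tool with that map as its cgroup filter (bcc's --cgroupmap option looks up bpf_get_current_cgroup_id(), i.e. the cgroup v2 ID, in that map). The following script is an added example that reproduces those steps with bpftool and docker; it is not the page's ebpf_on_container.sh and not containercgroup. It assumes cgroup v2 mounted at /sys/fs/cgroup, a Docker host, bpftool installed and bpffs mounted at /sys/fs/bpf, and it resolves the cgroup from /proc/<pid>/cgroup instead of using containercgroup. The two conversion helpers encode and decode the key format shown in the cgroupid line, so you can check the printed bytes against stat -c %i on the cgroup directory.

```shell
#!/bin/sh
# Added example (not the page's script): run a bcc tool scoped to one
# container's cgroup v2 via a pinned BPF map, as bcc's --cgroupmap expects.
# Assumptions: cgroup v2 at /sys/fs/cgroup, Docker, bpftool, bpffs at
# /sys/fs/bpf. Must run as root.

# Encode a decimal cgroup ID as the 8 little-endian hex bytes that
# "bpftool map update ... key hex ..." takes. 24228 -> "a4 5e 00 00 00 00 00 00".
cgroup_id_to_le_hex() {
    n=$1
    out=""
    i=0
    while [ "$i" -lt 8 ]; do
        out="$out$(printf '%02x ' $(( n & 255 )))"
        n=$(( n >> 8 ))
        i=$(( i + 1 ))
    done
    printf '%s\n' "${out% }"
}

# Decode the bytes back to a decimal ID, e.g. to compare a printed
# "cgroupid:" line with `stat -c %i <cgroup directory>`.
le_hex_to_cgroup_id() {
    n=0
    shift_bits=0
    for b in $1; do
        n=$(( n | (0x$b << shift_bits) ))
        shift_bits=$(( shift_bits + 8 ))
    done
    printf '%d\n' "$n"
}

# Resolve a container ID to its cgroup v2 ID: the container's init PID,
# its "0::/docker/<id>" line in /proc/<pid>/cgroup, then the directory inode.
container_cgroup_id() {
    pid=$(docker inspect --format '{{.State.Pid}}' "$1")
    if [ "${pid:-0}" -le 0 ]; then
        echo "container $1 is not running" >&2
        return 1
    fi
    cgpath=$(sed -n 's/^0::\(.*\)$/\1/p' "/proc/$pid/cgroup")
    stat -c %i "/sys/fs/cgroup$cgpath"
}

# Create the pinned map, insert the cgroup ID, run the tool with --cgroupmap.
# The pinned map outlives the tool, so it is removed on exit.
run_tool_on_container() {
    tool=$1
    cid=$(docker inspect --format '{{.Id}}' "$2")
    map="/sys/fs/bpf/$cid"
    cgid=$(container_cgroup_id "$cid") || return 1
    key=$(cgroup_id_to_le_hex "$cgid")
    echo "cgroupid: $key (decimal $cgid)"
    trap 'rm -f "$map"' EXIT INT TERM
    bpftool map create "$map" type hash key 8 value 8 entries 128 name cgroupset flags 0
    # $key is intentionally unquoted: bpftool wants 8 separate byte words.
    # shellcheck disable=SC2086
    bpftool map update pinned "$map" key hex $key value hex 00 00 00 00 00 00 00 00 any
    "$tool" --cgroupmap "$map"
}

# Usage: ./ebpf_on_cgroup.sh /usr/sbin/execsnoop-bpfcc <container id>
if [ "$#" -ge 2 ]; then
    run_tool_on_container "$1" "$2"
fi
```

The map is keyed on the 64-bit cgroup ID, so the filter only applies to the exact cgroup inserted; processes in child cgroups of the container (a systemd-managed container, for example) have different IDs and would need their own entries.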


Resources: https://github.com/iovisor/bcc/blob/master/docs/special_filtering.md