Intro to sysdig in 15 minutes

Luca Marturana, Software engineerSysdig in 15 minutes

Information presented is confidential

Containers

• Easy to bundle apps

• Easy to replicate

environments

• Bridge from app

developers to ops

engineers


Containers in production: new challenges

• Orchestration • Monitoring • Troubleshooting • Logging • Security


Troubleshooting

• network: tcpdump, netstat

• file: lsof • memory/cpu:

top, ps

They don’t play well with containers


Sysdig architecture

Kernel

Container1

Docker

Container2

runc

Container3

rkt

sysdig

Docker

Capture and analysis

Instrumentation through kernel

module


sysdig

• Capture system events, filter them, run useful scripts

• Tracefiles for postponed analysis • Native support for: Docker, Kubernetes,

Mesos, rkt and so on • Open Source


Two Flavours

• event filtering and printing on screen

• apply bundled or custom chisels

• save tracefiles for later analysis

• easy to use interface

• tabular or graphic views for various purposes

sysdig csysdig

Hands on!


Setup

Install sysdig: https://www.sysdig.org/install/

Download captures: http://go.sysdig.com/ccwfs-captures

https://www.sysdig.org/install/

http://go.sysdig.com/ccwfs-captures


Exercise 1

Somebody is trying to log into our machine, find his IP!

Capture: trace01.scap


Solution 1

sysdig -r trace01.scap -c topconns fd.port = 22

sysdig -r trace01.scap -c spy_syslog proc.name = sshd


Exercise 2

Find the failing HTTP requests What’s wrong in them?



Solution 2

sysdig -r trace02.scap -c httplog|grep code=5

csysdig -r trace02.scap Containers -> nginx -> Connections


Exercise 3


Weird syscall behaviourHint: look csysdig Errors view


Solution 3

sysdig -r trace03.scap -c topscalls

sysdig -r trace03.scap -c echo_fds proc.name python and fd.name

contains myscript.py

sysdig -r trace03.scap proc.name = python and evt.type = close

Thank You!

Intro to sysdig in 15 minutes

Software

Transcript of Intro to sysdig in 15 minutes