NOTE It is suggested to have at LEAST Linux v5.0.0 installed on your node-workers and the host in which
Swoll uses a combination of C for the eBPF probe and Go for the client. If you wish to compile the eBPF probe manually, the following packages must be installed:
- clang
- llvm
- libelf-dev
- linux-headers
- binutils (for objdump)
The eBPF object may be compiled and installed separately, and all tooling should accept a -b <bpf object> flag, which is the path to the locally compiled eBPF object. To build it, run:
make -C ./internal/bpf
Development of Swoll can be done locally using cinder. It requires the swoll binary and probe object to be built on the host, so first start by running make all.
Next, create a new cinder cluster using the provided config.yaml file:
$ cinder create cluster -c internal/deploy/config.yaml
When finished, this will merge the kubeconfig into your $HOME/.kube/config file and set it as the current context. It will also create the necessary PKI and perform the swoll self-test. The full log of what cinder create cluster is doing will be output should any of the postCritCommands fail, or you can add -v to the command to get the full output.
This makes use of the Local Registry feature of cinder, so the image being referenced by the DaemonSet needs to be built and pushed to the registry:
$ docker build . -t localhost:5000/swoll:latest --build-arg GOPROXY --build-arg GOSUMDB
$ docker push localhost:5000/swoll:latest
The image will be available in cinder as cinderegg:5000/swoll:latest. Last, deploy the Kubernetes manifests:
$ kubectl apply -f internal/deploy/manifests
Running the following should produce all release artifacts (tar.gz, deb/rpm):
$ goreleaser release --rm-dist --skip-publish --skip-validate
Start a new cinder cluster just like above (don't forget to run make all first):
$ cinder create cluster -c internal/deploy/config.yaml
Installing the helm chart from cscr.io:
$ helm repo add criticalstack https://charts.cscr.io/criticalstack
$ kubectl create namespace swoll
$ helm install swoll criticalstack/swoll --namespace swoll
Deploy the Controller:
make deploy
Create a trace:
$ kubectl apply -f - << EOF
apiVersion: tools.swoll.criticalstack.com/v1alpha1
kind: Trace
metadata:
  name: monitor-cilium
spec:
  syscalls:
    - execve
    - openat
  labelSelector:
    matchLabels:
      k8s-app: cilium
  fieldSelector:
    matchLabels:
      status.phase: Running
EOF
And you should start seeing results:
$ kubectl logs -l sw-job=monitor-cilium -f
{"endpoint":{"hostname":"172.19.0.3","port":9095,"UseTLS":false},"payload":{"syscall":{"nr":257,"name":"sys_openat","class":"FileSystem","group":"Files"} ...
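The log line above is one newline-delimited JSON event per traced syscall, so the stream from kubectl logs can be piped straight into a small consumer. The following Go program is an added example and is not part of Swoll; it models only the fields visible in the event above (endpoint.hostname, endpoint.port, endpoint.UseTLS and payload.syscall.{nr,name,class,group}), ignores the rest of the truncated payload, and tallies events per syscall and per reporting endpoint while tolerating non-JSON lines mixed into the stream. The Summarize and SortedCounts functions and the SampleEvents input are my own; the execve sample line uses nr 59 (x86_64) with assumed class and group strings.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Event models only the fields visible in the log line on this page.
// Other fields in the record are ignored by json.Unmarshal.
type Event struct {
	Endpoint struct {
		Hostname string `json:"hostname"`
		Port     int    `json:"port"`
		UseTLS   bool   `json:"UseTLS"`
	} `json:"endpoint"`
	Payload struct {
		Syscall struct {
			Nr    int    `json:"nr"`
			Name  string `json:"name"`
			Class string `json:"class"`
			Group string `json:"group"`
		} `json:"syscall"`
	} `json:"payload"`
}

// Summary is the tally produced by Summarize.
type Summary struct {
	BySyscall  map[string]int // events per syscall name, e.g. "sys_execve"
	ByEndpoint map[string]int // events per reporting host:port
	Malformed  int            // lines that were not a complete event
}

// Summarize reads newline-delimited JSON events, as printed by
// `kubectl logs -l sw-job=<trace>`, and tallies them. A line that is not
// valid JSON or lacks a syscall name is counted as malformed rather than
// aborting, because a log stream may carry interleaved non-event output.
func Summarize(r io.Reader) (Summary, error) {
	s := Summary{BySyscall: map[string]int{}, ByEndpoint: map[string]int{}}
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // full events can exceed the 64 KiB default
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil || ev.Payload.Syscall.Name == "" {
			s.Malformed++
			continue
		}
		s.BySyscall[ev.Payload.Syscall.Name]++
		s.ByEndpoint[fmt.Sprintf("%s:%d", ev.Endpoint.Hostname, ev.Endpoint.Port)]++
	}
	return s, sc.Err()
}

// SortedCounts renders a count map as "name count" lines, highest count
// first, ties broken by name so the output is stable.
func SortedCounts(m map[string]int) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool {
		if m[keys[i]] != m[keys[j]] {
			return m[keys[i]] > m[keys[j]]
		}
		return keys[i] < keys[j]
	})
	out := make([]string, 0, len(keys))
	for _, k := range keys {
		out = append(out, fmt.Sprintf("%s %d", k, m[k]))
	}
	return out
}

// SampleEvents is constructed input: the first line copies the fields shown
// on this page, the execve line uses nr 59 (x86_64) with assumed class/group
// strings, and "not json" simulates noise in the log stream.
const SampleEvents = `{"endpoint":{"hostname":"172.19.0.3","port":9095,"UseTLS":false},"payload":{"syscall":{"nr":257,"name":"sys_openat","class":"FileSystem","group":"Files"}}}
{"endpoint":{"hostname":"172.19.0.3","port":9095,"UseTLS":false},"payload":{"syscall":{"nr":59,"name":"sys_execve","class":"Process","group":"Exec"}}}
not json
{"endpoint":{"hostname":"172.19.0.4","port":9095,"UseTLS":false},"payload":{"syscall":{"nr":257,"name":"sys_openat","class":"FileSystem","group":"Files"}}}
`

func main() {
	// Pipe `kubectl logs -l sw-job=monitor-cilium` in; fall back to the sample on a terminal.
	var in io.Reader = os.Stdin
	if fi, err := os.Stdin.Stat(); err != nil || fi.Mode()&os.ModeCharDevice != 0 {
		in = strings.NewReader(SampleEvents)
	}
	s, err := Summarize(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read:", err)
		os.Exit(1)
	}
	fmt.Println("syscalls:")
	for _, l := range SortedCounts(s.BySyscall) {
		fmt.Println(" ", l)
	}
	fmt.Println("endpoints:")
	for _, l := range SortedCounts(s.ByEndpoint) {
		fmt.Println(" ", l)
	}
	fmt.Println("malformed lines:", s.Malformed)
}
```

Run it as kubectl logs -l sw-job=monitor-cilium | go run main.go to get a per-syscall and per-endpoint count for the trace; the malformed counter is worth watching, because a non-zero value on a stream that should be pure JSON means the events are being truncated or interleaved before they reach you.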