extending sysdig with chisel
TRANSCRIPT
Extending SysdigGianluca Borello, Engineering Manager
Information presented is confidential
Sysdig modular architecture
Information presented is confidential
Command line
Information presented is confidential
Command line
Sysdig embraces the UNIX philosophy, with a very powerful textual output that can be
piped into other tools for further processing:
• Standard command line output
•
• Custom output format
Information presented is confidential
Command line
• json output
• Various data buffer encodings
Information presented is confidential
Chisels
Information presented is confidential
Chisels
• A chisel is a Lua script that is automatically called from sysdig, and
receives all the system events with all their precious state attached
• Rich bidirectional API with the sysdig engine (documented at
github.com/draios/sysdig/wiki/Sysdig-Chisel-API-Reference-Manual)
• Very good performance thanks to embedded LuaJIT engine
• Trivial to extend sysdig: creating a chisel is as simple as dropping
a script under ~/.chisels
• Endless possibilities via third-party Lua libraries
Information presented is confidential
Chisels
Information presented is confidential
Chisels
Initializationboilerplate.
Information presented is confidential
Chisels
Callbacks calledautomatically bythe engine.
Information presented is confidential
Chisels
The chisel contactsthe engine requestingspecific fields for the events.
Information presented is confidential
Chisels
Called at everysystem event. This is where the magic happens.
Information presented is confidential
Advanced extensions
Information presented is confidential
libsinsp
Information presented is confidential
libsinsp
• Event-based C++ API
• Supports state
• Supports filters
• Understands files/network connections/threads/processes
• Understands containers and their metadata
• Understands cluster orchestrators (Kubernetes, Mesos…)
• Fully independent shared library that can be used stand-alone
• Ideal for building advanced stateful applications
(but you should look into chisels first)
Information presented is confidential
libsinsp
Information presented is confidential
libscap
Information presented is confidential
libscap
• Lower level event-based C API (simil libpcap)
• Mostly stateless
• Extracts system events from the kernel as fast as possible
• Helpers for gathering information from /proc
• Fully independent shared library that can be used stand-alone
• Building block for high-performance system event analyzers
• Use case: high speed correlation between network packets
and processes:
ntop.org/pf_ring/using-sysdig-from-pf_ring-and-soon-from-all-ntop-apps
Information presented is confidential
libscap
Let’s extend sysdig!
Information presented is confidential
Use case
https://groups.google.com/forum/#!topic/sysdig/Vl_pbNR749I
Information presented is confidential
The scavenger chisel
Thank You!