trace_exec
The trace_exec gadget notifies when new processes are executed.
Getting started
Running the gadget:
- kubectl gadget
- ig
$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_exec:latest [flags]
$ sudo ig run ghcr.io/inspektor-gadget/gadget/trace_exec:latest [flags]
Flags
--ignore-failed
Ignore failed events
Default value: "true"
--paths
Show the cwd of the process.
Default value: "false"
--uid
Show only events generated by processes with this uid
Default value: ""
Guide
First, we need to run an application that generates some events.
- kubectl gadget
- ig
$ kubectl run --restart=Never --image=busybox myapp1-pod --labels="name=myapp1-pod,myapp=app-one,role=demo" -- sh -c 'while /bin/true ; do date ; cat /proc/version ; /bin/sleep 1 ; done'
pod/myapp1-pod created
$ kubectl run --restart=Never --image=busybox myapp2-pod --labels="name=myapp2-pod,myapp=app-two,role=demo" -- sh -c 'while /bin/true ; do date ; /bin/echo sleep-10 ; /bin/sleep 10 ; done'
pod/myapp2-pod created
$ kubectl get pod --show-labels -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
myapp1-pod 1/1 Running 0 83s 10.244.0.26 minikube-docker <none> <none> myapp=app-one,name=myapp1-pod,role=demo
myapp2-pod 1/1 Running 0 68s 10.244.0.27 minikube-docker <none> <none> myapp=app-two,name=myapp2-pod,role=demo
$ docker run --name test-trace-exec -d --rm busybox /bin/sh -c 'while /bin/true ; do whoami ; /bin/sleep 3 ; done'
Then, let's run the gadget:
- kubectl gadget
- ig
Using the trace_exec gadget, we can see which new processes are spawned on node
minikube-docker where myapp1-pod and myapp2-pod are running:
$ kubectl gadget run trace_exec:latest --selector role=demo --node minikube-docker
K8S.NODE K8S.NAMESPACE K8S.PODNAME K8S.CONTAINERNAME COMM PID TID PCOMM PPID ARGS ERR… USER LOGINUSER GROUP
minikube-docker default myapp1-pod myapp1-pod true 2957112 2957112 sh 2589510 /bin/true root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod date 2957113 2957113 sh 2589510 /bin/date root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod cat 2957114 2957114 sh 2589510 /bin/cat /pro… root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod sleep 2957115 2957115 sh 2589510 /bin/sleep 1 root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod true 2957116 2957116 sh 2589510 /bin/true root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod date 2957117 2957117 sh 2589510 /bin/date root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod cat 2957118 2957118 sh 2589510 /bin/cat /pro… root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod sleep 2957119 2957119 sh 2589510 /bin/sleep 1 root uid:4294967295 root
minikube-docker default myapp2-pod myapp2-pod true 2957120 2957120 sh 2589903 /bin/true root uid:4294967295 root
minikube-docker default myapp2-pod myapp2-pod date 2957121 2957121 sh 2589903 /bin/date root uid:4294967295 root
minikube-docker default myapp2-pod myapp2-pod echo 2957122 2957122 sh 2589903 /bin/echo sle… root uid:4294967295 root
minikube-docker default myapp2-pod myapp2-pod sleep 2957123 2957123 sh 2589903 /bin/sleep 10 root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod true 2957124 2957124 sh 2589510 /bin/true root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod date 2957125 2957125 sh 2589510 /bin/date root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod cat 2957126 2957126 sh 2589510 /bin/cat /pro… root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod sleep 2957127 2957127 sh 2589510 /bin/sleep 1 root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod true 2957147 2957147 sh 2589510 /bin/true root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod date 2957148 2957148 sh 2589510 /bin/date root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod cat 2957149 2957149 sh 2589510 /bin/cat /pro… root uid:4294967295 root
minikube-docker default myapp1-pod myapp1-pod sleep 2957150 2957150 sh 2589510 /bin/sleep 1 root uid:4294967295 root
^C
Processes of both pods are spawned: myapp1-pod spawns cat /proc/version and /bin/sleep 1,
myapp2-pod spawns /bin/echo sleep-10 and /bin/sleep 10, both spawn true and date.
We can stop to trace again by hitting Ctrl-C.
$ sudo ig run trace_exec:latest --containername test-trace-exec
RUNTIME.CONTAINERNAME COMM PID TID PCOMM PPID ARGS ERROR USER LOGINUSER GROUP
test-trace-exec true 2920998 2920998 sh 2920573 /bin/true root uid:4294967295 root
test-trace-exec whoami 2920999 2920999 sh 2920573 /bin/whoami root uid:4294967295 root
test-trace-exec sleep 2921000 2921000 sh 2920573 /bin/sleep 3 root uid:4294967295 root
^C
Finally, clean the system:
- kubectl gadget
- ig
$ kubectl delete pod myapp1-pod myapp2-pod
$ docker rm -f test-trace-exec