traceloop

The traceloop gadget is a syscalls flight recorder.

Getting started

Running the gadget:

kubectl gadget

$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/traceloop:latest [flags]

ig

$ sudo ig run ghcr.io/inspektor-gadget/gadget/traceloop:latest [flags]

Guide

First, we need to run an application that generates some events.

kubectl gadget

$ kubectl create ns test-traceloop-ns
namespace/test-traceloop-ns created
$ kubectl run -n test-traceloop-ns --image busybox test-traceloop-pod --command -- sleep inf
pod/test-traceloop-pod created

ig

$ docker run -it --rm --name test-traceloop busybox /bin/sh

Then, let's run the gadget:

kubectl gadget

$ kubectl gadget run traceloop:latest --namespace test-traceloop-ns K8S.NODE K8S.NAMESPACE K8S.PODNAME K8S.CONTAINERNAME CPU PID COMM SYSCALL PARAMETERS RET

ig

$ sudo ig run traceloop:latest --containername test-traceloop
RUNTIME.CONTAINERNAME                        CPU         PID COMM             SYSCALL                     PARAMETERS                  RET

Now, let's generate some events:

kubectl gadget

Run a command inside the pod:

$ kubectl exec -ti -n test-traceloop-ns test-traceloop-pod -- /bin/hush
/ # ls

ig

Run a command inside the container:

/ # ls

Let's collect the syscalls:

kubectl gadget

Press Ctrl+C to collect the syscalls:

$ kubectl gadget run traceloop:latest --namespace test-traceloop-ns
K8S.NODE            K8S.NAMESPACE       K8S.PODNAME         K8S.CONTAINERNAME   CPU         PID COMM      SYSCALL     PARAMETERS      RET
^C
...
minikube-docker     test-traceloop-ns   test-traceloop-pod  test-traceloop-pod  2         95419 ls        brk         brk=0        94032…
minikube-docker     test-traceloop-ns   test-traceloop-pod  test-traceloop-pod  2         95419 ls        mmap        addr=0, len… 14008…
minikube-docker     test-traceloop-ns   test-traceloop-pod  test-traceloop-pod  2         95419 ls        access      filename="/… -1 (P…
...
minikube-docker     test-traceloop-ns   test-traceloop-pod  test-traceloop-pod  2         95419 ls        write       fd=1, buf="…    201
minikube-docker     test-traceloop-ns   test-traceloop-pod  test-traceloop-pod  2         95419 ls        exit_group  error_code=0      X

ig

Press Ctrl+C to collect the syscalls:

$ sudo ig run traceloop:latest --containername test-traceloop
RUNTIME.CONTAINERNAME                        CPU         PID COMM             SYSCALL                     PARAMETERS                  RET
^C
...
test-traceloop                            5         58054 sh               execve                    filename="/bin/ls", a…             0
test-traceloop                            5         58054 ls               brk                       brk=0                  102559763509…
test-traceloop                            5         58054 ls               mmap                      addr=0, len=8192, pro… 123786398932…
test-traceloop                            5         58054 ls               access                    filename="/etc/ld.so.… -1 (Permissi…
...
test-traceloop                            5         58054 ls               write                     fd=1, buf="\x1b[1;34m…           201
test-traceloop                            5         58054 ls               exit_group                error_code=0                       X
...

Finally, clean the system:

kubectl gadget

$ kubectl delete ns test-traceloop-ns
namespace "test-traceloop-ns" deleted

ig

$ docker rm -f test-traceloop

Limitations

Timestamps are not filled on kernel older than 5.7.