eBPF
- Updated on 09 Jun 2022
Linux divides its memory space into two areas, kernel space and user space. Kernel space is where the core of the operating system resides. The kernel space has unrestricted access to all the hardware, that is, memory, CPU, storage, and so on. The user space is the space where user applications are run. The user space code has limited direct access to hardware and relies on kernel space to complete its operation. eBPF (extended Berkeley Packet Filter) is a mechanism for writing code that can be executed in the Linux kernel space. eBPF allows you to package the user space application logic to be executed in the Linux kernel space as bytecode.
Traceable provides an eBPF solution that attaches probes to kernel functions and collects the data. The probes are attached to the functions that are executed during any network socket transaction, such as the open, connect, read, write, and close calls. Based on parameters, Traceable decides whether to collect data or not.
The following diagram shows a high-level flow of how Traceable's eBPF-based collection solution works:
Before you begin
Make sure that the following prerequisites are met to install the eBPF-based Traceable agent.
- Linux kernel - The underlying Linux kernel should be 4.18 or later with BTF (BPF Type Format) enabled.
- Kernel build - Linux kernel built with the CONFIG_DEBUG_INFO_BTF=y option.
- Capabilities - SYS_PTRACE and SYS_ADMIN capabilities in Kubernetes.
- Traceable agent - Traceable agent 1.19.2 or later.
- Traceable access token - In Traceable platform (UI), navigate to Administration > Access Token and click on Generate Agent Token. Copy the token.
- Privileged user - The deployment requires privileged user access.
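The kernel-side prerequisites above can be checked on each node before installing. The script below is an added example, not part of Traceable's documentation or tooling; the function names and the `--run` flag are hypothetical, and the `/boot/config-<release>` location is an assumption that holds on common distributions.

```shell
#!/bin/sh
# Added example: verify the kernel prerequisites (>= 4.18, BTF) on one node.

# kernel_at_least RELEASE MAJOR MINOR
# Exit 0 if RELEASE (as printed by `uname -r`) is at least MAJOR.MINOR,
# 1 if it is older, 2 if the release string cannot be parsed.
kernel_at_least() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    rel_major=${1%%.*}
    rest=${1#*.}
    rel_minor=${rest%%[!0-9]*}          # keep only the leading digits
    case "$rel_major" in ''|*[!0-9]*) return 2 ;; esac
    case "$rel_minor" in '') return 2 ;; esac
    [ "$rel_major" -gt "$2" ] || { [ "$rel_major" -eq "$2" ] && [ "$rel_minor" -ge "$3" ]; }
}

# btf_config_enabled FILE
# Exit 0 if the kernel config FILE contains CONFIG_DEBUG_INFO_BTF=y.
btf_config_enabled() {
    grep -q '^CONFIG_DEBUG_INFO_BTF=y$' "$1" 2>/dev/null
}

# check_node: report both prerequisites for the running kernel.
check_node() {
    rel=$(uname -r)
    status=0
    if kernel_at_least "$rel" 4 18; then
        echo "ok:   kernel $rel is 4.18 or later"
    else
        echo "FAIL: kernel $rel is older than 4.18 (or unparsable)"; status=1
    fi
    # Kernels built with BTF expose it at /sys/kernel/btf/vmlinux;
    # fall back to the distribution's saved kernel config (assumed path).
    if [ -r /sys/kernel/btf/vmlinux ] || btf_config_enabled "/boot/config-$rel"; then
        echo "ok:   BTF is available"
    else
        echo "FAIL: BTF not found (CONFIG_DEBUG_INFO_BTF=y missing)"; status=1
    fi
    return $status
}

# Run the check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then check_node; fi
```

Run it with `--run` on the node itself (not inside an application container), since the result depends on the host kernel.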
Installation
Complete the following steps to install Traceable agent for eBPF:
- Create a traceableai namespace.
  kubectl create namespace traceableai
- Define a sample values.yaml file to install the agent. For example:
  token: <>
  environment: <>
  runAsDaemonSet: true
  daemonSetMirroringEnabled: true
  ebpfCaptureEnabled: true
  ebpfRunAsPrivileged: true
  Note: Paste the access token that you copied from the Traceable platform in the token field.
- Run the following command to install Traceable agent in daemonset mode:
  helm repo add traceableai https://helm.traceable.ai
  helm repo update
  helm install --namespace traceableai traceable-agent traceableai/traceable-agent --values values.yaml
- Verify that Traceable agent pods are created. Enter the following command:
  % kubectl get pods -n traceableai
  NAME                    READY   STATUS    RESTARTS   AGE
  traceable-agent-49nh9   2/2     Running   0          49s
  The output of the get pods command would differ based on your deployment environment.
You can also verify a successful installation by navigating to API Catalog > Services and checking for ebpf in the traceable.module.name field as shown in the screenshot below.
Enable or disable mirroring
To enable mirroring, complete the following steps:
Enable mirroring for a namespace
To enable mirroring for a namespace, enter the following command:
kubectl label ns <namespace> traceableai-mirror=enabled
Disable mirroring for a namespace
To disable mirroring for a namespace, enter the following command:
kubectl label ns <namespace> traceableai-mirror=disabled
Disable mirroring for a pod
To disable mirroring for a pod, set the pod annotation mirror.traceable.ai/enabled to false.
kubectl patch deployment <deployment> -n <namespace> -p '{"spec": {"template":{"metadata":{"annotations":{"mirror.traceable.ai/enabled":"false"}}}} }'
Set the mirroring mode
The default mirroring mode is ingress. If you want to capture egress traffic, enter the following:
For a pod
To capture the egress traffic, set the mirror.traceable.ai/mode annotation to egress.
kubectl patch deployment <deployment> -n <namespace> -p '{"spec": {"template":{"metadata":{"annotations":{"mirror.traceable.ai/mode":"egress"}}}} }'
For a namespace
To capture egress traffic at the namespace level, set the annotation mirror.traceable.ai/defaultMode to egress.
kubectl annotate namespace <NAMESPACE> mirror.traceable.ai/defaultMode=egress
Upgrade
You can upgrade the Traceable agent in Kubernetes using the following Helm commands:
- Update helm charts by entering the following command:
  helm repo update traceableai
- Enter the following command to upgrade Traceable agent to the latest version:
  helm upgrade traceable-agent --namespace traceableai traceableai/traceable-agent
Uninstall
Enter the following command to uninstall the Platform agent using Helm:
helm uninstall traceable-agent --namespace traceableai