This document provides a guide to setting up your host system for eBPF (Extended Berkeley Packet Filter) development and experimentation, and introduces some tools from the iovisor project (bcc, bpftrace) and Aqua Security (Tracee).
1. Prepare the Host for BCC (BPF Compiler Collection)
These steps will install the BCC tools and necessary dependencies.
Add iovisor Repository and Install Packages:
Note on apt-key: The apt-key add command is deprecated on many modern Linux systems. You might need to adapt the key addition method (e.g., by downloading the key and placing it in /etc/apt/keyrings/, then modifying the sources.list.d entry).
# Add iovisor GPG key (deprecated method)
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
# Add the iovisor repository. Only one of the two echo lines should be used;
# tee without -a overwrites the file, so the last one written wins.
# For Ubuntu Bionic (18.04):
# echo "deb https://repo.iovisor.org/apt/bionic bionic main" | sudo tee /etc/apt/sources.list.d/iovisor.list
# For your current distribution's codename (recommended):
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
# Install BCC packages and kernel headers for your current kernel
sudo apt-get -y install libbcc python-bcc python3-bcc bcc-tools libbcc-examples linux-headers-$(uname -r)
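As an added example, not part of the original guide, the script below installs the iovisor key with the keyring method the note above describes (instead of the deprecated apt-key) and checks the host's BCC prerequisites before any tool from /usr/share/bcc/tools is run. The keyring path /etc/apt/keyrings/iovisor.gpg, the three kernel options checked, and the use of execsnoop as the marker that bcc-tools is installed are assumptions of this example, not something the guide states.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): install the iovisor signing key
# into a dedicated keyring (the replacement for apt-key) and verify that the
# host has what BCC needs. Assumed: the keyring path below; the key id and
# keyserver are the ones the guide uses.
set -u

IOVISOR_KEY_ID="4052245BD4284CDD"
IOVISOR_KEYRING="/etc/apt/keyrings/iovisor.gpg"

# Build the sources.list.d entry that pins the repository to its own keyring.
# $1 = distribution codename (from `lsb_release -cs`), $2 = keyring path.
iovisor_sources_entry() {
    printf 'deb [signed-by=%s] https://repo.iovisor.org/apt/%s %s main\n' "$2" "$1" "$1"
}

# Fetch the key from the keyserver and store it dearmored (binary) in the
# keyring directory. Needs network access and root; not exercised by any test.
install_iovisor_key() {
    sudo install -d -m 0755 /etc/apt/keyrings
    gpg --keyserver keyserver.ubuntu.com --recv-keys "$IOVISOR_KEY_ID" || return 1
    gpg --export "$IOVISOR_KEY_ID" | sudo tee "$IOVISOR_KEYRING" >/dev/null
    iovisor_sources_entry "$(lsb_release -cs)" "$IOVISOR_KEYRING" \
        | sudo tee /etc/apt/sources.list.d/iovisor.list >/dev/null
}

# Check BCC prerequisites. Paths are parameters so the check can be run against
# any files (and tested without root):
#   $1 = kernel config file  (normally /boot/config-$(uname -r))
#   $2 = kernel build dir    (normally /lib/modules/$(uname -r)/build)
#   $3 = debugfs mount point (normally /sys/kernel/debug, must contain tracing/)
#   $4 = BCC tools dir       (normally /usr/share/bcc/tools)
# Returns 0 when everything is present, otherwise the number of failed checks.
check_bpf_prereqs() {
    local config="$1" build="$2" debugfs="$3" tools="$4" failed=0
    for opt in CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_KPROBES=y; do
        if ! grep -qx "$opt" "$config" 2>/dev/null; then
            echo "missing kernel option: $opt" >&2
            failed=$((failed + 1))
        fi
    done
    if [ ! -d "$build" ]; then
        echo "kernel headers not found at $build" >&2
        failed=$((failed + 1))
    fi
    if [ ! -d "$debugfs/tracing" ]; then
        echo "tracefs not available under $debugfs" >&2
        failed=$((failed + 1))
    fi
    if [ ! -e "$tools/execsnoop" ]; then
        echo "bcc-tools not installed under $tools" >&2
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Stand-alone use: check the running host with the standard paths.
check_bpf_prereqs "/boot/config-$(uname -r)" "/lib/modules/$(uname -r)/build" \
    /sys/kernel/debug /usr/share/bcc/tools \
    && echo "host is ready for BCC" \
    || echo "host is not ready for BCC (see messages above)"
```

The check reports every missing piece rather than stopping at the first one, which is what you want when a tool later fails with an unhelpful compile error: a missing linux-headers package and an unmounted debugfs look identical from inside BCC.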
2. Playing with BCC Tools
BCC (BPF Compiler Collection) is a toolkit for creating efficient kernel tracing and manipulation programs. Many pre-built tools are available.
Project Link: https://github.com/iovisor/bcc
Navigate to the BCC tools directory. The installed tools are typically located in /usr/share/bcc/tools:
Run example BCC tools (these commands must be run with sudo, from the /usr/share/bcc/tools directory):
Trace new TCP connections (SYN/ACK):
Trace new TCP active connections (connect()):
Trace new TCP passive connections (accept()):
Sniff SSL/TLS traffic (requires libssl/libcrypto to be dynamically linked, may not work for all processes):
Capture commands typed into bash shells:
For more tools and tutorials, check out the BCC Tutorial.
3.2 Running bpftrace via Docker (Alternative)
You can also run bpftrace using a Docker container provided by iovisor. This requires mounting several host directories and running in privileged mode.
Example 1: With host networking and PID namespace
This allows bpftrace to see all host processes and network interfaces easily.
Example 2: Without host networking/PID, but still privileged
This version is slightly more confined but still requires high privileges. It might be used if you want to trace processes within the container's own PID namespace or specific network interfaces if not using --net=host. For system-wide tracing like tcplife.bt, Example 1 is generally more suitable.
Note on Container Interaction: The original hint "maybe you can enter a container from another container" likely refers to advanced scenarios where one container (e.g., a privileged bpftrace container) might be used to inspect or interact with processes or network traffic of other containers on the same host, leveraging its privileged access to the host's kernel and namespaces.
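The following wrapper is an added example and not part of the original guide or the bpftrace project: it assembles the `docker run` invocation for the two modes described in this section, so the difference between Example 1 (host network and PID namespace) and Example 2 (privileged, but the container's own namespaces) is explicit in one place. The image name quay.io/iovisor/bpftrace:latest and the set of mounts follow the bpftrace project's container instructions as this example assumes them; adjust both if your image differs.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): build and run the docker
# command line for the iovisor bpftrace container in the two modes the
# section describes. Assumed: image name and mount set (see lead-in).
set -u

BPFTRACE_IMAGE="${BPFTRACE_IMAGE:-quay.io/iovisor/bpftrace:latest}"

# Print the docker arguments for the requested mode, one per line.
#   $1 = "host"     -> Example 1: shares the host's network and PID namespaces
#   $1 = "confined" -> Example 2: privileged, but its own network/PID namespaces
bpftrace_docker_args() {
    local mode="$1"
    # Mounts every mode needs:
    #   /lib/modules      the running kernel's module tree (its build/ link
    #                     points at the headers)
    #   /usr/src          kernel headers
    #   /sys/kernel/debug tracefs, needed for kprobes and tracepoints
    printf '%s\n' \
        --rm -ti --privileged \
        -v /lib/modules:/lib/modules:ro \
        -v /usr/src:/usr/src:ro \
        -v /sys/kernel/debug:/sys/kernel/debug:rw
    case "$mode" in
        host)     printf '%s\n' --net=host --pid=host ;;
        confined) ;;
        *) echo "unknown mode: $mode (use host or confined)" >&2; return 1 ;;
    esac
}

# Run bpftrace in the container. $1 = mode; the remaining arguments are passed
# to bpftrace unchanged (a script such as tcplife.bt, or -e 'program').
run_bpftrace_container() {
    local mode="$1"; shift
    local args
    args=$(bpftrace_docker_args "$mode") || return 1
    # shellcheck disable=SC2086  # word-splitting of $args is intended here
    docker run $args "$BPFTRACE_IMAGE" "$@"
}

# Stand-alone use (needs docker and root): trace TCP session lifetimes
# host-wide, which is the case where the "host" mode is the right choice.
# run_bpftrace_container host tcplife.bt
```

Keeping the argument list in a function rather than a shell alias makes the privilege boundary reviewable: anyone auditing how bpftrace is run on the host can see at a glance that it is privileged and which host paths it can reach, and the "confined" mode shows exactly which two flags are dropped.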
Run Tracee using Docker. It also requires privileged access and volume mounts.
Example 1: Default Tracee operation (traces host and containers)
Example 2: Tracee with container filtering
The --container flag (or other filtering flags provided by Tracee) can be used to focus on specific containers or events. Refer to Tracee documentation for advanced filtering.
# Install bpftrace using snap (devmode is often required for system-level tracing capabilities)
sudo snap install --devmode bpftrace
# Connect necessary interfaces for bpftrace to function correctly
sudo snap connect bpftrace:system-trace
docker run --name tracee --rm --privileged \
-v /lib/modules/:/lib/modules/:ro \
-v /usr/src:/usr/src:ro \
aquasec/tracee:latest --filter container=new # Example: trace only newly created containers
# The original had just '--container'. Tracee's flags might be more specific, e.g., '--filter container=new' or '--filter pid=new'
# Or to trace specific existing containers, you might need different flags.
# For general container events:
# docker run --name tracee --rm --privileged -v /etc/os-release:/etc/os-release-host:ro -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee aquasec/tracee:latest --events container_created,container_removed