Inspektor Gadget is available in AzureLinux 3

by info.odysseyx@gmail.com, September 10, 2024

Inspektor Gadget is a set of tools and a framework that enable observability of Kubernetes clusters and Linux hosts using eBPF. The framework lets you create your own tools (i.e. gadgets), which are packaged as OCI images so they are easy to share with others. Inspektor Gadget handles the task of enriching low-level data, like disk I/O, with high-level data, like container names.

Azure Linux is an open source Linux distribution developed by Microsoft. It is the main Linux distribution for Microsoft's first-party services and is also available to customers, especially through Azure Kubernetes Service (AKS).

The Azure Linux team recently officially released version 3. Starting with this version, Inspektor Gadget is available in the official repositories and can be installed by simply calling `dnf`. This is a big improvement over previous versions, where users had to manually download the RPM packages from the release page before proceeding with the installation.

Now let's deploy an Azure Linux 3 VM, install Inspektor Gadget, and use it. In particular, we will use the `trace exec` gadget to monitor the exec syscall.

```
# Let's set some variables we will use to deploy the Azure Linux VM.
you@home$ resource_group='azure-linux-3'
you@home$ vm='azure-linux-3-vm'
you@home$ admin='testadmin'
you@home$ image="MicrosoftCBLMariner:azure-linux-3:azure-linux-3:latest"
# Let's now create the resource group and the VM inside it.
you@home$ az group create --name $resource_group --location westeurope
...
you@home$ az vm create --resource-group $resource_group --name $vm --image $image --admin-username ${admin} --generate-ssh-keys --security-type Standard
...
```
```
you@home$ ip=$(az vm show --resource-group $resource_group --name $vm -d --query '[privateIps]' --output tsv)
# We can now connect to the VM through ssh.
you@home$ ssh $admin@$ip
testadmin@azure-linux-3-vm [ ~ ]$ cat /etc/os-release
NAME="Microsoft Azure Linux"
VERSION="3.0.20240727"
ID=azurelinux
VERSION_ID="3.0"
PRETTY_NAME="Microsoft Azure Linux 3.0"
ANSI_COLOR="1;34"
HOME_URL="https://aka.ms/azurelinux"
BUG_REPORT_URL="https://aka.ms/azurelinux"
SUPPORT_URL="https://aka.ms/azurelinux"
# Let's install ig!
testadmin@azure-linux-3-vm [ ~ ]$ sudo dnf install -y ig
Last metadata expiration check: 0:03:01 ago on Thu Aug 22 08:31:41 2024.
Dependencies resolved.
=========================================================================================================================================
 Package        Architecture        Version                Repository                        Size
=========================================================================================================================================
Installing:
 ig             x86_64              0.30.0-1.azl3          azurelinux-official-base          18 M

Transaction Summary
=========================================================================================================================================
Install  1 Package

Total download size: 18 M
Installed size: 69 M
Downloading Packages:
ig-0.30.0-1.azl3.x86_64.rpm                        3.2 MB/s |  18 MB     00:05
-----------------------------------------------------------------------------------------------------------------------------------------
Total                                              3.2 MB/s |  18 MB     00:05
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                  1/1
  Installing       : ig-0.30.0-1.azl3.x86_64          1/1

Installed:
  ig-0.30.0-1.azl3.x86_64

Complete!
testadmin@azure-linux-3-vm [ ~ ]$ ig version
v30.0.0
# Let's run a simple loop spawning some processes.
```
```
testadmin@azure-linux-3-vm [ ~ ]$ while true; do date > /dev/null; sleep 1; done &
[1] 2035
# Let's trace the exec syscall with the corresponding ig tool.
testadmin@azure-linux-3-vm [ ~ ]$ sudo ig trace exec --host
RUNTIME.CONTAINERNAME    PID     PPID    COMM     PCOMM    RET  ARGS
                         2127    2035    date     bash     0    /usr/bin/date
                         2128    2035    sleep    bash     0    /usr/bin/sleep 1
                         2129    2035    date     bash     0    /usr/bin/date
                         2130    2035    sleep    bash     0    /usr/bin/sleep 1
^C
testadmin@azure-linux-3-vm [ ~ ]$ kill 2035
```

As you can see, ig was able to report the exec() system calls that were performed to run date and sleep! This way, you can use the tool to diagnose and troubleshoot not only AzureLinux host processes, but also processes running in containers!

This work would not have been possible without the help of the AzureLinux team, in particular Christopher Coe and Muhammad Palak R. Wani. Thanks to them for making this possible!
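An added example (not part of the original post or of the Inspektor Gadget project): a small shell filter for rows in the format `sudo ig trace exec --host` prints above, flagging failed execs and binaries run from world-writable directories, and counting execs per parent. The sample rows, the `RET` value `-2` and the function names are constructed for illustration, and it assumes host rows with an empty container column.

```shell
#!/bin/sh
# Added example: triage rows in the format printed by `sudo ig trace exec --host`.
# Assumption: host rows with an empty RUNTIME.CONTAINERNAME column, i.e.
#   PID PPID COMM PCOMM RET ARGS...

# flag_execs: read trace rows on stdin, print one finding per suspicious row.
flag_execs() {
  awk '
    $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }  # skip header and shell noise
    {
      if ($5 != 0)  # exec failed, e.g. missing binary or permission denied
        printf "FAILED_EXEC pid=%s ppid=%s pcomm=%s ret=%s path=%s\n", $1, $2, $4, $5, $6
      else if ($6 ~ /^\/(tmp|var\/tmp|dev\/shm)\//)  # world-writable location
        printf "WRITABLE_DIR_EXEC pid=%s ppid=%s pcomm=%s path=%s\n", $1, $2, $4, $6
    }'
}

# execs_per_parent: count successful execs per (PPID, PCOMM), busiest first.
execs_per_parent() {
  awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $5 == 0 { n[$2 " " $4]++ }
       END { for (k in n) print n[k], k }' | sort -rn
}

# sample_trace: constructed rows (not captured output) in the same column order.
sample_trace() {
cat <<'EOF'
RUNTIME.CONTAINERNAME PID PPID COMM PCOMM RET ARGS
2127 2035 date bash 0 /usr/bin/date
2128 2035 sleep bash 0 /usr/bin/sleep 1
3001 2990 dropped sh 0 /tmp/dropped --quiet
3002 2990 sh sh -2 /usr/bin/nonexistent
EOF
}

sample_trace | flag_execs
sample_trace | execs_per_parent
```

On a live host the same functions can read the gadget directly, for example `sudo ig trace exec --host | flag_execs`.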