coder/exectrace
Simple eBPF-based exec snooping on Linux packaged as a Go library.

exectrace loads a pre-compiled eBPF program into the running kernel to receive details about the exec family of syscalls.

Coder

exectrace provides workspace process logging for Coder v1 and Coder v2 (aka Coder OSS).

Documentation for how to set up workspace process logging for Coder v1 users can be found here.

Documentation for Coder v2 users can be found in enterprise/README.md.

Requirements

exectrace only supports Go 1.16+ and Linux kernel 5.8+ (due to the use of BPF_MAP_TYPE_RINGBUF). Additionally, the kernel config CONFIG_DEBUG_INFO_BTF=y is required.

To validate this config is enabled, run either of the following commands directly on the system:

$ cat /proc/config.gz | gunzip | grep CONFIG_DEBUG_INFO_BTF
$ cat "/boot/config-$(uname -r)" | grep CONFIG_DEBUG_INFO_BTF

Installation

$ go get -u github.com/coder/exectrace

Quickstart

You will need root access, CAP_SYS_ADMIN or CAP_BPF, to run eBPF programs on your system.

Use go run -exec sudo ./cmd/program to compile a program and start it with sudo.

$ go install -u github.com/coder/exectrace/cmd/exectrace
$ exectrace --help
...
$ sudo exectrace
2021/12/01 16:42:02 Waiting for events..
[1188921, comm="node", uid=1002, gid=1003, filename=/bin/sh] /bin/sh -c 'which ps'
[1188922, comm="sh", uid=1002, gid=1003, filename=/usr/bin/which] which ps
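As an added example (not code from the exectrace project), the following parses the CLI's output lines shown above and flags a shell executed by a process whose comm is not itself a shell, the pattern in the first event (node spawning /bin/sh -c). The Event field names, the shell list and the sample log are this example's own assumptions.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Event holds what the CLI prints per exec; field names are this example's own.
type Event struct {
	PID, UID, GID  uint32
	Comm, Filename string
	Cmdline        string // argv as printed, e.g. /bin/sh -c 'which ps'
}

// lineRE matches: [PID, comm="x", uid=N, gid=N, filename=/path] argv...
var lineRE = regexp.MustCompile(`^\[(\d+), comm="([^"]*)", uid=(\d+), gid=(\d+), filename=(\S+)\] (.*)$`)

// ParseLine parses one CLI line; ok is false for non-event lines (e.g. the banner).
func ParseLine(line string) (ev Event, ok bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	pid, _ := strconv.ParseUint(m[1], 10, 32) // digits only, per the regex
	uid, _ := strconv.ParseUint(m[3], 10, 32)
	gid, _ := strconv.ParseUint(m[4], 10, 32)
	return Event{PID: uint32(pid), UID: uint32(uid), GID: uint32(gid),
		Comm: m[2], Filename: m[5], Cmdline: m[6]}, true
}

// ShellFromNonShell flags a shell exec'd by a non-shell comm (quickstart line 1: node -> /bin/sh).
func ShellFromNonShell(e Event) bool {
	shells := map[string]bool{"sh": true, "bash": true, "dash": true, "zsh": true}
	return shells[e.Filename[strings.LastIndex(e.Filename, "/")+1:]] && !shells[e.Comm]
}

// Flagged returns the PIDs of events in log that match ShellFromNonShell.
func Flagged(log string) (pids []uint32) {
	for _, line := range strings.Split(log, "\n") {
		if ev, ok := ParseLine(line); ok && ShellFromNonShell(ev) {
			pids = append(pids, ev.PID)
		}
	}
	return pids
}
// SampleLog is a constructed input: the quickstart's banner and two event lines.
const SampleLog = `2021/12/01 16:42:02 Waiting for events..
[1188921, comm="node", uid=1002, gid=1003, filename=/bin/sh] /bin/sh -c 'which ps'
[1188922, comm="sh", uid=1002, gid=1003, filename=/usr/bin/which] which ps`
```

Running Flagged(SampleLog) yields only the first event's PID; the second line (sh executing which) does not match the rule.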

Usage

exectrace exposes a minimal API surface. Call exectrace.New(nil) and then you can start reading events from the returned Tracer.

It is important that you close the tracer to avoid leaking kernel resources, so we recommend implementing a simple signal handler like the one in this example:

package main

import (
	"fmt"
	"os"
	"os/signal"
	"syscall"

	"github.com/coder/exectrace"
)

func main() {
	tracer, err := exectrace.New(nil)
	if err != nil {
		panic(err)
	}
	defer tracer.Close()

	// Close the tracer on SIGINT/SIGTERM so the kernel resources are released.
	go func() {
		sigs := make(chan os.Signal, 1)
		signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
		<-sigs
		tracer.Close()
	}()

	// Read events until the tracer is closed (Read then returns an error).
	for {
		event, err := tracer.Read()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", event)
	}
}

For a full usage example, refer to this comprehensive program that uses the library.

Development

You will need the following:

  • Docker (the Makefile runs clang within a Docker container for reproducibility)
  • Golang 1.20+
  • golangci-lint
  • prettier
  • shellcheck

Since the eBPF program is packaged using go:embed, you will need to compile the program and include it in the repo.

If you change the files in the bpf directory, run make and ensure that you include the .o files you changed in your commit (CI will verify that you've done this correctly).

Status: stable

This library is ready to use as-is. It has been used in production for years and has received minimal maintenance over that time period.

In April 2024, a system to send logs from the kernel to userspace was added, which can make discovering potential issues in production/development much easier.

The API will likely not be further modified as we have no need for additional fields/features. We will continue to maintain the library as needed.

See also

  • canonical/etrace - Go binary that uses ptrace and tracks the processes that a command launches for debugging and analysis
  • shirou/gopsutil - Go library that has methods for listing process details and getting information about the system

Dual licensed under the MIT and GPL 2.0 licenses. See LICENSE.

Code in the enterprise directory has a different license. See LICENSE.enterprise.
