draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/

Kernel module Vs eBPF probe #1889

Closed chkp-amitd closed 1 year ago

chkp-amitd commented 2 years ago

Hi, I have encountered this paragraph on Sysdig documentation: Falco and sysdig operate on top of the same data source: system calls. This data source is collected using either a kernel module or an eBPF probe. The two methods are equivalent in functionality, but the kernel module is a tiny bit more efficient, while the eBPF approach is safer and more modern.

My questions:

  1. Are these two options supported on all environments? What are the requirements for each collector?
  2. Can I check for a specific installation which option is valid and which one is recommended?
  3. Do I always have to build either the kernel module or the probe or can I use pre-compiled collector?
  4. Is there any documentation regarding which pre-compiled collector is available for which kernel version?

Thanks for your help!

krisnova commented 2 years ago

Falco and Sysdig are confusingly tightly coupled projects. You can find substantially more information in the Falco documentation about how the various drivers work and how you can leverage them as needed.

https://falco.org/blog/choosing-a-driver/

FedeDP commented 2 years ago

Hi!

> Are these two options supported on all environments? What are the requirements for each collector?

Kind of; the minimum kernel version is different; have a look here: https://github.com/falcosecurity/libs#drivers-officially-supported-architectures

> Can I check for a specific installation which option is valid and which one is recommended?

There is no "valid" option, i.e. they are both valid where supported. The kmod is still the most used, probably because of its better performance. At the same time, eBPF cannot crash your system :) It's up to the user to choose the best one!

> Do I always have to build either the kernel module or the probe or can I use pre-compiled collector? Is there any documentation regarding which pre-compiled collector is available for which kernel version?

What do you mean by collector?

chkp-amitd commented 2 years ago

Hi. Thank you for your reply. By "collector" I mean either the kernel module or the eBPF probe.

Do I always have to build either the kernel module or the probe or can I use pre-compiled collector? Is there any documentation or repository from which I can learn which pre-compiled kernel module or eBPF is available for which kernel version?

Thanks!

FedeDP commented 2 years ago

The prebuilt drivers are hosted on an S3 bucket, namely download.draios.com with prefix scap-drivers. There is no frontend; you can use awscli to list them :)

Like:

```
aws s3 ls s3://download.draios.com/scap-drivers --recursive --human-readable --summarize --no-sign-request
```

You can see that they are in subfolders (i.e. the driverversion); you should look for the correct driverversion matching your sysdig release; the latest is: e5c53d648f3c4694385bbe488e7d47eaa36c229a -> https://github.com/draios/sysdig/blob/0.29.0/cmake/modules/falcosecurity-libs.cmake#L32
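As an added example (not code from the sysdig project or from the commenter), this script filters a listing of the scap-drivers prefix down to the driverversion named above and a given kernel release, and reports whether a prebuilt kernel module (.ko) or eBPF probe (.o) is offered. The listing lines are constructed to resemble `aws s3 ls --recursive` output, and the file-name layout under `scap-drivers/<driverversion>/` is an assumption, not the bucket's documented scheme.

```shell
#!/bin/sh
# Added example, not from the sysdig project. The sample listing below is
# CONSTRUCTED; the path/file-name layout is an assumption. In real use the
# listing comes from:
#   aws s3 ls s3://download.draios.com/scap-drivers --recursive --no-sign-request
sample_listing() {
  cat <<'EOF'
2022-05-10 10:00:00    3200000 scap-drivers/e5c53d648f3c4694385bbe488e7d47eaa36c229a/x86_64/scap_ubuntu-generic_5.15.0-25-generic_1.ko
2022-05-10 10:00:00    1800000 scap-drivers/e5c53d648f3c4694385bbe488e7d47eaa36c229a/x86_64/scap_ubuntu-generic_5.15.0-25-generic_1.o
2022-05-10 10:00:00    3100000 scap-drivers/e5c53d648f3c4694385bbe488e7d47eaa36c229a/x86_64/scap_centos_4.18.0-348.el8.x86_64_1.ko
2022-01-03 09:00:00    3000000 scap-drivers/1234567890abcdef1234567890abcdef12345678/x86_64/scap_ubuntu-generic_5.15.0-25-generic_1.ko
EOF
}

# available_drivers <driverversion> <kernel release> [listing command]
# Prints "kmod" and/or "ebpf", one per line, for prebuilt drivers that sit
# under the wanted driverversion and whose name carries the kernel release.
# A kernel module ships as a .ko object, the eBPF probe as a .o object.
available_drivers() {
  driverversion=$1
  kernel=$2
  lister=${3:-sample_listing}
  "$lister" | awk -v dv="$driverversion" -v kr="$kernel" '
    # $4 is the object key; keep only the right driverversion and kernel.
    index($4, "scap-drivers/" dv "/") == 1 && index($4, "_" kr "_") > 0 {
      if ($4 ~ /\.ko$/) print "kmod"
      else if ($4 ~ /\.o$/) print "ebpf"
    }'
}

# Usage: the driverversion named in the comment above, for a constructed
# kernel release (on a real host you would pass "$(uname -r)").
available_drivers e5c53d648f3c4694385bbe488e7d47eaa36c229a 5.15.0-25-generic
```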

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.