# Special Filtering

Some tools have special filtering capabilities. The main use case is to trace
processes running in containers, but those mechanisms are generic and could
be used in other cases as well.

## Filtering by cgroups

Some tools have an option to filter by cgroup by referencing a pinned BPF hash
map managed externally.

Examples of commands:

```
# ./opensnoop --cgroupmap /sys/fs/bpf/test01
# ./execsnoop --cgroupmap /sys/fs/bpf/test01
# ./tcpconnect --cgroupmap /sys/fs/bpf/test01
# ./tcpaccept --cgroupmap /sys/fs/bpf/test01
# ./tcptracer --cgroupmap /sys/fs/bpf/test01
```

The commands above will only display results from processes that belong to one
of the cgroups whose id, returned by `bpf_get_current_cgroup_id()`, is in the
pinned BPF hash map.

The BPF hash map can be created by:

```
# bpftool map create /sys/fs/bpf/test01 type hash key 8 value 8 entries 128 \
    name cgroupset flags 0
```

To get a shell in a new cgroup, you can use:

```
# systemd-run --pty --unit test bash
```

The shell will be running in the cgroup
`/sys/fs/cgroup/unified/system.slice/test.service`.

The cgroup id can be discovered using the `name_to_handle_at()` system call. In
examples/cgroupid, you will find an example program that prints the cgroup
id.

```
# cd examples/cgroupid
# make
# ./cgroupid hex /sys/fs/cgroup/unified/system.slice/test.service
```

or, using Docker:

```
# cd examples/cgroupid
# docker build -t cgroupid .
# docker run --rm --privileged -v /sys/fs/cgroup:/sys/fs/cgroup \
    cgroupid cgroupid hex /sys/fs/cgroup/unified/system.slice/test.service
```

This prints the cgroup id as a hexadecimal string in the host endianness, such
as `77 16 00 00 01 00 00 00`. Add that id as a key of the pinned map:

```
# FILE=/sys/fs/bpf/test01
# CGROUPID_HEX="77 16 00 00 01 00 00 00"
# bpftool map update pinned $FILE key hex $CGROUPID_HEX value hex 00 00 00 00 00 00 00 00 any
```

Now that the shell started by systemd-run has its cgroup id in the BPF hash
map, bcc tools will display results from this shell. Cgroups can be added to and
removed from the BPF hash map without restarting the bcc tool.

This feature is useful for integrating bcc tools in external projects.

## Filtering by mount namespace

The BPF hash map can be created by:

```
# bpftool map create /sys/fs/bpf/mnt_ns_set type hash key 8 value 4 entries 128 \
    name mnt_ns_set flags 0
```

Execute the `execsnoop` tool filtering only the mount namespaces
in `/sys/fs/bpf/mnt_ns_set`:

```
# tools/execsnoop.py --mntnsmap /sys/fs/bpf/mnt_ns_set
```

Start a terminal in a new mount namespace:

```
# unshare -m bash
```

Update the hash map with the mount namespace ID of the terminal above:

```
FILE=/sys/fs/bpf/mnt_ns_set
# A single 0x01 byte read back as a 16-bit word is 1 on little-endian hosts;
# there the byte list must be reversed so bpftool gets the key in host memory order.
if [ $(printf '\1' | od -dAn) -eq 1 ]; then
    HOST_ENDIAN_CMD=tac
else
    HOST_ENDIAN_CMD=cat
fi

# The mount namespace ID is the inode of /proc/self/ns/mnt, rendered as 8 hex bytes.
NS_ID_HEX="$(printf '%016x' $(stat -Lc '%i' /proc/self/ns/mnt) | sed 's/.\{2\}/&\n/g' | $HOST_ENDIAN_CMD)"
bpftool map update pinned $FILE key hex $NS_ID_HEX value hex 00 00 00 00 any
```

Execute a command in this terminal:

```
# ping kinvolk.io
```

You'll see how on the `execsnoop` terminal you started above the call is logged:

```
# tools/execsnoop.py --mntnsmap /sys/fs/bpf/mnt_ns_set
[sudo] password for mvb:
PCOMM            PID    PPID   RET ARGS
ping             8096   7970     0 /bin/ping kinvolk.io
```
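Both sections above end with the same step: turn a 64-bit id (a cgroup id from `name_to_handle_at()`, or the inode of `/proc/<pid>/ns/mnt`) into the byte list that `bpftool map update ... key hex ...` expects, in host memory order. The following program is an added example, not bcc's own `examples/cgroupid`; it assumes a cgroup v2 hierarchy, that the file-handle payload returned for a cgroupfs directory is the 8-byte cgroup id (the property the page's `name_to_handle_at()` reference relies on), and the function names `cgroup_id_of_path`, `mnt_ns_id_of_pid` and `key_hex_from_u64` are its own.

```c
/* Added example (not bcc's examples/cgroupid): produce bpftool-ready map keys
 * for the cgroupset and mnt_ns_set maps described on this page.
 * Build: cc -O2 -o mapkey mapkey.c
 * Usage: ./mapkey cgroup /sys/fs/cgroup/unified/system.slice/test.service
 *        ./mapkey mntns <pid>
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirrors the page's `printf '\1' | od -dAn` check. */
int host_is_little_endian(void) {
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Render a u64 as "xx xx ... xx" in memory order. bpftool copies these bytes
 * verbatim into the key, and the BPF program compares the key against the
 * native-endian u64 from bpf_get_current_cgroup_id() (or the ns inode), so
 * no byte swapping must happen here. out needs 24 bytes. */
void key_hex_from_u64(uint64_t value, char out[24]) {
    unsigned char bytes[8];
    memcpy(bytes, &value, sizeof bytes);
    for (int i = 0; i < 8; i++)
        snprintf(out + i * 3, 4, "%02x%s", bytes[i], i < 7 ? " " : "");
}

/* Convenience for checks: does value render to the expected byte list? */
int key_hex_equals(uint64_t value, const char *expected) {
    char hex[24];
    key_hex_from_u64(value, hex);
    return strcmp(hex, expected) == 0;
}

/* Inverse of key_hex_from_u64 for an 8-byte handle payload in memory order. */
uint64_t u64_from_handle_bytes(const unsigned char bytes[8]) {
    uint64_t v;
    memcpy(&v, bytes, sizeof v);
    return v;
}

/* cgroup id of a cgroup2 directory via name_to_handle_at(); the handle payload
 * for cgroupfs is the 8-byte cgroup id (assumption stated in the lead-in). */
int cgroup_id_of_path(const char *path, uint64_t *id) {
#ifdef __linux__
    struct file_handle *fh = calloc(1, sizeof *fh + sizeof(uint64_t));
    int mount_id, rc = -1;
    if (!fh) return -1;
    fh->handle_bytes = sizeof(uint64_t);
    if (name_to_handle_at(AT_FDCWD, path, fh, &mount_id, 0) == 0 &&
        fh->handle_bytes == sizeof(uint64_t)) {
        *id = u64_from_handle_bytes(fh->f_handle);
        rc = 0;
    }
    free(fh);
    return rc;
#else
    (void)path; (void)id;
    return -1;                       /* name_to_handle_at() is Linux-only */
#endif
}

/* Mount namespace id of a process: the inode of /proc/<pid>/ns/mnt, which is
 * what the page's shell snippet reads with `stat -Lc '%i'`. */
int mnt_ns_id_of_pid(pid_t pid, uint64_t *id) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld/ns/mnt", (long)pid);
    if (stat(path, &st) != 0) return -1;
    *id = (uint64_t)st.st_ino;
    return 0;
}

int main(int argc, char **argv) {
    uint64_t id = 0;
    char hex[24];
    int rc;
    if (argc == 3 && strcmp(argv[1], "cgroup") == 0)
        rc = cgroup_id_of_path(argv[2], &id);
    else if (argc == 3 && strcmp(argv[1], "mntns") == 0)
        rc = mnt_ns_id_of_pid((pid_t)atol(argv[2]), &id);
    else {
        fprintf(stderr, "usage: %s cgroup <cgroup-dir> | mntns <pid>\n", argv[0]);
        return 2;
    }
    if (rc != 0) { perror(argv[1]); return 1; }
    key_hex_from_u64(id, hex);
    printf("%s\n", hex);   /* paste after `key hex` in bpftool map update */
    return 0;
}
```

On a little-endian host the cgroup id 0x0000000100001677 renders as `77 16 00 00 01 00 00 00`, the same string the page feeds to `bpftool map update`; the program keeps the bytes in memory order rather than reversing them, so it also gives the right key on big-endian machines, where the page's shell snippet switches `tac` for `cat`.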