Skip to content
/ double-slit-experiment Public

Identify containers at runtime and observe them. No container runtime required. Read only access to the kernel.

License

Apache-2.0 license
16 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

krisnova/double-slit-experiment

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits

cmake-build-debug/CMakeFiles

cmake-build-debug/CMakeFiles

 
 

cmd

cmd

 
 

probe

probe

 
 

system

system

 
 

userspace

userspace

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

Repository files navigation

Linux Telemetry

The Double Slit Experiment

Taken from an interesting physics anomaly where the behavior of a physical system mutates simply by being observed.

The thesis behind the project is that meaningful well thought out telemetry could change the behavior of broader systems.

Install

git clone git@github.com:kris-nova/double-slit-experiment.git
cd double-slit-experiment
make
./dse --help

Running

./dse run | uniq

Note: See userspace/profile.go for filters and configuration for now.

About

This is a library of abstractions build around Go and eBPF code.

The library will aggregate events from the Linux kernel at runtime using eBPF.

The abstractions are ObservationPoint's. These are aggregate systems in Go built around tracepoints in the Linux kernel.

  • ProcessExecuted An event for every process executed on the system
  • ContainerEvent An event for any new container (docker, kubernetes, etc) started on the system
  • SocketStateChange An event for any change in a socket on the system
  • SignalDelivered An event for every Linux signal delivered to a process on the system

Each ObservationPoint returns one or more events that each implement the Event interface.

// Event is a generic event for all
// ObservationPoint systems.
type Event interface {
	JSON() ([]byte, error)
	String() string
	Name() string
}

Filters

The Double Slit Experiment has two types of filters that can be applied to various Observation Points.

  • SelectFunction() Select ANY that match this condition
  • DropFunction() Drop ANY that match this condition

Filters are managed different for each Observation Point, however drop functions drop as soon as a match is found.

Select functions are active, meaning they will drop any data that does not match the select.

Consider the following stream of data where all integers 0 through 9 were sent through systems select() and drop().

package main

func main() {
	data := []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
	for _, n := range data {
		selectFunction(n)
		dropFunction(n)
    }
}

Select functions will return data that matches a condition (similar to Unix's grep by Ken Thompson).

package main 

func selectSeven(n int) bool {
    return n == 7
}
// output: _, _, _, _, _, _, _, 7, _, _,

Drop functions will drop data that matches a condition.

func dropSeven(n int) {
	return n != 7
}
// output: 0, 1, 2, 3, 4, 5, 6, _, 8, 9

About

Identify containers at runtime and observe them. No container runtime required. Read only access to the kernel.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

16 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages