add container-monitor example

.github/workflows/format.yml

@@ -12,7 +12,7 @@ jobs:
     name: Format
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - uses: actions/setup-python@v6
       with:
         python-version: "3.x"

.github/workflows/python-publish.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-python@v6
         with:

BCC-Examples/container-monitor/README.md

@@ -0,0 +1,49 @@
+# Container Monitor TUI
+
+A beautiful terminal-based container monitoring tool that combines syscall tracking, file I/O monitoring, and network traffic analysis using eBPF.
+
+## Features
+
+- 🎯 **Interactive Cgroup Selection** - Navigate and select cgroups with arrow keys
+- 📊 **Real-time Monitoring** - Live graphs and statistics
+- 🔥 **Syscall Tracking** - Total syscall count per cgroup
+- 💾 **File I/O Monitoring** - Read/write operations and bytes with graphs
+- 🌐 **Network Traffic** - RX/TX packets and bytes with live graphs
+- ⚡ **Efficient Caching** - Reduced /proc lookups for better performance
+- 🎨 **Beautiful TUI** - Clean, colorful terminal interface
+
+## Requirements
+
+- Python 3.7+
+- pythonbpf
+- Root privileges (for eBPF)
+
+## Installation
+
+```bash
+# Ensure you have pythonbpf installed
+pip install pythonbpf
+
+# Run the monitor
+sudo $(which python) container_monitor.py
+```
+
+## Usage
+
+1. **Selection Screen**: Use ↑↓ arrow keys to navigate through cgroups, press ENTER to select
+2. **Monitoring Screen**: View real-time graphs and statistics, press ESC or 'b' to go back
+3. **Exit**: Press 'q' at any time to quit
+
+## Architecture
+
+- `container_monitor.py` - Main BPF program combining all three tracers
+- `data_collector.py` - Data collection, caching, and history management
+- `tui. py` - Terminal user interface with selection and monitoring screens
+
+## BPF Programs
+
+- **vfs_read/vfs_write** - Track file I/O operations
+- **__netif_receive_skb/__dev_queue_xmit** - Track network traffic
+- **raw_syscalls/sys_enter** - Count all syscalls
+
+All programs filter by cgroup ID for per-container monitoring.

BCC-Examples/container-monitor/container_monitor.py

@@ -0,0 +1,220 @@
+"""Container Monitor - TUI-based cgroup monitoring combining syscall, file I/O, and network tracking."""
+
+from pythonbpf import bpf, map, section, bpfglobal, struct, BPF
+from pythonbpf.maps import HashMap
+from pythonbpf.helper import get_current_cgroup_id
+from ctypes import c_int32, c_uint64, c_void_p
+from vmlinux import struct_pt_regs, struct_sk_buff
+
+from data_collection import ContainerDataCollector
+from tui import ContainerMonitorTUI
+
+
+# ==================== BPF Structs ====================
+
+
+@bpf
+@struct
+class read_stats:
+    bytes: c_uint64
+    ops: c_uint64
+
+
+@bpf
+@struct
+class write_stats:
+    bytes: c_uint64
+    ops: c_uint64
+
+
+@bpf
+@struct
+class net_stats:
+    rx_packets: c_uint64
+    tx_packets: c_uint64
+    rx_bytes: c_uint64
+    tx_bytes: c_uint64
+
+
+# ==================== BPF Maps ====================
+
+
+@bpf
+@map
+def read_map() -> HashMap:
+    return HashMap(key=c_uint64, value=read_stats, max_entries=1024)
+
+
+@bpf
+@map
+def write_map() -> HashMap:
+    return HashMap(key=c_uint64, value=write_stats, max_entries=1024)
+
+
+@bpf
+@map
+def net_stats_map() -> HashMap:
+    return HashMap(key=c_uint64, value=net_stats, max_entries=1024)
+
+
+@bpf
+@map
+def syscall_count() -> HashMap:
+    return HashMap(key=c_uint64, value=c_uint64, max_entries=1024)
+
+
+# ==================== File I/O Tracing ====================
+
+
+@bpf
+@section("kprobe/vfs_read")
+def trace_read(ctx: struct_pt_regs) -> c_int32:
+    cg = get_current_cgroup_id()
+    count = c_uint64(ctx.dx)
+    ptr = read_map.lookup(cg)
+    if ptr:
+        s = read_stats()
+        s.bytes = ptr.bytes + count
+        s.ops = ptr.ops + 1
+        read_map.update(cg, s)
+    else:
+        s = read_stats()
+        s.bytes = count
+        s.ops = c_uint64(1)
+        read_map.update(cg, s)
+
+    return c_int32(0)
+
+
+@bpf
+@section("kprobe/vfs_write")
+def trace_write(ctx1: struct_pt_regs) -> c_int32:
+    cg = get_current_cgroup_id()
+    count = c_uint64(ctx1.dx)
+    ptr = write_map.lookup(cg)
+
+    if ptr:
+        s = write_stats()
+        s.bytes = ptr.bytes + count
+        s.ops = ptr.ops + 1
+        write_map.update(cg, s)
+    else:
+        s = write_stats()
+        s.bytes = count
+        s.ops = c_uint64(1)
+        write_map.update(cg, s)
+
+    return c_int32(0)
+
+
+# ==================== Network I/O Tracing ====================
+
+
+@bpf
+@section("kprobe/__netif_receive_skb")
+def trace_netif_rx(ctx2: struct_pt_regs) -> c_int32:
+    cgroup_id = get_current_cgroup_id()
+    skb = struct_sk_buff(ctx2.di)
+    pkt_len = c_uint64(skb.len)
+
+    stats_ptr = net_stats_map.lookup(cgroup_id)
+
+    if stats_ptr:
+        stats = net_stats()
+        stats.rx_packets = stats_ptr.rx_packets + 1
+        stats.tx_packets = stats_ptr.tx_packets
+        stats.rx_bytes = stats_ptr.rx_bytes + pkt_len
+        stats.tx_bytes = stats_ptr.tx_bytes
+        net_stats_map.update(cgroup_id, stats)
+    else:
+        stats = net_stats()
+        stats.rx_packets = c_uint64(1)
+        stats.tx_packets = c_uint64(0)
+        stats.rx_bytes = pkt_len
+        stats.tx_bytes = c_uint64(0)
+        net_stats_map.update(cgroup_id, stats)
+
+    return c_int32(0)
+
+
+@bpf
+@section("kprobe/__dev_queue_xmit")
+def trace_dev_xmit(ctx3: struct_pt_regs) -> c_int32:
+    cgroup_id = get_current_cgroup_id()
+    skb = struct_sk_buff(ctx3.di)
+    pkt_len = c_uint64(skb.len)
+
+    stats_ptr = net_stats_map.lookup(cgroup_id)
+
+    if stats_ptr:
+        stats = net_stats()
+        stats.rx_packets = stats_ptr.rx_packets
+        stats.tx_packets = stats_ptr.tx_packets + 1
+        stats.rx_bytes = stats_ptr.rx_bytes
+        stats.tx_bytes = stats_ptr.tx_bytes + pkt_len
+        net_stats_map.update(cgroup_id, stats)
+    else:
+        stats = net_stats()
+        stats.rx_packets = c_uint64(0)
+        stats.tx_packets = c_uint64(1)
+        stats.rx_bytes = c_uint64(0)
+        stats.tx_bytes = pkt_len
+        net_stats_map.update(cgroup_id, stats)
+
+    return c_int32(0)
+
+
+# ==================== Syscall Tracing ====================
+
+
+@bpf
+@section("tracepoint/raw_syscalls/sys_enter")
+def count_syscalls(ctx: c_void_p) -> c_int32:
+    cgroup_id = get_current_cgroup_id()
+    count_ptr = syscall_count.lookup(cgroup_id)
+
+    if count_ptr:
+        new_count = count_ptr + c_uint64(1)
+        syscall_count.update(cgroup_id, new_count)
+    else:
+        syscall_count.update(cgroup_id, c_uint64(1))
+
+    return c_int32(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+    return "GPL"
+
+
+# ==================== Main ====================
+
+if __name__ == "__main__":
+    print("🔥 Loading BPF programs...")
+
+    # Load and attach BPF program
+    b = BPF()
+    b.load()
+    b.attach_all()
+
+    # Get map references and enable struct deserialization
+    read_map_ref = b["read_map"]
+    write_map_ref = b["write_map"]
+    net_stats_map_ref = b["net_stats_map"]
+    syscall_count_ref = b["syscall_count"]
+
+    read_map_ref.set_value_struct("read_stats")
+    write_map_ref.set_value_struct("write_stats")
+    net_stats_map_ref.set_value_struct("net_stats")
+
+    print("✅ BPF programs loaded and attached")
+
+    # Setup data collector
+    collector = ContainerDataCollector(
+        read_map_ref, write_map_ref, net_stats_map_ref, syscall_count_ref
+    )
+
+    # Create and run TUI
+    tui = ContainerMonitorTUI(collector)
+    tui.run()