Identify containers at runtime and observe them. No container runtime required. Read only access to the kernel.
APACHE-2.0 License
The Double Slit Experiment
Taken from an interesting physics anomaly where the behavior of a physical system mutates simply by being observed.
The thesis behind the project is that meaningful well thought out telemetry could change the behavior of broader systems.
git clone [email protected]:kris-nova/double-slit-experiment.git
cd double-slit-experiment
make
./dse --help
./dse run | uniq
Note: See userspace/profile.go
for filters and configuration for now.
This is a library of abstractions build around Go and eBPF code.
The library will aggregate events from the Linux kernel at runtime using eBPF.
The abstractions are ObservationPoint
's. These are aggregate systems in Go built around tracepoints in the Linux kernel.
Each ObservationPoint
returns one or more events that each implement the Event
interface.
// Event is a generic event for all
// ObservationPoint systems.
type Event interface {
JSON() ([]byte, error)
String() string
Name() string
}
The Double Slit Experiment has two types of filters that can be applied to various Observation Points.
Filters are managed different for each Observation Point, however drop
functions drop as soon as a match is found.
Select functions are active, meaning they will drop any data that does not match the select.
Consider the following stream of data where all integers 0 through 9 were sent through systems select()
and drop()
.
package main
func main() {
data := []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
for _, n := range data {
selectFunction(n)
dropFunction(n)
}
}
Select functions will return data that matches a condition (similar to Unix's grep
by Ken Thompson).
package main
func selectSeven(n int) bool {
return n == 7
}
// output: _, _, _, _, _, _, _, 7, _, _,
Drop functions will drop data that matches a condition.
func dropSeven(n int) {
return n != 7
}
// output: 0, 1, 2, 3, 4, 5, 6, _, 8, 9