add traceectl to tracee #4396
Conversation
Please see comments below.
In addition, please add documentation to traceectl.
As part of the documentation, please also refer to the way the user should start tracee "daemon" (e.g. using NONE output and setting the grpc server address)
What do you think about adding a flag to traceectl version command called
I believe we wouldn't bother with it. When it's from a released version, it's already short.
Gonna go through this tomorrow. 👍🏻
cmd/traceectl/pkg/mock/server.go (Outdated)
    var (
        ExpectedVersion string = "v0.22.0-15-gd09d7fca0d"
Update this output when writing test to version command or remove it entirely
Looks great to me, maybe go over the documentation and review it once more
@ShohamBit @yanivagman what do you think about splitting this? Since we already have a working stream command, we could open a PR with just the base root and stream commands to establish a foundation for the upcoming new commands (each added in separate PRs). This approach would make both implementation and review more manageable.
Hey @geyslan, great thinking, let's discuss this over with @yanivagman
First pass...
Co-authored-by: Yaniv Agman <[email protected]>
By running:
sudo ./dist/tracee --grpc-listen-addr unix:/tmp/tracee.sock
and
sudo go run main.go stream --server /tmp/tracee.sock
These are my current considerations, without diving into the code:
- The table format should be fixed to print formatted, sized and padded columns:
@yanivagman should we bring Tracee's table print logic into traceectl, or should it be built from the ground up?
TIME EVENT NAME POLICIES PID DATA
11:04:20.943 security_socket_connect 115863 Sockfd: 23, Type: SOCK_DGRAM, Remote_addr: unknown
11:04:20.943 security_inode_unlink 115863 Pathname: /gg/.config/obsidian/Cache/Cache_Data/602073909c0e5ef2_0, Inode: 11410345, Dev: 271581186, Ctime: 1736511144436805063
11:04:21.466 security_inode_unlink 115863 Pathname: /.org.chromium.Chromium.etVvra, Inode: 414968, Dev: 27, Ctime: 1736511155430523925
11:04:21.488 sched_process_exec 2882348 Cmdpath: /usr/bin/docker, Pathname: /usr/bin/docker, Dev: 271581188, Inode: 14959315, Ctime: 1733226421039998680, Inode_mode: 33261, Interpreter_pathname: /usr/lib/ld-linux-x86-64.so.2, Interpreter_dev: 271581188, Interpreter_inode: 14953473, Interpreter_ctime: 1724352647074994761, Argv: docker, context, ls, --format, {{json .}}, Interp: /usr/bin/docker, Stdin_type: S_IFSOCK, Stdin_path: UNIX-STREAM, Invoked_from_kernel: 0, Prev_comm: code, Env:
11:04:21.606 sched_process_exec 2882358 Cmdpath: /bin/sh, Pathname: /usr/bin/bash, Dev: 271581188, Inode: 14942367, Ctime: 1728904355376515843, Inode_mode: 33261, Interpreter_pathname: /usr/lib/ld-linux-x86-64.so.2, Interpreter_dev: 271581188, Interpreter_inode: 14953473, Interpreter_ctime: 1724352647074994761, Argv: /bin/sh, -c, which ps, Interp: /bin/sh, Stdin_type: S_IFSOCK, Stdin_path: UNIX-STREAM, Invoked_from_kernel: 0, Prev_comm: code, Env:
11:04:21.607 sched_process_exec 2882358 Cmdpath: /usr/bin/which, Pathname: /usr/bin/which, Dev: 271581188, Inode: 14943707, Ctime: 1704474426940012677, Inode_mode: 33261, Interpreter_pathname: /usr/lib/ld-linux-x86-64.so.2, Interpreter_dev: 271581188, Interpreter_inode: 14953473, Interpreter_ctime: 1724352647074994761, Argv: which, ps, Interp: /usr/bin/which, Stdin_type: S_IFSOCK, Stdin_path: UNIX-STREAM, Invoked_from_kernel: 0, Prev_comm: sh, Env:
11:04:21.610 sched_process_exec 2882359 Cmdpath: /bin/sh, Pathname: /usr/bin/bash, Dev: 271581188, Inode: 14942367, Ctime: 1728904355376515843, Inode_mode: 33261, Interpreter_pathname: /usr/lib/ld-linux-x86-64.so.2, Interpreter_dev: 271581188, Interpreter_inode: 14953473, Interpreter_ctime: 1724352647074994761, Argv: /bin/sh, -c, /usr/bin/ps -ax -o pid=,ppid=,pcpu=,pmem=,command=, Interp: /bin/sh, Stdin_type: S_IFSOCK, Stdin_path: UNIX-STREAM, Invoked_from_kernel: 0, Prev_comm: code, Env:
11:04:21.611 sched_process_exec 2882359 Cmdpath: /usr/bin/ps, Pathname: /usr/bin/ps, Dev: 271581188, Inode: 14943410, Ctime: 1715642853292467628, Inode_mode: 33261, Interpreter_pathname: /usr/lib/ld-linux-x86-64.so.2, Interpreter_dev: 271581188, Interpreter_inode: 14953473, Interpreter_ctime: 1724352647074994761, Argv: /usr/bin/ps, -ax, -o, pid=,ppid=,pcpu=,pmem=,command=, Interp: /usr/bin/ps, Stdin_type: S_IFSOCK, Stdin_path: UNIX-STREAM, Invoked_from_kernel: 0, Prev_comm: sh, Env:
11:04:21.627 security_socket_connect 2584510 Sockfd: 276, Type: SOCK_DGRAM, Remote_addr: unknown
- The json format should be achieved by marshalling the event
timestamp:{seconds:1736854808 nanos:154023619} id:sched_process_exec name:"sched_process_exec" policies:{matched:""} context:{process:{unique_id:{value:215105539} host_pid:{value:2908571} pid:{value:2908571} real_user:{id:{value:1000}} thread:{start_time:{seconds:1736854808 nanos:148659901} name:"git" unique_id:{value:215105539} host_tid:{value:2908571} tid:{value:2908571} syscall:"execve"} ancestors:{unique_id:{value:601716279} host_pid:{value:2676683} pid:{value:2676683}}}} data:{name:"cmdpath" str:"/usr/bin/git"} data:{name:"pathname" str:"/usr/bin/git"} data:{name:"dev" u_int32:271581188} data:{name:"inode" u_int64:14965375} data:{name:"ctime" u_int64:1733226427044068397} data:{name:"inode_mode" u_int32:33261} data:{name:"interpreter_pathname" str:"/usr/lib/ld-linux-x86-64.so.2"} data:{name:"interpreter_dev" u_int32:271581188} data:{name:"interpreter_inode" u_int64:14953473} data:{name:"interpreter_ctime" u_int64:1724352647074994761} data:{name:"argv" str_array:{value:"/usr/bin/git" value:"-c" value:"core.quotepath=false" value:"-c" value:"color.ui=false" value:"rev-parse" value:"--verify" value:"--end-of-options" value:"2908479^{commit}"}} data:{name:"interp" str:"/usr/bin/git"} data:{name:"stdin_type" str:"S_IFSOCK"} data:{name:"stdin_path" str:"UNIX-STREAM"} data:{name:"invoked_from_kernel" int32:0} data:{name:"prev_comm" str:"code"} data:{name:"env" str_array:{}} 8:""
It's being appended with spaces and it doesn't pass json lint.
I don't see why we should construct the output of it by ourselves. @ShohamBit @yanivagman Am I missing something?
- After the above printed, it panicked:
Error receiving streamed event
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x86b067]
goroutine 1 [running]:
github.com/aquasecurity/tracee/cmd/traceectl/cmd.streamEvents(0xddd6e0, {0xc000156600, 0x0, 0x2})
/home/gg/code/tracee/cmd/traceectl/cmd/stream.go:77 +0x427
github.com/aquasecurity/tracee/cmd/traceectl/cmd.init.func10(0xddd6e0?, {0xc000156600?, 0x4?, 0x97d1e9?})
/home/gg/code/tracee/cmd/traceectl/cmd/stream.go:24 +0x18
github.com/spf13/cobra.(*Command).execute(0xddd6e0, {0xc0001565e0, 0x2, 0x2})
/root/go/pkg/mod/github.com/spf13/[email protected]/command.go:989 +0xa91
github.com/spf13/cobra.(*Command).ExecuteC(0xddce40)
/root/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
/root/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041
github.com/aquasecurity/tracee/cmd/traceectl/cmd.Execute()
/home/gg/code/tracee/cmd/traceectl/cmd/root.go:78 +0x1a
main.main()
/home/gg/code/tracee/cmd/traceectl/main.go:9 +0xf
exit status 2
- Running it without the server flag makes it attempt to connect to a predefined default path:
sudo go run main.go stream
Error calling Stream: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial unix /var/run/tracee.sock: connect: no such file or directory"
It's lacking error handling.
- Output of
sudo go run main.go stream -h
Stream Management:
Stream events directly from tracee to the preferred output format.
Usage:
traceectl stream [policies...] [flags]
Flags:
-f, --format string Specify the output format for streamed events (json|table). Defaults to table. (default "table")
-h, --help help for stream
Global Flags:
-o, --output string Specify the output format
--server string Server connection path or address.
for unix socket <socket_path> (default: /tmp/tracee.sock)
for tcp <IP:Port> (default "/var/run/tracee.sock")
- What should the --output format flag change, since we already have the --format flag to choose it? Shouldn't it be a flag to write to any output specified independently of the format?
- If --server is not set, it should default to only one single protocol/type. Perhaps it might have parsing to check for "unix:sock.path" and "tcp:IP:port".
- Create a Makefile
This will make the development process simpler regarding building, debugging, etc. You can mirror what we have in Tracee.
- Squash commits of the same subject
This will help you to stack related changes in proper commits and the reviewers as well. In this PR I believe 2 or 3 commits will fit (1. for the new tool coming, 2. for doc changes, 3. for tests).
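As an added example (not code from this PR or from tracee itself), here is one way to implement two of the points raised above in Go: a --server parser that accepts only "unix:<path>" and "tcp:<host>:<port>" and falls back to a single default, and a stream loop that checks the Recv error before touching the event and prints padded columns with text/tabwriter. ParseServerAddr, StreamToTable, the Event stand-in type, the sliceStream replay helper and the default socket path are all assumptions of this example, not names from the PR; the sample events are constructed from the table printed above.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"strconv"
	"strings"
	"text/tabwriter"
)

// Endpoint is the parsed --server value: Network is "unix" or "tcp",
// Target is the string a gRPC client would dial.
type Endpoint struct {
	Network string
	Target  string
}

// Assumed default for this example; the PR discusses both /tmp/tracee.sock
// and /var/run/tracee.sock, so treat this value as a placeholder.
const defaultServer = "unix:/var/run/tracee.sock"

// ParseServerAddr accepts exactly "unix:<abs-path>" or "tcp:<host>:<port>" and
// uses one default when the flag is empty. Any other shape is rejected rather
// than guessed, so a typo cannot silently dial an unintended endpoint.
func ParseServerAddr(s string) (Endpoint, error) {
	if s == "" {
		s = defaultServer
	}
	scheme, rest, ok := strings.Cut(s, ":")
	if !ok {
		return Endpoint{}, fmt.Errorf("server %q: want unix:<path> or tcp:<host>:<port>", s)
	}
	switch scheme {
	case "unix":
		if !strings.HasPrefix(rest, "/") {
			return Endpoint{}, fmt.Errorf("server %q: unix socket path must be absolute", s)
		}
		return Endpoint{Network: "unix", Target: "unix:" + rest}, nil
	case "tcp":
		host, port, err := net.SplitHostPort(rest)
		if err != nil || host == "" {
			return Endpoint{}, fmt.Errorf("server %q: tcp address must be <host>:<port>", s)
		}
		if p, err := strconv.Atoi(port); err != nil || p < 1 || p > 65535 {
			return Endpoint{}, fmt.Errorf("server %q: invalid port %q", s, port)
		}
		return Endpoint{Network: "tcp", Target: net.JoinHostPort(host, port)}, nil
	default:
		return Endpoint{}, fmt.Errorf("server %q: unknown scheme %q", s, scheme)
	}
}

// Event is a constructed stand-in for the streamed event; tracee's real
// message is a protobuf type with many more fields.
type Event struct {
	Time, Name, Data string
	PID              int
}

// EventStream is the only method of a gRPC client stream this loop needs.
type EventStream interface {
	Recv() (*Event, error)
}

// StreamToTable prints events as aligned, padded columns. Recv's error is
// checked before the event is used: io.EOF ends the stream cleanly and any
// other error is returned to the caller, which avoids the nil dereference a
// "log and carry on" loop would hit. It returns the number of rows written.
func StreamToTable(st EventStream, w io.Writer) (int, error) {
	tw := tabwriter.NewWriter(w, 0, 0, 2, ' ', 0)
	fmt.Fprintln(tw, "TIME\tEVENT NAME\tPID\tDATA")
	rows := 0
	for {
		ev, err := st.Recv()
		if errors.Is(err, io.EOF) {
			return rows, tw.Flush()
		}
		if err != nil {
			tw.Flush()
			return rows, fmt.Errorf("receiving streamed event: %w", err)
		}
		fmt.Fprintf(tw, "%s\t%s\t%d\t%s\n", ev.Time, ev.Name, ev.PID, ev.Data)
		rows++
	}
}

// sliceStream replays constructed events, then ends with a chosen error.
type sliceStream struct {
	events []*Event
	final  error
}

func (s *sliceStream) Recv() (*Event, error) {
	if len(s.events) == 0 {
		return nil, s.final
	}
	ev := s.events[0]
	s.events = s.events[1:]
	return ev, nil
}

func main() {
	st := &sliceStream{events: []*Event{
		{"11:04:20.943", "security_socket_connect", "Sockfd: 23, Type: SOCK_DGRAM", 115863},
		{"11:04:21.488", "sched_process_exec", "Cmdpath: /usr/bin/docker", 2882348},
	}, final: io.EOF}
	if _, err := StreamToTable(st, os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

The parser returns an error for a bare path such as /tmp/tracee.sock on purpose: with two transports and one default, an unprefixed value is ambiguous, and the Target it produces for unix sockets already carries the "unix:" prefix that gRPC dial targets expect. In the stream loop the only thing done with a failed Recv is to flush what was printed and return the wrapped error, so the caller (the cobra RunE) decides how to report it instead of the process crashing.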
Description
This PR introduces traceectl, a new CLI tool for interacting with Tracee. It implements basic commands for communication with Tracee via gRPC.
Key Changes
- traceectl CLI tool
  - version
  - metrics
  - stream
  - event
042349a fix more issues
59e6e3c fix lint problem in traceectl
0618d49 made changes to the docs of traceectl
144cf90 resolve client creation code
0c5a8d2 fix stream code
d08c7d7 fix root command
dcd71ed fix event command code
e1eef96 tidy formatter pkg
c55d1a9 fix flag pkg
df3501d fix client pkg
4866b0c Update cmd/traceectl/cmd/event.go
f0ec9fe Update cmd/traceectl/cmd/event.go
ee84109 Update docs/docs/traceectl/index.md
8046da8 Update docs/docs/traceectl/index.md
9680bb9 Update docs/docs/traceectl/flags/server.md
62da87d Update cmd/traceectl/cmd/event.go
2815df6 Update docs/docs/traceectl/flags/format.md
c8a1b92 Update docs/docs/traceectl/commands/version.md
93fa420 Update cmd/traceectl/cmd/event.go
a58c7ea Update cmd/traceectl/cmd/event.go
216c76e Update cmd/traceectl/cmd/event.go
a1cc925 Update cmd/traceectl/cmd/event.go
90b8ef4 added docs to mkdocs file
d717339 change default socket to /var/run/tracee.sock
795f2d9 change make build to go build, remove install
6dd5960 modified code to align with new status flag code, fix minor issues
0f816ba added server flag code
71db0a9 added error msg for not supported output format
30fbfe1 added docs to traceectl flags
3cfff2b make format flag global
21ac45f added metrics docs
13549c7 added stream doc
b3ed5ac added doc for event
a026f34 added version command doc
997a267 add white space to make the server connection a separate block
9184a1c added basic documentation for traceectl
0673944 support output
6fca72e fix event and remove printer pkg
b0f43a7 add support to json
77dce12 moved printer stream code to stream
d68b359 fix client and root
f33a9fa fix mock server and client
d085ca1 fix formatter
3997a6f fix client code
b3baff0 remove code not supported by tracee
f27998e change design for traceectl
c1bafdf Add traceectl to tracee
Testing
Compile and run Tracee with gRPC:
Run traceectl:
cd ./cmd/traceectl
sudo go run main.go stream --server /tmp/tracee.sock
This displays the help command.
Current Limitations
- metrics: JSON output is not yet supported.
- stream: Only the base stream command is supported. Streams events directly from Tracee.
Related Issues
- traceectl #4419
Note: This PR was accidentally closed previously and is now being resubmitted.