The probe builder can be used to automatically build kernel modules for the commercial Sysdig agent. It can run on any host with Docker installed, including (with some preparation) air-gapped hosts.
The description below assumes that we need to build probes for:
- agent 12.0.0 (substitute the version as required)
- for RedHat/CentOS kernels
- for Ubuntu kernels use -k CustomUbuntu option instead of -k CustomCentOS
- for Debian kernels use -k CustomDebian option instead of -k CustomCentOS
To prebuild probes for a particular kernel, you need the headers package for that particular kernel, along with its dependencies.
For RedHat-like OSes (RHEL, CentOS, Fedora, etc.), the required packages are usually:
kernel-<VERSION>.rpm
kernel-devel-<VERSION>.rpm
kernel-core-<VERSION>.rpm
(if present)
For Debian-like OSes (Debian, Ubuntu, etc.), the required packages are usually:
linux-image-<VERSION>.deb
linux-headers-<VERSION>.deb
But please note that the set of required packages varies across distributions and versions, so providing an exhaustive list is not possible here.
You can use the crawler functionality to determine the set of packages for a particular kernel. To use it, pass a distribution name (one of the following) and, optionally, the specific kernel version or its subset.
The output is a list of URLs directly to the kernel packages. For example, to download all the packages needed to build the CentOS 4.18.0-305.10.2.el8_4 kernel, you can run:
# docker run (...) -C CentOS 4.18.0-305.10.2.el8_4 | grep '^ ' | xargs wget -c
(...)
# ls -la
total 61556
drwxr-xr-x 2 root root 4096 Aug 12 15:55 .
drwxr-xr-x 9 root root 4096 Aug 12 15:53 ..
-rw-r--r-- 1 root root 6169556 Jul 20 21:12 kernel-4.18.0-305.10.2.el8_4.x86_64.rpm
-rw-r--r-- 1 root root 37552272 Jul 20 21:12 kernel-core-4.18.0-305.10.2.el8_4.x86_64.rpm
-rw-r--r-- 1 root root 19290066 Aug 12 15:55 kernel-devel-4.18.0-305.10.2.el8_4.x86_64.rpm
Then you can pass the directory containing the kernel files to the probe builder container
(/directory-containing-kernel-packages/
in the examples below).
Distributions supported by the kernel crawler:
- AliyunLinux 2 (Alibaba Cloud Linux 2)
- AliyunLinux 3 (Alibaba Cloud Linux 3)
- AlmaLinux
- AmazonLinux
- AmazonLinux2
- CentOS
- CentOS Stream (8 and 9)
- Debian
- Fedora
- Flatcar
- Oracle6
- Oracle7
- Oracle8
- PhotonOS
- RockyLinux
- Ubuntu
Please note that you do not need to extract or install the kernel packages on the build host. The probe builder works on package files directly and extracts them internally.
git clone https://github.com/draios/probe-builder
git clone https://github.com/draios/agent-libs
docker build -t sysdig-probe-builder probe-builder/
cd agent-libs
git checkout agent/12.0.0
cd ..
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /a-directory-with-some-free-space/:/workspace \
-v $(pwd)/agent-libs:/sysdig \
-v /directory-containing-kernel-packages/:/kernels \
sysdig-probe-builder:latest -B -- \
-p sysdigcloud-probe -v 12.0.0 -k CustomCentOS
Note: this takes a long time but is a one-time task
git clone https://github.com/draios/probe-builder
docker build -t airgap/sysdig-probe-builder probe-builder/
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock airgap/sysdig-probe-builder:latest -P -b airgap/
docker save airgap/sysdig-probe-builder | gzip > builders.tar.gz
If you are going to build probes for Ubuntu kernels, you will also need an ubuntu:latest
image on your airgapped host. You can ship it using a very similar approach:
docker pull ubuntu
docker save ubuntu | gzip > ubuntu.tar.gz
This is left as an exercise for the reader. Note that the packages should not be unpacked or installed.
git clone https://github.com/draios/agent-libs
cd agent-libs
git archive agent/12.0.0 --prefix sysdig/ | gzip > sysdig.tar.gz
Again, exercise for the reader
zcat builders.tar.gz | docker load
tar xzf sysdig.tar.gz
it will create sysdig/ in the current directory
Note: This is a single long command
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /a-directory-with-some-free-space/:/workspace \
-v /wherever-you-unpacked/sysdig/:/sysdig \
-v /directory-containing-kernel-packages/:/kernels \
airgap/sysdig-probe-builder:latest -B -b airgap/ -- \
-p sysdigcloud-probe -v 12.0.0 -k CustomCentOS
The probes will appear in /a-directory-with-some-free-space/output
. That directory can be served over HTTP and the URL to the server used as SYSDIG_PROBE_URL
when loading the module (e.g. agent-kmodule container).