Introduction to sysdig
Features
Sysdig is "system" + "dig". It is an open-source system exploration tool for system-level inspection and troubleshooting; you can think of it as combining the functions of a set of classic Unix tools, mainly:
- strace: trace the system calls a process makes and the results it receives.
- tcpdump: capture and analyse raw network traffic.
- lsof: list open files.
- top: system performance monitor.
- htop: interactive process viewer, a drop-in replacement for top.
- iftop: show the host's network traffic and the bandwidth used by each pair of communicating hosts.
- lua: a small embeddable scripting language designed to give applications flexible extension and customisation; sysdig's chisels are written in it.
Installation
- curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Note that this pipes a script fetched over the network straight into a root shell. Download the script first, read it and check its integrity before running it, or use your distribution's sysdig package instead.
Basic usage
https://sysdig.com/blog/linux-troubleshooting-cheatsheet/
By default, sysdig prints the information for each captured event on a single line, with the following format:

```
%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
```
- Column 1 is the event number, which increases automatically.
- Column 2 is the timestamp of the event.
- Column 3 is the CPU ID.
- Column 4 is the process name.
- Column 5 is the thread ID.
- Column 6 is the event direction: > on entering a system call (e.g. entering ioctl), < on leaving it.
- Column 7 is the event name (e.g. ioctl).
- Column 8 is the event arguments.

Running sysdig with no arguments prints every event on the system:

```
sysdig
11546 14:19:40.970329079 0 sshd (987) < clock_gettime
11547 14:19:40.970329630 2 <NA> (136) > switch next=4466(sysdig) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
11548 14:19:40.970330354 0 sshd (987) > select
11549 14:19:40.970330796 2 sysdig (4466) > switch next=136 pgft_maj=0 pgft_min=1893 vm_size=174596 vm_rss=11472 vm_swap=0
11550 14:19:40.970331781 2 <NA> (136) > switch next=4466(sysdig) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
11551 14:19:40.970331966 0 sshd (987) < select res=2
11553 14:19:40.970333077 0 sshd (987) > rt_sigprocmask
```
Comparison with the classic commands
- strace who -> sysdig proc.name=who

For example, tracing the cellapp process:

```
sysdig proc.name=cellapp
456887 14:30:33.707997040 5 cellapp (5851) < open fd=-2(ENOENT) name=/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_datamodule.so flags=1(O_RDONLY) mode=0
456888 14:30:33.707998038 5 cellapp (5851) > open
456889 14:30:33.707998999 5 cellapp (5851) < open fd=-2(ENOENT) name=/home/jhlin/mf/bigworld/res/entities/common/cdata/xiang_yin_shop_datamodule.so flags=1(O_RDONLY) mode=0
456890 14:30:33.708000166 5 cellapp (5851) > open
456891 14:30:33.708002470 5 cellapp (5851) < open fd=11(<f>/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.py) name=/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.py flags=1(O_RDONLY) mode=0
456892 14:30:33.708003755 5 cellapp (5851) > fstat fd=11(<f>/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.py)
456893 14:30:33.708004286 5 cellapp (5851) < fstat res=0
456894 14:30:33.708005567 5 cellapp (5851) > open
456895 14:30:33.708007452 5 cellapp (5851) < open fd=12(<f>/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.pyc) name=/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.pyc flags=1(O_RDONLY) mode=0
456896 14:30:33.708008563 5 cellapp (5851) > fstat fd=12(<f>/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.pyc)
456897 14:30:33.708008858 5 cellapp (5851) < fstat res=0
```

The two ENOENT results show the directories cellapp probes, in order, before it finds the module. That order is worth checking: a directory early in the search path that is writable by a less privileged user is a classic place to plant a file that gets loaded first.

- lsof /var/log/syslog -> sysdig -c lsof "fd.name=/var/log/syslog"

```
sysdig -c lsof "fd.name=/var/log/syslog"
COMMAND PID TID USER FD TYPE NAME
rsyslogd 1609 1609 root 2 file /var/log/syslog
in:imuxsock 1609 1610 root 2 file /var/log/syslog
in:imklog 1609 1611 root 2 file /var/log/syslog
rs:main 1609 1612 root 2 file /var/log/syslog
```

- tcpdump -i eth0 -> sysdig fd.ip=192.168.45.95

```
sysdig fd.ip=192.168.45.95
1568372 14:35:33.768123566 0 dbmgr (5668) < recvfrom res=-11(EAGAIN) data= tuple=NULL
```
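The default line format described above is easy to read but awkward to grep once a capture runs to thousands of events. The following is an added example, not code from the original page or from the sysdig project: it parses the default line format into fields, then applies that to the cellapp capture to list failed open() calls and the directory order the process probed for each file, which is exactly the information you need to judge whether a search path can be hijacked. The sample lines are copied from the captures shown on this page; the parser assumes argument values contain no whitespace or parentheses (true for these captures), so for untrusted paths use sysdig's JSON output (`sysdig -j`) instead.

```python
import re
from collections import defaultdict

# Default sysdig line format:
# %evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<cpu>\d+)\s+"
    r"(?P<proc>\S+)\s+\((?P<tid>\d+)\)\s+(?P<dir>[<>])\s+(?P<type>\S+)"
    r"(?:\s+(?P<info>.*))?$"
)
# One %evt.info token: key=value plus an optional "(annotation)" suffix,
# e.g. fd=-2(ENOENT), fd=11(<f>/var/log/syslog), flags=1(O_RDONLY), data=
# Assumption: values carry no whitespace or parentheses (use `sysdig -j` otherwise).
ARG_RE = re.compile(r"^(\w+)=([^(]*)(?:\((.*)\))?$")

# Constructed sample input: lines copied from the captures on this page.
SAMPLE = [
    "456887 14:30:33.707997040 5 cellapp (5851) < open fd=-2(ENOENT) name=/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_datamodule.so flags=1(O_RDONLY) mode=0",
    "456888 14:30:33.707998038 5 cellapp (5851) > open",
    "456889 14:30:33.707998999 5 cellapp (5851) < open fd=-2(ENOENT) name=/home/jhlin/mf/bigworld/res/entities/common/cdata/xiang_yin_shop_datamodule.so flags=1(O_RDONLY) mode=0",
    "456890 14:30:33.708000166 5 cellapp (5851) > open",
    "456891 14:30:33.708002470 5 cellapp (5851) < open fd=11(<f>/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.py) name=/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.py flags=1(O_RDONLY) mode=0",
    "456895 14:30:33.708007452 5 cellapp (5851) < open fd=12(<f>/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.pyc) name=/home/jhlin/mf/tw2/res/entities/common/cdata/xiang_yin_shop_data.pyc flags=1(O_RDONLY) mode=0",
    "11547 14:19:40.970329630 2 <NA> (136) > switch next=4466(sysdig) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0",
    "1568372 14:35:33.768123566 0 dbmgr (5668) < recvfrom res=-11(EAGAIN) data= tuple=NULL",
]


def parse_args(info):
    """Turn the %evt.info text into {key: (value, annotation_or_None)}."""
    args = {}
    for token in info.split():
        m = ARG_RE.match(token)
        if m:
            key, value, annot = m.groups()
            args[key] = (value, annot)
    return args


def parse_line(line):
    """Parse one default-format sysdig line into a dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["num"] = int(ev["num"])
    ev["cpu"] = int(ev["cpu"])
    ev["tid"] = int(ev["tid"])
    ev["args"] = parse_args(ev["info"] or "")   # enter events may carry no info
    return ev


def open_exits(lines):
    """Yield parsed exit ('<') events of open(); the return value is in the fd argument."""
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["type"] == "open" and ev["dir"] == "<":
            yield ev


def failed_opens(lines):
    """Return (proc, tid, path, errno_name) for every open() that failed.

    sysdig annotates a negative fd with the errno name, e.g. fd=-2(ENOENT).
    """
    hits = []
    for ev in open_exits(lines):
        fd, annot = ev["args"].get("fd", ("", None))
        if fd.startswith("-"):
            hits.append((ev["proc"], ev["tid"], ev["args"].get("name", ("", None))[0], annot))
    return hits


def probe_order(lines):
    """Map each file basename to the ordered list of directories in which a
    process tried to open it. The first writable entry is where an attacker
    would plant a file to have it loaded ahead of the real one."""
    order = defaultdict(list)
    for ev in open_exits(lines):
        path = ev["args"].get("name", ("", None))[0]
        if path:
            directory, _, base = path.rpartition("/")
            order[base].append(directory)
    return dict(order)


if __name__ == "__main__":
    for proc, tid, path, err in failed_opens(SAMPLE):
        print(f"{proc}({tid}) open failed with {err}: {path}")
    for base, dirs in probe_order(SAMPLE).items():
        print(f"{base}: probed in {' -> '.join(dirs)}")
```

In practice the input would be a capture read from `sysdig -w` / `sysdig -r` or piped straight from `sysdig proc.name=cellapp`; the same functions apply unchanged.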
Chisels
Chisels are small Lua scripts that post-process captured events; sysdig ships with a built-in set.
sysdig -cl lists the available chisels.
sysdig -i topprocs_cpu shows the description of the topprocs_cpu chisel:
```
Category: CPU Usage
-------------------
topprocs_cpu Top processes by CPU usage
Show the top process defined by the highest CPU utilization. This chisel is compatible with containers using the sysdig -pc or -pcontainer argument, otherwise no container information will be shown.
```

sysdig -c topprocs_net runs the topprocs_net chisel:
```
Bytes Process PID
--------------------------------------------------------------------------------
357.76KB cellapp 5993
298.25KB baseapp 5995
216.51KB sshd 923
90.71KB xterm 5949
57.19KB cellappmgr 5669
45.91KB cellapp 5851
10.15KB message_logger 2487
6.56KB xterm 5763
3.80KB sshd 987
340B baseappmgr 5670
65B sshd 2578
13B node 2581
```