Skip to content

Commit

Permalink
tetragon: docs, simplify getting started guide
Browse files Browse the repository at this point in the history 
Simplify the getting started guide
  • Loading branch information
@jrfastab
jrfastab committed Oct 6, 2023
1 parent decc786 commit 901ba2b
Show file tree
Hide file tree
Showing 9 changed files with 348 additions and 492 deletions.
4 changes: 2 additions & 2 deletions docs/content/en/docs/concepts/tracing-policy/example.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -115,8 +115,8 @@ echo eBPF! > /tmp/tetragon
Starting Tetragon with the above `TracingPolicy`, for example putting the
policy in the `example.yaml` file, compiling the project locally and starting
Tetragon with (you can do similar things with container image releases, see the
docker run command in the [Try Tetragon on Linux guide]({{< ref
"/docs/getting-started/try-tetragon-linux#observability-with-tracingpolicy" >}}):
docker run command in the [Try Tetragon on Linux guide]

```shell-session
sudo ./tetragon --bpf-lib bpf/objs --tracing-policy example.yaml
```
Expand Down
9 changes: 9 additions & 0 deletions docs/content/en/docs/getting-started/install-tetragon/_index.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
title: "Quick Install Tetragon"
linkTitle: "Quick Install"
isShownInList: false
weight: 1
description: >
Quick install quide for Tetragon.
---

32 changes: 32 additions & 0 deletions docs/content/en/docs/getting-started/install-tetragon/install-docker.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
---
title: "Try Tetragon locally "
weight: 1
description: "Discover and experiment with Tetragon on your local Linux host"
---

{{< note >}}
This guide has been tested on Ubuntu 22.04 and 22.10 with respectively kernel
`5.15.0` and `5.19.0` on amd64 and arm64 but
[any recent distribution](https://github.com/libbpf/libbpf#bpf-co-re-compile-once--run-everywhere)
shipping with a relatively recent kernel should work. See the FAQ for further details on
the [recommended kernel versions]({{< ref "/docs/faq#what-is-the-minimum-linux-kernel-version-to-run-tetragon" >}}).

Note that you cannot run Tetragon using Docker Desktop on macOS because of a
limitation of the Docker Desktop Linux virtual machine. Learn more about this issue
and how to run Tetragon on a Mac computer in [this section of the FAQ page](/docs/faq/#can-i-run-tetragon-on-mac-computers).
{{< /note >}}

## Start Tetragon

The easiest way to start experimenting with Tetragon is to run it via Docker
using the released container images.

```shell
docker run --name tetragon-container --rm --pull always \
--pid=host --cgroupns=host --privileged \
-v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \
quay.io/cilium/tetragon-ci:latest
```

This will start Tetragon in a privileged container. Priviliges are required
to load and attach BPF programs. See Installation section for more details.
74 changes: 74 additions & 0 deletions docs/content/en/docs/getting-started/install-tetragon/install-k8s.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
---
title: "Try Tetragon on Kubernetes"
weight: 1
description: "Discover and experiment with Tetragon in a kubernetes environment"
---

### Create a cluster

If you don’t have a Kubernetes Cluster yet, you can use the instructions below to create a Kubernetes cluster locally or using a managed Kubernetes service:

TBD tabplane this...

#### Kind

Run the following command to create the Kubernetes cluster:
```
kind create cluster
```

#### GKE

Run the following command to create a GKE cluster:

```shell
export NAME="$(whoami)-$RANDOM"
gcloud container clusters create "${NAME}" \
--zone us-west2-a \
--num-nodes 1
```

### Deploy Tetragon

To install and deploy Tetragon, run the following commands:

```shell
helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon -n kube-system
kubectl rollout status -n kube-system ds/tetragon -w
```

By default, Tetragon will filter kube-system events to reduce noise in the
event logs. See concepts and advanced configuration to configure these
parameters.

### Deploy demo application

To explore Tetragon its helpful to have a sample workload. Here wu use the Cilium
HTTP application, but any workload would work equally well.

To use our [demo
application](https://docs.cilium.io/en/v1.11/gettingstarted/http/#deploy-the-demo-application)

```shell
kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.11/examples/minikube/http-sw-app.yaml
```

Before going forward, verify that all pods are up and running - it might take
several seconds for some pods until they satisfy all the dependencies:

```shell
kubectl get pods
```

The output should be similar to:
```
NAME READY STATUS RESTARTS AGE
deathstar-6c94dcc57b-7pr8c 1/1 Running 0 10s
deathstar-6c94dcc57b-px2vw 1/1 Running 0 10s
tiefighter 1/1 Running 0 10s
xwing 1/1 Running 0 10s
```


99 changes: 0 additions & 99 deletions docs/content/en/docs/getting-started/kubernetes-quickstart-guide.md
View file

This file was deleted.

140 changes: 140 additions & 0 deletions docs/content/en/docs/getting-started/tetragon-execution.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,140 @@
---
title: "Execution monitoring"
weight: 2
description: "Execution Traces with Tetragon"
---

At the core of Tetragon is the tracking of all executions in a kubernetes cluster,
virtual machines, and baremetal systems. This creates the foundation that allows
Tetragon to attribute all system behavior back to a specific binary and its
associated metadata (container, pod, node, and cluster).

## Observe Tetragon Execution Events

Tetragon exposes the execution trace over JSON logs and GRPC stream. The user
can then observe all executions in the system.

The following command can be used to observe exec events.

{{< tabpane >}}
{{< tab header="K8s" >}}
kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact
{{< /tab >}}
{{< tab header="Docker" >}}
docker exec tetragon-container tetra getevents -o compact
{{< /tab >}}
{{< tab header="Systemd" >}}
{{< /tab >}}
{{< /tabpane >}}

This will print a compact form of the exec logs. For an example we do the following
with the demo application.

```
kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon
```
The CLI will print a compact form of the event to the terminal

```
🚀 process default/xwing /bin/bash -c "curl https://ebpf.io/applications/#tetragon"
🚀 process default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragon
💥 exit default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragon 60
```

The compact exec event contains the event type, the pod name, the binary and the args. The exit event will include the return code, in the case of curl `60` above.

For the complete exec event in JSON format remove the compact option.

{{< tabpane >}}
{{< tab header="K8s" >}}
kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents
{{< /tab >}}
{{< tab header="Docker" >}}
docker exec tetragon-container tetra getevents
{{< /tab >}}
{{< tab header="Systemd" >}}
{{< /tab >}}
{{< /tabpane >}}

This will include a lot more details related the binary and event. A full example of the above curl is hown here,

```
{
"process_exec": {
"process": {
"exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4Njc0MzIxMzczOjUyNjk5",
"pid": 52699,
"uid": 0,
"cwd": "/",
"binary": "/usr/bin/curl",
"arguments": "https://ebpf.io/applications/#tetragon",
"flags": "execve rootcwd",
"start_time": "2023-10-06T22:03:57.700327580Z",
"auid": 4294967295,
"pod": {
"namespace": "default",
"name": "xwing",
"container": {
"id": "containerd://551e161c47d8ff0eb665438a7bcd5b4e3ef5a297282b40a92b7c77d6bd168eb3",
"name": "spaceship",
"image": {
"id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6",
"name": "docker.io/tgraf/netperf:latest"
},
"start_time": "2023-10-06T21:52:41Z",
"pid": 49
},
"pod_labels": {
"app.kubernetes.io/name": "xwing",
"class": "xwing",
"org": "alliance"
},
"workload": "xwing"
},
"docker": "551e161c47d8ff0eb665438a7bcd5b4",
"parent_exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4NjcwODgzMjk5OjUyNjk5",
"tid": 52699
},
"parent": {
"exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4NjcwODgzMjk5OjUyNjk5",
"pid": 52699,
"uid": 0,
"cwd": "/",
"binary": "/bin/bash",
"arguments": "-c \"curl https://ebpf.io/applications/#tetragon\"",
"flags": "execve rootcwd clone",
"start_time": "2023-10-06T22:03:57.696889812Z",
"auid": 4294967295,
"pod": {
"namespace": "default",
"name": "xwing",
"container": {
"id": "containerd://551e161c47d8ff0eb665438a7bcd5b4e3ef5a297282b40a92b7c77d6bd168eb3",
"name": "spaceship",
"image": {
"id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6",
"name": "docker.io/tgraf/netperf:latest"
},
"start_time": "2023-10-06T21:52:41Z",
"pid": 49
},
"pod_labels": {
"app.kubernetes.io/name": "xwing",
"class": "xwing",
"org": "alliance"
},
"workload": "xwing"
},
"docker": "551e161c47d8ff0eb665438a7bcd5b4",
"parent_exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4NjQ1MjQ1ODM5OjUyNjg5",
"tid": 52699
}
},
"node_name": "gke-john-632-default-pool-7041cac0-9s95",
"time": "2023-10-06T22:03:57.700326678Z"
}
```

## What's next
Loading

0 comments on commit 901ba2b

Please sign in to comment.