cubostratus - Blazingly fast Linux syscall collector

  •        3

cubostratus is a high performance Linux syscall collector. It acquires the syscall flow from the rock solid sysdig driver and emits it to Kafka brokers for later ingestion, storage and analysis.

https://github.com/rabbitstack/cubostratus





Related Projects

tenus - Linux networking in Golang

  •    Go

tenus is a Golang package which allows you to configure and manage Linux network devices programmatically. It communicates with the Linux kernel via netlink to facilitate creation and configuration of network devices on the Linux host. The package also allows for more advanced network setups with Linux containers including Docker. tenus uses runc's implementation of the netlink protocol. The package only works with newer Linux kernels (3.10+) which ship a reasonably new netlink protocol implementation, so if you are running an older kernel this package won't be of much use to you, I'm afraid. I have developed this package on Ubuntu Trusty Tahr, which ships with 3.13+, and verified its functionality on Precise Pangolin with the kernel upgraded to version 3.10. I could have worked around the netlink issues by using ioctl syscalls, but I decided to prefer a "pure netlink" implementation, so suck it old Kernels.

contained.af - A stupid game for learning about containers, capabilities, and syscalls.

  •    Javascript

A game for learning about containers, capabilities, and syscalls. To add a question edit this file: frontend/js/questions.js.

ctop - A command line / text based Linux Containers monitoring tool that works just like you expect.

  •    Python

A command line / text based Linux Containers monitoring tool that works just like you expect. ctop will help you see what's going on at the container level. Basically, containers are a logical group of processes isolated using kernel's cgroups and namespaces. Recently, they have been made popular by Docker and they are also heavily used under the hood by systemd and a load of container tools like lxc, rocket, lmctfy and many others.

cinf - Command line tool to view namespaces and cgroups, useful for low-level container prodding

  •    Go

The cinf package docs are also available online. The following sections show basic usage. For a complete end-to-end usage, see the walkthrough.


pipework - Software-Defined Networking tools for LXC (LinuX Containers)

  •    Shell

Pipework lets you connect together containers in arbitrarily complex scenarios. Pipework uses cgroups and namespaces and works with "plain" LXC containers (created with lxc-start), and with the awesome Docker. If you use VirtualBox, you will have to update your VM network settings. Open the settings panel for the VM, go to the "Network" tab, pull down the "Advanced" settings. Here, the "Adapter Type" should be pcnet (the full name is something like "PCnet-FAST III"), instead of the default e1000 (Intel PRO/1000). Also, "Promiscuous Mode" should be set to "Allow All".

mocker - A crappy imitation of Docker, written in 100% Python

  •    Python

A proof-of-concept imitation of Docker, written in 100% Python. Using Kernel Namespaces, cgroups and network namespaces/iproute2 for Linux. I keep hearing statements like "Docker is basically just cgroups", "Docker is just chroot on steroids", which is totally incorrect.

containers-from-scratch - Writing a container in a few lines of Go code, as seen at DockerCon 2017 and on O'Reilly Safari

  •    Go

You need root permissions for this to work. Also note that the Go code uses some syscall definitions that are only available when building with GOOS=linux.

cilium - HTTP, gRPC, and Kafka Aware Security and Networking for Containers with BPF and XDP

  •    Go

Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as Layer 7 to protect and secure use of modern application protocols such as HTTP, gRPC and Kafka. Cilium is integrated into common orchestration frameworks such as Kubernetes and Mesos. A new Linux kernel technology called BPF is at the foundation of Cilium. It supports dynamic insertion of BPF bytecode into the Linux kernel at various integration points such as: network IO, application sockets, and tracepoints to implement security, networking and visibility logic. BPF is highly efficient and flexible. To learn more about BPF, read more in our extensive BPF and XDP Reference Guide.

systemd-docker - Wrapper for "docker run" to handle systemd quirks

  •    Go

This is a wrapper for docker run so that you can sanely run Docker containers under systemd. The key thing that this wrapper does is move the container process from the cgroups setup by Docker to the service unit's cgroup. This handles a bunch of other quirks so please read through documentation to get an understanding of all the implications of running Docker under systemd. Using this wrapper you can manage containers through systemctl or the docker CLI and everything should just stay in sync. Additionally you can leverage all the cgroup functionality of systemd and systemd-notify.

lxc - LXC - Linux Containers

  •    C

LXC is the well-known and heavily tested low-level Linux container runtime. It has been in active development since 2008 and has proven itself in critical production environments world-wide. Some of its core contributors are the same people that helped to implement various well-known containerization features inside the Linux kernel. LXC's main focus is system containers. That is, containers which offer an environment as close as possible to the one you'd get from a VM but without the overhead that comes with running a separate kernel and simulating all the hardware.

contained.af - A stupid game for learning about containers, capabilities, and syscalls.

  •    Javascript

A stupid game for learning about capabilities and syscalls, WIP. To add a question edit this file: static/js/questions.js.

the-internet - The code of our Internet simulator

  •    Go

The simulation is intended to run inside nested unprivileged LXC containers. As a result, a kernel with full support for unprivileged containers is required, that is any kernel >= 3.13 with all the options required by LXC enabled (see lxc-checkconfig). Additionally, unprivileged qdisc operations require a >= 3.16 kernel to work, so if you want to get the simulated latencies and speeds, you need to run a very recent kernel.

bcc - BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

  •    Python

BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above. One of the more interesting features in this cycle is the ability to attach eBPF programs (user-defined, sandboxed bytecode executed by the kernel) to kprobes. This allows user-defined instrumentation on a live kernel image that can never crash, hang or interfere with the kernel negatively.

gvisor - Container Runtime Sandbox

  •    Go

gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers. gVisor takes a distinct approach to container sandboxing and makes a different set of technical trade-offs compared to existing sandbox technologies, thus providing new tools and ideas for the container security landscape.

cgroups - cgroups package for Go

  •    Go

Go package for creating, managing, inspecting, and destroying cgroups. The resources format for settings on the cgroup uses the OCI runtime-spec found here. This creates a new cgroup using a static path for all subsystems under /test.

zircon - Zircon Kernel, Core Drivers, and Services

  •    C++

Zircon is the core platform that powers the Fuchsia OS. Zircon is composed of a microkernel (source in kernel/...) as well as a small set of userspace services, drivers, and libraries (source in system/...) necessary for the system to boot, talk to hardware, load userspace processes and run them, etc. Fuchsia builds a much larger OS on top of this foundation. The Zircon Kernel provides syscalls to manage processes, threads, virtual memory, inter-process communication, waiting on object state changes, and locking (via futexes).

RancherOS - Tiny Linux distro that runs the entire OS as Docker containers

  •    Go

RancherOS is a minimalist Linux distribution perfect for running Docker containers. It runs Docker directly on top of the kernel and delivers Linux services as containers. It includes only the services needed to run Docker. RancherOS reduces the hassle with updating, patching, and maintaining your container host operating system.

fibratus - Tool for exploration and tracing of the Windows kernel

  •    Python

Fibratus is a tool which is able to capture most of the Windows kernel activity - process/thread creation and termination, context switches, file system I/O, registry, network activity, DLL loading/unloading and much more. The kernel events can be easily streamed to a number of output sinks like AMQP message brokers, Elasticsearch clusters or standard output stream. You can use filaments (lightweight Python modules) to extend Fibratus with your own arsenal of tools and so leverage the power of Python's ecosystem. Download the latest release (Windows installer). The changelog and older releases can be found here.

Docker-Secure-Deployment-Guidelines - Deployment checklist for securely deploying Docker


Within today’s growing cloud-based IT market, there is a strong demand for virtualisation technologies. Unfortunately most virtualisation solutions are not flexible enough to meet developer requirements and the overhead implied by the use of full virtualisation solutions becomes a burden on the scalability of the infrastructure. Docker reduces that overhead by allowing developers and system administrators to seamlessly deploy containers for applications and services required for business operations. However, because Docker leverages the same kernel as the host system to reduce the need for resources, containers can be exposed to significant security risks if not adequately configured. The following itemised list suggests hardening actions that can be undertaken to improve the security posture of the containers within their respective environment. It should be noted that proposed solutions only apply to deployment of Linux Docker containers on Linux-based hosts, using the most recent release of Docker at the time of this writing (1.4.0, commit 4595d4f, dating 11/12/14). Part of the content below is based on publications from Jérôme Petazzoni [1] and Daniel J Walsh [2]. This document aims at adding on to their recommendations and how they can specifically be implemented within Docker. Note: Most of suggested command line options can be stored and used in a similar manner inside a Dockerfile for automated image building. Docker 1.3 now supports cryptographic signatures [3] to ascertain the origin and integrity of official repository images. This feature is however still a work in progress as Docker will issue a warning but not prevent the image from actually running. Furthermore, it does not apply to non-official images. In general, ensure that images are only retrieved from trusted repositories and that the --insecure-registry=[] command line option is never used.





