This tool is an experiment made to run runtime profiling on a container. The goal is to identify which files have been used, given an image.
The technical approach is inspired by https://github.com/containers/oci-seccomp-bpf-hook.
It leverages an OCI prestart hook with Podman to attach an eBPF program to the `lsm/file_open` hook point, profiling every opened file.
- Linux kernel > 6.12
- Go 1.25+
- Git
- Linux (root privileges required for the OCI hook / eBPF parts)
- Kernel with eBPF + LSM support enabled
```shell
git clone https://github.com/axel7083/oci-hook-lsm-file-open
cd oci-hook-lsm-file-open
go mod download
make install
```
Once installed, you can use the custom annotation to trigger the OCI hook.

```shell
podman run --annotation="oci-demo-hook=$(pwd)/fedora.profiling.json" fedora
```

The profiling result is a JSON dump, which is pretty hard to use on its own. Leveraging bubbletea, a TUI framework, we can get a pretty nice experience for visualizing the results.
The report-generator tool needs two mandatory arguments:

- `--image`: the image reference (e.g. `fedora:latest`) to use as reference
- `--report`: the report generated by the `oci-hook` binary
If something is not working, you may use `journalctl` to debug the different binaries.
There are 3 binaries created after running `make install`:

- `oci-hook`: this binary is called by podman when the proper annotation is specified.
- `lsm-file-open`: this binary is called by `oci-hook` and runs detached; it loads the eBPF program, then sends `SIGUSR1` to the parent process (`oci-hook`) to notify it that the eBPF program is ready.
- `report-generator`: this binary is a utility tool to visualize the result of the runtime profiling.
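The `oci-hook` side of that handshake, as an added Go sketch that is not the project's own code: it decodes the OCI container state a runtime passes on the hook's stdin, reads the report path from the `oci-demo-hook` annotation (the README's example passes a JSON path there, which is assumed to be the report location), subscribes to `SIGUSR1` before `lsm-file-open` would be spawned, and waits with a timeout that is an assumed value.

```go
package main

import (
	"encoding/json"
	"errors"
	"os"
	"os/signal"
	"syscall"
	"time"
)

// ociState is the container state the runtime writes to a prestart hook's stdin (OCI runtime spec subset).
type ociState struct {
	Pid         int               `json:"pid"`
	Annotations map[string]string `json:"annotations"`
}

// hookAnnotation is the annotation key from the README's podman example.
const hookAnnotation = "oci-demo-hook"

// parseHookState returns the report path carried by the annotation (assumed meaning) and rejects a missing one.
func parseHookState(data []byte) (ociState, string, error) {
	var st ociState
	if err := json.Unmarshal(data, &st); err != nil {
		return st, "", err
	}
	report := st.Annotations[hookAnnotation]
	if report == "" {
		return st, "", errors.New("annotation " + hookAnnotation + " not set")
	}
	return st, report, nil
}

// readySignal subscribes to SIGUSR1 before the child is spawned, so an early notification is queued, not fatal.
func readySignal() <-chan os.Signal {
	ch := make(chan os.Signal, 1)
	signal.Notify(ch, syscall.SIGUSR1)
	return ch
}

// waitForReady blocks until lsm-file-open reports the eBPF program is attached, or gives up after timeout.
func waitForReady(ready <-chan os.Signal, timeout time.Duration) error {
	select {
	case <-ready:
		return nil
	case <-time.After(timeout):
		return errors.New("lsm-file-open did not send SIGUSR1 in time")
	}
}
```

The child side is the mirror image: once its program is loaded it sends `SIGUSR1` to `os.Getppid()`, which the parent's channel above receives.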
Depending on where it is installed, you can directly use the absolute path; by default, after running `make install`, the binaries are in the `./bin` folder of this repository.

```shell
journalctl -t $(pwd)/bin/oci-hook -f
```

Similar to `oci-hook`, we can see the logs of `lsm-file-open` using `journalctl`.

```shell
journalctl -t $(pwd)/bin/lsm-file-open -f
```