Jisu Kim  Jaehyun Nam

Vol. 13,  No. 9, pp. 404-412, Sep.  2024
https://doi.org/10.3745/TKIPS.2024.13.9.404

Container eBPF monitoring Observability

PDF

The adoption of cloud environments has revolutionized application deployment and management, with microservices architecture and container technology serving as key enablers of this transformation. However, these advancements have introduced new challenges, particularly the necessity to precisely understand service interactions and conduct detailed analyses of internal processes within complex service environments such as microservices. Traditional monitoring techniques have proven inadequate in effectively analyzing these complex environments, leading to increased interest in eBPF (extended Berkeley Packet Filter) technology as a solution. eBPF is a powerful tool capable of real-time event collection and analysis within the Linux kernel, enabling the monitoring of various events, including file system activities within the kernel space. This paper proposes a container activity analysis system based on eBPF, which monitors events occurring in the kernel space of both containers and host systems in real-time and analyzes the collected data. Furthermore, this paper conducts a comparative analysis of prominent eBPF-based container monitoring systems (Tetragon, Falco, and Tracee), focusing on aspects such as event detection methods, default policy application, event type identification, and system call blocking and alert generation. Through this evaluation, the paper identifies the strengths and weaknesses of each system and determines the necessary features for effective container process monitoring and restriction. In addition, the proposed system is evaluated in terms of container metadata collection, internal activity monitoring, and system metadata integration, and the effectiveness and future potential of eBPF-based monitoring systems.