Chapter 5. Querying with Sysdig

The previous tools we have looked at have all relied on making API calls to Docker or reading metrics from LXC. Sysdig works differently by hooking itself into the host machine's kernel. While this approach does go against Docker's philosophy of each service being run in its own isolated container, the information you can get by running Sysdig for only a few minutes far outweighs any arguments against using it.

In this chapter, we will look at the following topics:

  • How to install Sysdig and Csysdig on the host machine
  • Basic usage and how to query your containers in real time
  • How to capture logs so they can be queried later

What is Sysdig?

Before we start to get into Sysdig, let's first understand what it is. When I first heard about the tool, I thought to myself that it sounded too good to be true; the website describes the tool as follows:

"Sysdig is open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze. Sysdig is scriptable in Lua and includes a command line interface and a powerful interactive UI, csysdig, that runs in your terminal. Think of sysdig as strace + tcpdump + htop + iftop + lsof + awesome sauce. With state of the art container visibility on top."

This is quite a claim, as all the tools it claims to be as powerful as were already in my set of go-to commands to run when looking into problems, so I was a little skeptical at first.

Anyone who has had to track down a haywire process, or an issue that isn't very verbose in its error logs, on a Linux server will know that using tools such as strace, lsof, and tcpdump can get complicated very quickly. It normally involves capturing a whole lot of data and then using a combination of several tools to slowly, and manually, trace the problem by reducing the amount of data you captured.

Imagine my delight when Sysdig's claims turned out to be true. It made me wish I had the tool back when I was a front line engineer; it would have made my life a lot easier.

Sysdig comes in two different flavors. The first is the open source version available at http://www.sysdig.org/; this comes with an ncurses interface so that you can easily access and query data from a terminal-based GUI.

Note

Wikipedia describes ncurses (new curses) as a programming library that provides an API that allows the programmer to write text-based user interfaces in a terminal-independent manner. It is a toolkit for developing "GUI-like" application software that runs under a terminal emulator. It also optimizes screen changes in order to reduce the latency experienced when using remote shells.

There is also a commercial service that allows you to stream your Sysdig data to their externally hosted service; this version has a web-based interface for viewing and querying your data.

In this chapter, we will be concentrating on the open source version.
