internal: new microvm observability hook package#78532

Open
antitree wants to merge 7 commits into wolfi-dev:main from antitree:add-microvm-observability-hook

Conversation

@antitree
Contributor

This adds an additional observability package to the Melange QEMU runner allowing additional telemetry if desired. It is mostly an internal improvement to help support Melange and not a package that others would normally consume directly. It specifically is designed around the custom way that the Melange QEMU runner's linux init process works today so that it can collect observability information with a background process and send it to STDOUT. It's not expected to work for any other environments.

For new package PRs only

  • REQUIRED - The package is available under an OSI-approved or FSF-approved license
  • REQUIRED - The version of the package is still receiving security updates
  • This PR links to the upstream project's support policy (e.g. endoflife.date)

antitree and others added 5 commits December 5, 2025 18:23
This test configuration validates tetragon integration in melange QEMU
builds and is used to verify that tetragon event streaming works
correctly.

The test-tetragon.yaml file:
- Builds a minimal package to test tetragon
- Requires TETRAGON_TEST=1 environment variable
- Requires QEMU_KERNEL_IMAGE to point to kernel with BTF support
- Tests that tetragon daemon starts successfully
- Verifies that events are captured and streamed to logs

Usage:
  export TETRAGON_TEST=1
  export QEMU_KERNEL_IMAGE=$(pwd)/kernel/x86_64/vmlinuz
  melange build test-tetragon.yaml --arch x86_64 --runner qemu \
    --signing-key local-melange.rsa \
    --keyring-append local-melange.rsa.pub \
    --repository-append https://packages.wolfi.dev/os \
    --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \
    --cache-dir ./melange-cache/

Expected output:
- Log lines with [TETRAGON] prefix showing captured events
- Events appear in real-time during build
- Tetragon daemon runs successfully in VM

Changes:
- Add tetragon to runtime dependencies in microvm-init.yaml
- Mount eBPF filesystems (debugfs, tracefs, bpf) in both host and chroot environments
- Start tetragon daemon with event streaming to console
- Add V6 implementation documentation

Technical details:
- eBPF mounts at /sys/kernel/debug, /sys/kernel/tracing, /sys/fs/bpf (host)
- eBPF mounts at /mount/sys/kernel/debug, /mount/sys/kernel/tracing, /mount/sys/fs/bpf (chroot)
- Tetragon events exported to /tmp/tetragon/events.log and streamed to console
- All process execution events visible during package builds

Generated with Claude Code

This version successfully generates TETRAGON process_exec and process_exit events
during package builds. Verified with hello-wolfi build showing 14 events.

Key working configuration:
- Tetragon starts WITHOUT --tracing-policy flag
- Default process event collection enabled
- While loop streaming method works correctly
- Events stream to console throughout build phase

Test results: /tmp/phase3-test.log (14 TETRAGON events captured)

Note: Custom egress policy (tcp_connect kprobe) currently breaks event
generation. This version uses default tetragon behavior only.

🤖 Generated with Claude Code

This package provides an init.d hook for microvm-init that starts
eBPF-based observability during VM boot. Events are streamed to
console with [OBSERVABILITY] prefix.

The hook mounts required eBPF filesystems (debugfs, tracefs, bpf)
and starts the observability framework with JSON event export.

Package includes:
- Runtime dependency on tetragon
- Init script: /opt/melange/init.d/50-observability.sh
- Event streaming to /tmp/observability/events.log
- Console output prefixed with [OBSERVABILITY]

Use case: Enables security observability in isolated QEMU build
environments for audit, forensics, and supply chain security.

Signed-off-by: Mark Manning <mark.manning@chainguard.dev>
Signed-off-by: antitree <antitree@users.noreply.github.com>
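As an added illustration of the hook the commit above describes (example written for this page, not the PR's own 50-observability.sh), the script below mounts debugfs, tracefs and bpf idempotently on the host and, when present, under the /mount chroot, skips startup when the kernel has no BTF (the test commit notes QEMU_KERNEL_IMAGE must point at a BTF kernel), starts tetragon exporting JSON to /tmp/observability/events.log, and streams that file to the console with the [OBSERVABILITY] prefix. The busybox sh environment and tetragon's upstream --export-filename flag are assumptions.

```shell
#!/bin/sh
# Illustrative microvm-init hook (added example, not the PR's script).
# Assumes busybox sh, tetragon on PATH supporting --export-filename, BTF kernel.
set -eu

EVENT_DIR=/tmp/observability
EVENT_LOG="$EVENT_DIR/events.log"

log() { printf '[OBSERVABILITY] %s\n' "$*"; }

# Mount one eBPF filesystem unless that path is already a mountpoint.
mount_once() {  # fstype mountpoint
    grep -q " $2 " /proc/mounts && return 0
    mkdir -p "$2" && mount -t "$1" "$1" "$2"
}

# Mount debugfs, tracefs and bpf under an optional root (e.g. /mount for the chroot).
mount_ebpf_fs() {
    mount_once debugfs "${1:-}/sys/kernel/debug"
    mount_once tracefs "${1:-}/sys/kernel/tracing"
    mount_once bpf     "${1:-}/sys/fs/bpf"
}

# Prefix every line on stdin so tetragon output is distinguishable in the build log.
prefix_events() {
    while IFS= read -r line; do
        printf '[OBSERVABILITY] %s\n' "$line"
    done
}

# Extract the event kind (process_exec, process_exit, ...) from one tetragon JSON line.
event_kind() {
    printf '%s\n' "$1" | sed -n 's/^{"\([a-z_]*\)":.*/\1/p'
}

main() {
    if [ ! -f /sys/kernel/btf/vmlinux ]; then
        log "kernel has no BTF; observability disabled"
        return 0
    fi
    mount_ebpf_fs
    [ -d /mount ] && mount_ebpf_fs /mount
    mkdir -p "$EVENT_DIR" && : > "$EVENT_LOG"
    tetragon --export-filename "$EVENT_LOG" >/dev/null 2>&1 &
    log "tetragon started (pid $!)"
    tail -n +1 -f "$EVENT_LOG" | prefix_events &   # follows the log for the VM's lifetime
}

# Run main only when executed as the hook so the functions can be sourced for tests.
case "${0##*/}" in 50-observability.sh) main ;; esac
```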
@antitree antitree requested a review from 89luca89 January 20, 2026 16:06
Signed-off-by: antitree <antitree@users.noreply.github.com>
2 participants