On Mar 15, 2025, I had the pleasure of presenting at the Cloud Native Community Japan - eBPF Japan Meetup #3, where I introduced Tetragon's implementation of eBPF-based Process Lifecycle Monitoring. I'd like to share a brief overview of my talk in this blog post. Contents: About Tetragon, Process Lifecycle Monitoring, Technical Deep Dive, Looking Forward. You can access… Continue reading Inside Tetragon: How eBPF Powers Process Lifecycle Monitoring
Tag: linux
Tetragon-mini by Rust: eBPF-based process monitoring
TL;DR; I created eBPF-based software in Rust that can monitor the process lifecycle. process 101708: root: /usr/sbin/iptables 💥 exit 101708: root: /usr/sbin/iptables process 101705: yukinakamura: /usr/bin/cat 💥 exit 101705: yukinakamura: /usr/bin/cat process 101758: yukinakamura: /usr/bin/sed 💥 exit 101758: yukinakamura: /usr/bin/sed Contents: Motivation, Scope, Architecture Overview, How to Run, Prerequisites, Clone the Repository, Generate Struct codes, Build and Run eBPF Programs… Continue reading Tetragon-mini by Rust: eBPF-based process monitoring
eBPF Tail Calls with Rust Aya
TL;DR This guide demonstrates how to implement eBPF Tail Calls using Rust's Aya. Contents: Introduction: Tail Calls, Run eBPF Tail Calls program, Prerequisites, Clone the Repository, Generate Struct codes, Build, Run, Check logs, Check eBPF Programs and Maps in the Kernel, eBPF Programs, Loaded eBPF Programs, Attached eBPF Programs, eBPF Map for tail calls, Rust Code Highlights, ProgramArray Setup, Tail Calls, State Sharing with PerCpuArray, References, Wrap up. Introduction: Tail Calls Tail calls… Continue reading eBPF Tail Calls with Rust Aya
Writing eBPF Kprobe Program with Rust Aya
TL;DR In this post, I'll walk you through an example of an eBPF Kprobe program using Aya with Rust. Contents: Introduction: Kprobes, Run eBPF Kprobe tracing program, Prerequisites, Check available Kprobes, Clone the Repository, Generate Structs codes, Build, Run, Test, Check eBPF Program in the Kernel, Check with bpftool, (Optional) Check with bpftop, Argument Handling in Kprobes, How to Identify Argument Types, Generate Struct Codes by aya-tool, Read values from… Continue reading Writing eBPF Kprobe Program with Rust Aya
Writing eBPF RawTracepoint Program with Rust Aya
TL;DR In this post, I'll walk you through an example of an eBPF RawTracepoint program using Aya with Rust. Contents: Introduction: RawTracepoints vs Tracepoints, Argument Handling, Performance, Run eBPF RawTracepoint tracing program, Prerequisites, Check available Tracepoints, Clone the Repository, Generate Structs codes, Build and Run, Check eBPF Program in the Kernel, eBPF Program, Attachment to RawTracepoint, Argument Handling in RawTracepoints, How to Identify Argument Types, Generate Struct Codes by… Continue reading Writing eBPF RawTracepoint Program with Rust Aya
Tetragon Process Lifecycle Observation: eBPF Part
TL;DR In this post, I explain how Tetragon detects process creation and termination using eBPF. Contents: Introduction, Overview, kprobes and tracepoints, eBPF Programs, eBPF Maps, Tetragon Agent, Process creation, eBPF program attached to tracepoint, Write data to eBPF Map, Process termination, eBPF program attached to tracepoint, Write data to eBPF Map, Wrap up, Next step, Related posts. Introduction I was really impressed when I used Tetragon for the first time.… Continue reading Tetragon Process Lifecycle Observation: eBPF Part
Use a private RUN cache between builds in BuildKit
TL;DR This post provides a hands-on tutorial on how to use a private RUN cache that is defined by RUN --mount=type=cache, sharing=private in a Dockerfile. Here is a snippet of the Dockerfile. RUN --mount=type=cache,id=private-cache,target=/root/.cache,sharing=private \ echo $(date):" private1 is writing..." && \ echo $(date)": Hello from private1" >> /root/.cache/private.log && \ sleep 10 && \ echo "--- private.log ---------"… Continue reading Use a private RUN cache between builds in BuildKit





