| title | weight | description |
|---|---|---|
Requirements |
110 |
Requirements for running Inspektor Gadget.
|
Inspektor Gadget uses eBPF to obtain the insights it provides. The
different gadgets provided use different eBPF capabilities. The
capabilities available depend on the version of the kernel running in the
node, as well as whether or not the kernel has
BTF enabled (via
CONFIG_DEBUG_INFO_BTF=y).
The gadgets implementation relies on Compile Once - Run Everywhere (CO-RE) approach. These tools need to have BTF information. This information is collected from three different sources, a fallback mechanism is implemented to try another source if the previous one was not available.
- The kernel already exposes it through
/sys/kernel/btf/vmlinux: the kernel was compiled withCONFIG_DEBUG_INFO_BTF). - It's available in the gadget container image: we ship the BTF information for some well known kernel versions using BTFGen.
- It's downloaded from BTFHub.
In case your kernel does not support CO-RE, we advise you to use an older
version of Inspektor Gadget which provides BCC gadget like
v0.21.0-bcc
This section summarizes the kernel versions and features that are required to run the gadgets. This has been generated by testing different Ubuntu versions and their shipped kernels, hence it's possible that some gadgets work in older kernels than the one mentioned here.
All gadgets require the following:
CONFIG_BPF=yCONFIG_BPF_SYSCALL=y.CONFIG_DEBUG_INFO_BTF=yif the host kernel is not supported by BTFHub.
For all gadgets, the minimum kernel version and additional needed CONFIG_* are
listed in the following table:
| Gadget | Minimum Kernel | Additional CONFIG_* |
|---|---|---|
advise network-policy |
U.U | |
advise seccomp-profile |
U.U | |
audit seccomp |
5.4 | KPROBES |
profile block-io |
U.U | |
profile cpu |
U.U | |
profile tcprtt |
U.U | KPROBES |
snapshot process |
5.10 | |
snapshot socket |
5.10 | |
top block-io |
U.U | KPROBES |
top file |
5.4 | KPROBES |
top tcp |
U.U | KPROBES |
trace bind |
5.4 | KPROBES, KRETPROBES |
trace capabilities |
U.U | KPROBES |
trace dns |
5.4 | |
trace exec |
5.4 | FTRACE_SYSCALLS |
trace fsslower |
5.4 | KPROBES, KRETPROBES |
trace mount |
U.U | FTRACE_SYSCALLS |
trace oomkill |
5.4 | KPROBES |
trace open |
5.4 | FTRACE_SYSCALLS |
trace signal |
5.4 | FTRACE_SYSCALLS |
trace sni |
U.U | |
trace tcp |
U.U | |
trace tcpconnect |
5.8 | KPROBES, KRETPROBES |
trace tcpdrop |
5.18 | |
trace tcpretrans |
4.15 | |
script |
4.9 | |
traceloop |
4.15 | KPROBES |
If the kernel version is U.U, it means we do not have this information at the moment.
| Kubernetes platforms | Support |
|---|---|
| Minikube | ✔️ |
| AKS, EKS, GKS | ✔️ |
| AWS Fargate, Azure Containers instances, GKE Autopilot | ❌ (see #1320) |
| OpenShift | ✔️ |
| Talos | ✔️ |
| Orchestrator | Container manager | Container runtime | Support |
|---|---|---|---|
| docker | containerd | runc | ✔️ |
| nerdctl | containerd | runc | ✔️ |
| Kubernetes | containerd | runc | ✔️ |
| Kubernetes | containerd | wasm | ❌ (see #1899) |
| Kubernetes | containerd | katacontainers | ❌ |
| Kubernetes | CRI-O | runc / crun | Kubernetes v1.20+ (see below) |
| Podman (root) | podman | runc / crun | ✔️ |
| Podman (rootless) | podman | runc / crun | Only with Podman API enabled (see below) |
We only support CRI v1 meaning that only CRI-O v1.20+ (compatible with Kubernetes v1.20+) is supported.
We use Podman API to trace containers. In case we want trace rootless containers, we need to ensure that the Podman API is available via socket as:
$ systemctl start --user podman.socket
# use rootless Podman API socket i.e /run/user/USERID#/podman/podman.sock
$ sudo ig -r podman --podman-socketpath /run/user/$UID/podman/podman.sock list-containers
$ sudo ig -r podman --podman-socketpath /run/user/$UID/podman/podman.sock snapshot process