WingNews logo WingNews
top | item 41102981

Show HN: Trayce – Network tab for Docker containers

138 points| ev_dev3 | 1 year ago |trayce.dev

Trayce (https://github.com/evanrolfe/trayce_gui) is an open source desktop application which monitors HTTP(S) traffic to Docker containers on your machine. It uses EBPF to achieve zero-configuration sniffing of TLS-encrypted traffic.

As a backend developer I wanted something which was similar to Wireshark or the Chrome network tab, but which intercepted requests & responses to my containers for debugging in a local dev environment. Wireshark is a great tool but it seems more geared towards lower level networking tasks. When I'm developing APIs or microservices I dont care about packets, I'm only concerned with HTTP requests and their responses. I also didn't want to have to configure a pre-shared master key to intercept TLS, I wanted it to work out-of-the-box.

Trayce is in beta phase so feedback is very welcome, bug reports too. The frontend GUI is written in Python with the QT framework. The TrayceAgent which is what does the intercepting of traffic is written in Go and EBPF.

29 comments

order

inyorgroove|1 year ago

This tool has really cool potential!

Just one problem I noticed imminently that prevents me from using this, the docker agent container[1] isn't multi-architecture, this will be an issue on Apple Silicon devices. This is something I have some experience setting up if you are looking for help, though will take some research to figure out how to get going in github actions etc.

1: https://github.com/evanrolfe/trayce_agent/

EDIT: quick search found this post, tested on a side project repo it works great: https://depot.dev/blog/multi-platform-docker-images-in-githu...

ev_dev3|1 year ago

Good point, thanks. Its only ever been tested on a Mac with an Intel chip. I will try and sort this out ASAP!

thomasfromcdnjs|1 year ago

I wanted to have a play but crashed when running the container command

    libbpf: sec '.reluprobe/gotls_exit_read_register': relo #5: insn #148 against 'active_go_read_args_map'
    libbpf: prog 'probe_exit_go_tls_read': found map 17 (active_go_read_args_map, sec 30, off 528) for insn #148
    libbpf: Error in bpf_object__probe_loading():Function not implemented(38). Couldn't load trivial BPF program. Make sure your kernel supports BPF (CONFIG_BPF_SYSCALL=y) and/or that RLIMIT_MEMLOCK is set to big enough value.
    libbpf: failed to load object 'main.bpf.o'
failed to load BPF object: function not implemented

ev_dev3|1 year ago

Are you running on Mac or Linux? What linux kernel version do you have in docker, run: `uname -r`. If you are using Mac with Docker Desktop then the first thing I would do is make sure thats on the latest version.

This is a common problem however when trying to run ebpf programs in docker, see "CONFIG_BPF_SYSCALL and RLIMIT_MEMLOCK issues" here: http://andreybleme.com/2022-05-22/running-ebpf-programs-on-d...

Also see "Configuring limits in the container" here too: https://blog.bitsofnetworks.org/debug-bpf-docker-l2tpns/

quibono|1 year ago

+1 - I get the same error. Running on Ubuntu 20.04

upon_drumhead|1 year ago

This is super cool! I'm gonna give this a try shortly.

One thing that we've been craving for our infrastructure is something like Little Snitch for containers. We make extensive use of third party containers and have been very concerned about any sort of data exfiltration attempts via supply chain attacks. We have a pile of iptable rules right now, but they're error prone and difficult to rationalize about. If we had something like Little Snitch where we would get the feed of connections and allow us to approve/reject them, it would make us all sleep a lot better.

Best of luck with your endeavors!

iamcreasy|1 year ago

Cool!

> It uses EBPF to achieve zero-configuration sniffing of TLS-encrypted traffic.

Can someone ELI5 this?

ev_dev3|1 year ago

I won't explain what ebpf is because google can do a better job of that than me but essentially this program hooks into the low-level system calls being made by your programs, so its able to grab un-encrypted network traffic before its encrypted and sent over the network. "zero-configuration" here mean you dont have to do much manual configuration to get this working.

ThaDood|1 year ago

IIRC EBPF is an enhanced version of the Berkeley Packet filter. In this scenario I believe it is being used for sandboxing a low level process to allow for TLS "decryption" on network connections related to Docker.

thebuilderjr|1 year ago

This is super cool. I wonder if there's a way to pipe this data into some analytical store so you could use it as part of a monitoring stack. Have you considered exporting the metrics you collect with this?

sesm|1 year ago

Slightly off topic: is there a developer proxy that has a similar UI? I don't want to wrap the app in docker just see network logs in a nice UI.

zokier|1 year ago

At least conceptually I think the same approach, using ebpf to capture traffic, should work pretty much the same with or without containers. So it could be fairly minor adjustment to get it working outside containers too?

piyushtechsavy|1 year ago

This seems super cool debugging tool. Is this purely for dockerized applications or can also be used with simple microservices.

ancras|1 year ago

Sounds cool. Would it maintain a history of requests which I could filter by time?

esafak|1 year ago

Consider contributing it to macports when it's out of beta.

viralpraxis|1 year ago

Can it be used to trace containers with «host» network driver?

skeptrune|1 year ago

This is an amazing and insanely helpful product

globular-toast|1 year ago

Licence? Assuming GPL if it's using Qt?

ev_dev3|1 year ago

Yes, GPL3. I've added the license to the repo.

alexliu518|1 year ago

Very useful project, keep it up