Comment by beaugunderson

5 months ago

We have a Python application that we develop inside Docker on macOS using the `python:3.11-slim-bullseye` image that it would be great to generate scap files from for viewing with Stratoshark. I tried installing sysdig in that image but ran into kernel module errors when trying to run it. Should we expect that to work? Am I missing an easier method?

2 comments

beaugunderson

geraldcombs 5 months ago

You might try passing `--modern-bpf` to sysdig. It has traditionally captured syscalls using a kernel module, and it sounds like that's where your errors are coming from. Newer versions have added eBPF support, which doesn't require a kmod but you have to pass in the `--modern-bpf` flag.

beaugunderson 5 months ago

Absolutely nailed it, that worked! Thanks so much for the pointer.