Monitor Your Containers With Csysdig

DZone 's Guide to

Monitor Your Containers With Csysdig

This is the second part of our series about Sysdig. This tutorial will show how you can use Csysdig, the ncurses based GUI that ships with Sysdig.

· Cloud Zone ·
Free Resource

This is the second part of our series about Sysdig. Whereas our previous blog post focused on capturing data with the sysdig command-line utility, this tutorial will show how you can use Csysdig, the ncurses based GUI that ships with Sysdig. It's worth mentioning that Csysdig goes beyond what most monitoring tools provide in terms of functionalities, by giving you the ability to perform various actions directly from its interface. As an example, you can start a shell inside of a container, display logs, kill a container and many more.


As a prerequisite, we assume you followed our first tutorial on Sysdig.  If so, both Sysdig and Csysdig should be installed on your system. Also, a capture file called monitoring-wordpress.scap should already exist.

Command-line Options

If you enter the csysdig command with the -h option, the list of command-line options is displayed as in the following output:



Note that the above output was truncated for brevity.

Let's look at some of the most important flags:

  • -r. You can analyze an existing trace file by entering the csysdig command followed by the -r flag and the name of the capture file:

This will display the default view that lists the processes for the period in which the events were captured:

Processes during given period

  • -d. If you don't use the -r flag, then you can run Csysdig with the -d flag to specify the delay between updates, expressed in milliseconds.
  • -pcontainer. Configures Csysdig to display data in a container-friendly format:

NET container
☞ For the scope of this tutorial, you'll use the capture file created in the previous tutorial - monitoring-wordpress.scap.

What Is a View?

At first glance, the Csysdig interface looks similar to the one provided by tools such as htop. However, Csysdig is based on the concept of views, which offers a larger array of functionalities and makes it easily customizable.

Under the hood, a view is a Lua script that makes use of the Sysdig processing engine to determine how metrics are collected, processed, and displayed.

The views are usually placed in the /usr/share/sysdig/chisels and ~/.chisels directories.

Enter the following commands to display the list of views:



Note that the above output was truncated for brevity.

You can also access the list of views from inside of Csysdig, by pressing the F2 key:

Accessing list of views

You will see the list of views and a detailed description of the highlighted view:

Highlighted views

Use the arrow keys to navigate to a different view:

Navigate to a different view

☞ When navigating through various Csysdig screens, keep in mind the following principles:

  • F2 switches to a different view
  • Enter drills down into the active selection
  • Backspace navigates to the previous screen

The Containers View

Continuing with our example, we selected the Containers view and applied it with the Enter key:

Containers view

This provides a brief overview of the three containers running on your machine. Next, you can follow these steps to get in-depth information:

  1. Navigate to the first container in the list and press the Enterkey. You will be presented with the list of processes running in this container. At the top of the screen, Sysdig shows the list of active filters. This means you can retrieve the same information stringing these filters in the command-line.
Retrieving files by multiple fields
  1. With Csysdig, you can dig even further. Select a process from the list and then press the Enter key again. This will display the list of threads for the selected process.
Selecting a process from list
  1. From here, you have two options:
    Option A: Press the Enter key
    A.1 You will be presented with the list of files that were accessed by this thread during the period in which you captured events:
Entry point 1

As you can see, the list of filters is getting pretty long. Imagine doing this without a GUI.
A.2 Csysdig allows you to retrieve even more detailed information. Select the .htaccess file and press the F5 key. This shows the inputs and the outputs for the selected file.

 inputs and the outputs for the selected file

Option B: Press the F5 key

  • B.1 This shows the I/O activity of the selected process.
I/O activity of selected processes
  • B.2 If you press the F2 key, Csysdig allows you to select the format in which the data is formatted:
Selecting format in which data is formatted
  • B.3 Select Printable ASCII. Then, you can use the arrow keys to navigate through this view:
Selecting printable ASCII

The screenshot above shows the activity of the selected process. As you can see, it accepted an incoming connection initiated by ApacheBench, read from the .htaccess file and so on.

☞ Similarly to the Containers view, you can access any other view.

The Actions Panel

As mentioned, Csysdig lets you perform actions directly from its interface. In this section, we'll look at some examples of you can use Csysdig's actions panel.

The sysdig container is pretty barebones and, out of the box, it lacks the utilities needed to make the most of the actions panel. For simplicity's sake, we'll analyze the capture file on the host.

  1. On the host, list the active containers with:

  1. Copy the trace file to the host by running the docker cp command followed by the source and the destination path. The source path is formed by concatenating the ID of the container and the path inside of the consider, separated by :. In our example, the source path is 0cd95a6d2e4f:/monitoring-wordpress.scap but yours will be different.

    Containers for whole schema

Now that you've copied the trace file to the host, we'll walk you through two of the most useful action panels.

The Action Panel for Containers

  1. On the host, start Csysdig with the following command:

  1. Navigate to the Containers view and then press the F8 key. On the left side, you will see the list of available actions:
Containers for whole machine
  1. As an example, let's start a shell inside of the wordpress container by pressing the b key.
  2. At this point, you can perform whatever actions you want:
Performing commands on root
  1. When you're done, enter the exit command, and you will be taken back to the GUI.
  2. From here, you can press the l key to display Docker logs:
Displaying Docker logs

Similarly, you can invoke the rest of the commands.

The Action Panel for Processes

  1. In the main view, highlight a process and then press the F8 key. This will display a different set of actions:
Processes on whole machine

From here, you can choose whatever action you want to perform by pressing the corresponding hotkey.

Configure Csysdig

In this section, we'll show how you can customize Csysdig to your preferences. The following example will:

  • Change the hotkey that triggers the docker pause command.
  • Add the docker ps command to the list of available commands and assign a hotkey to it.
  1. On the host, open (as root) the /usr/share/sysdig/chisels/v_containers.lua file. As an example, if your editor of choice is vi, then you should enter the following command:

  1. Set the hotkey for the docker pause command to p:
Setting hotkey for Docker pause
  1. At the bottom of the file, add a new command by pasting the following snippet into the actions object:

With these updates, your /usr/share/sysdig/chisels/v_containers.lua should look similar to the following:
Hotkey updates

  1. Save the file. If you're using vi, type :wq! and then press the Enter key.
An in-depth explanation of how you can write more complex views and actions is outside of the scope of this tutorial.  Refer to the Csysdig View Format Reference page to further your knowledge.
  1. Start Csysdig and then navigate to the Containers view. From there, press the F8 key to display the list of actions:

    Containers for whole machine

Note that the list of actions has been updated!��

  1. Press the p key to pause the container. You'll see the following confirmation message:

In the output above, the id of our container is 67c012a9e92b. Yours will be different.

  1. You can use the new command you've just added to check if everything went well. Type the o key, and you'll see something similar to this output:
Final output

Hooray, your container has been paused!

cloud native, container, docker, kubernetes

Published at DZone with permission of Sudip Sengupta . See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}