Building Sysdig

Below versions of Sysdig are available in respective distributions at the time of creation of these build instructions:

• Ubuntu 20.04 has 0.26.4
• Ubuntu 22.04 has 0.27.1
• Ubuntu 24.04 has 0.36.0

The instructions provided below specify the steps to build Sysdig version 0.38.0 on Linux on IBM Z for following distributions:

• RHEL (8.8, 8.10, 9.2, 9.4)
• Ubuntu (20.04, 22.04, 24.04)

General Notes:

• When following the steps below please use a standard permission user unless otherwise specified.
• A directory /<source_root>/ will be referred to in these instructions, this is a temporary writable directory anywhere you'd like to place it.

Step 1: Build using script

If you want to build Sysdig using manual steps, go to step 2.

Use the following commands to build Sysdig using the build script. Please make sure you have wget installed.

wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Sysdig/0.38.0/build_sysdig.sh

# Run bash build_sysdig.sh 
bash build_sysdig.sh  [Provide -t option for executing build with tests] 

In case of error, check logs for more details or go to Step 2 to follow manual build steps.

Step 2: Install dependencies

export SOURCE_ROOT=/<source_root>/

• RHEL (8.8, 8.10, 9.2, 9.4)

  sudo yum install -y wget tar patch gcc gcc-c++ git bpftool clang cmake pkg-config elfutils-libelf-devel kernel-devel kmod llvm perl
  

• Ubuntu (20.04)

  sudo apt-get update
  sudo apt-get install -y git g++ linux-headers-generic cmake libelf-dev pkg-config kmod patch wget
  

• Ubuntu (22.04, 24.04)

  sudo apt-get update
  sudo apt-get install -y git g++ linux-headers-generic cmake libelf-dev pkg-config kmod g++-11 clang llvm wget zlib1g patch wget
  sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-11 11
  sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-11 11
  

• Install clang-14 and llvm-14 (For Ubuntu-20.04 only)

  cd $SOURCE_ROOT
  sudo apt-get update 
  sudo apt install -y lsb-release wget software-properties-common gnupg
  wget https://apt.llvm.org/llvm.sh
  sed -i 's,add-apt-repository "${REPO_NAME}",add-apt-repository "${REPO_NAME}" -y,g' llvm.sh
  chmod +x llvm.sh
  sudo ./llvm.sh 14
  rm ./llvm.sh
  
  export CC=clang-14
  export CXX=clang++-14
  sudo ln -sf /usr/bin/clang-14 /usr/bin/clang
  sudo ln -sf /usr/bin/clang++-14 /usr/bin/clang++
  sudo update-alternatives --install /usr/bin/llvm-config llvm-config /usr/bin/llvm-config-14 200
  sudo update-alternatives --install /usr/bin/llvm-strip  llvm-strip  /usr/bin/llvm-strip-14 200 
  

• Install bpftool (For Ubuntu only)

  cd $SOURCE_ROOT
  git clone --recurse-submodules https://github.com/libbpf/bpftool.git
  cd bpftool && cd src
  CLANG=Nope make   #For Ubuntu 20.04
  make              #For Ubuntu 22.04, 24.04
  sudo make install
  

Some features uses "skeletons" (feature-clang-bpf-co-re compilation option) which require kernel 5.15 or more recent, to compile bpftool, hence CLANG-flag is set to CLANG=Nope while compiling for Kernel versions < 5.15. Refer to this.

Step 3: Download source code

cd $SOURCE_ROOT
git clone https://github.com/draios/sysdig.git
cd sysdig
git checkout 0.38.0
mkdir build

# For RHEL 9.x and Ubuntu-24.04, due to kernel issues, need to upgrade the drivers
sed -i 's,7.0.0+driver,7.1.0+driver,g' $SOURCE_ROOT/sysdig/cmake/modules/driver.cmake
sed -i 's,9f2a0f14827c0d9d1c3d1abe45b8f074dea531ebeca9859363a92f0d2475757e,ec493d549d7dc6d9a5534e91e0350aa06827f91c7119818d88c22e8a2820f416,g' $SOURCE_ROOT/sysdig/cmake/modules/driver.cmake

Step 4: Configure, build and install Sysdig

Step 4.1: Configure

cd $SOURCE_ROOT/sysdig/build
cmake -DCREATE_TEST_TARGETS=ON -DUSE_BUNDLED_DEPS=ON -DSYSDIG_VERSION=0.38.0 ..

Step 4.2: Build Sysdig

cd $SOURCE_ROOT/sysdig/build
sed -i 's,c-ares.haxx.se/download/,github.com/c-ares/c-ares/releases/download/cares-1_19_1/,g' ./c-ares-prefix/src/c-ares-stamp/download-c-ares.cmake
sed -i 's,c-ares.haxx.se/download/,github.com/c-ares/c-ares/releases/download/cares-1_19_1/,g' ./falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs/cmake/modules/cares.cmake
make
sudo make install

Step 5: Insert Sysdig driver module

#Unload any existing module
sudo rmmod scap || true

#Insert Sysdig kernel module
cd $SOURCE_ROOT/sysdig/build/driver/
sudo insmod scap.ko

Step 6: Testing (Optional)

• Some test cases may fail due to big-endian architecture of s390x. Apply patch -

cd $SOURCE_ROOT/sysdig/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs
wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Sysdig/0.38.0/patch/sysdig.patch
patch -p1 < sysdig.patch
rm -f sysdig.patch

• To run the whole unit test suite

cd $SOURCE_ROOT/sysdig/build/
make run-unit-test-libsinsp

All the test cases should pass.

Step 7: Validate installation (optional)

• Validate Sysdig's version

  sysdig --version
  

  The output should be:

  sysdig version 0.38.0
  

• Validate sysdig and csysdig binaries

  sudo /usr/local/bin/sysdig
  sudo /usr/local/bin/csysdig
  

Note:

• Refer to this for more information on running Sysdig as a non-root user.

Reference:

• http://www.sysdig.com/
• https://github.com/draios/sysdig
• https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-from-the-Source-Code