|
| 1 | +# CLAUDE.md |
| 2 | + |
| 3 | +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. |
| 4 | + |
| 5 | +## Project Overview |
| 6 | + |
| 7 | +bpfshoot is a containerized BPF (Berkeley Packet Filter) troubleshooting toolkit built on Debian Bookworm. It provides pre-built BPF tools for system observability, performance analysis, and network troubleshooting using libbpf CO-RE (Compile Once - Run Everywhere) technology. |
| 8 | + |
| 9 | +## Architecture |
| 10 | + |
| 11 | +The project consists of: |
| 12 | +- **Dockerfile**: Container build that installs BCC (BPF Compiler Collection) v0.35.0 and builds libbpf-tools |
| 13 | +- **Makefile**: Build automation supporting multi-architecture Docker builds (x86_64, ARM64) |
| 14 | +- **GitHub Actions**: Automated CI/CD pipeline for multi-arch builds and Docker Hub publishing |
| 15 | + |
| 16 | +The container includes: |
| 17 | +- BCC libbpf-tools (pre-built from source) |
| 18 | +- Complete BPF development toolchain (clang, llvm, libelf-dev) |
| 19 | +- Network diagnostic tools (iproute2, net-tools) |
| 20 | +- System monitoring tools (linux-perf) |
| 21 | + |
| 22 | +## Key Technical Details |
| 23 | + |
| 24 | +- Uses libbpf CO-RE technology - no kernel headers or debug filesystem mounts required |
| 25 | +- Requires Linux kernel 5.15+ with BPF support |
| 26 | +- Must run with `--privileged` flag for BPF program loading |
| 27 | +- Repository: `johnlin/bpfshoot` on Docker Hub |
| 28 | + |
| 29 | +## Common Commands |
| 30 | + |
| 31 | +### Building the Container |
| 32 | +```bash |
| 33 | +# Build for x86_64 |
| 34 | +make build-x86 |
| 35 | + |
| 36 | +# Build for ARM64 |
| 37 | +make build-arm64 |
| 38 | + |
| 39 | +# Build multi-architecture (both x86_64 and ARM64) |
| 40 | +make build-all |
| 41 | + |
| 42 | +# Build and push to registry |
| 43 | +make all |
| 44 | +``` |
| 45 | + |
| 46 | +### Running the Container |
| 47 | +```bash |
| 48 | +# Run interactively with privileged access (required for BPF) |
| 49 | +docker run -it --rm --privileged --name bpfshoot johnlin/bpfshoot:latest |
| 50 | +``` |
| 51 | + |
| 52 | +### Inside the Container |
| 53 | +```bash |
| 54 | +# Navigate to BCC tools |
| 55 | +cd /bcc/libbpf-tools |
| 56 | + |
| 57 | +# Run BPF programs (examples) |
| 58 | +./opensnoop # Trace file opens |
| 59 | +./execsnoop # Trace process execution |
| 60 | +./tcpconnect # Trace TCP connections |
| 61 | +``` |
| 62 | + |
| 63 | +## GitHub Actions CI/CD |
| 64 | + |
| 65 | +The repository includes automated workflows that: |
| 66 | +- Build multi-architecture Docker images (linux/amd64, linux/arm64) |
| 67 | +- Automatically tag images based on branch, PR, semver, and SHA |
| 68 | +- Push to Docker Hub on main branch commits and tags |
| 69 | +- Generate build attestations for security |
| 70 | + |
| 71 | +Required secrets in GitHub repository: |
| 72 | +- `DOCKER_USERNAME`: johnlin |
| 73 | +- `DOCKER_PASSWORD`: Docker Hub access token |
| 74 | + |
| 75 | +## Development Notes |
| 76 | + |
| 77 | +- All BPF programs require privileged container execution (`--privileged` flag) |
| 78 | +- The environment is designed for defensive security analysis and system monitoring |
| 79 | +- BCC tools are pre-compiled and ready to use in `/bcc/libbpf-tools/` |
| 80 | +- Container hostname is set to `bptshoot` for identification |
| 81 | +- Uses CO-RE technology for kernel portability across different Linux distributions |
0 commit comments