This is an alternative to building "netatop" kernel module, supported by atop 2.10.0+.
Requires linux kernel 6.3+, event tracing enabled there (ftrace + tracing + uprobes + bpf_events), tracefs mounted at /sys/kernel/tracing (systemd does this automatically), and netatop-bpf.service running.
Lockdown LSM, if used on the system in "confidentiality" mode, must be enabled after sys-kernel-tracing.mount, in order for this to work, otherwise it will block mounting tracefs.
Upstream systemd service runs daemon as root, and creates /var/run/netatop-bpf-socket with 0777 permissions accessible to any user - you might want to restrict that as necessary, if running it for prolonged periods of time.
Pinned Comments
mk-fg commented on 2024-01-23 08:11 (UTC) (edited on 2024-01-24 00:14 (UTC) by mk-fg)
This is an alternative to building "netatop" kernel module, supported by atop 2.10.0+.
Requires linux kernel 6.3+, event tracing enabled there (ftrace + tracing + uprobes + bpf_events), tracefs mounted at /sys/kernel/tracing (systemd does this automatically), and netatop-bpf.service running.
Lockdown LSM, if used on the system in "confidentiality" mode, must be enabled after sys-kernel-tracing.mount, in order for this to work, otherwise it will block mounting tracefs.
Upstream systemd service runs daemon as root, and creates /var/run/netatop-bpf-socket with 0777 permissions accessible to any user - you might want to restrict that as necessary, if running it for prolonged periods of time.