The workspace process logging feature allows you to log all system-level

processes executing in the workspace.

Workspace process logging adds a sidecar container to workspace pods that will

log all processes started in the workspace container (e.g., commands executed in

the terminal or processes created in the background by other processes).

Processes launched inside containers or nested containers within the workspace

are also logged. You can view the output from the sidecar or send it to a

monitoring stack, such as CloudWatch, for further analysis or long-term storage.

Please note that these logs are not recorded or captured by the Coder

organization in any way, shape, or form.

Coder uses [eBPF](https://ebpf.io/) (which we chose for its minimal performance

impact) to perform in-kernel logging and filtering of all exec system calls

originating from the workspace container.

The core of this feature is also open source and can be found in the

[exectrace](https://github.com/coder/exectrace) GitHub repo. The enterprise

component (in the `enterprise/` directory of the repo) is responsible for

starting the eBPF program with the correct filtering options for the specific

workspace.

The host machine must be running a Linux kernel >= 5.8 with the kernel config

`CONFIG_DEBUG_INFO_BTF=y` enabled.

To check your kernel version, run:

uname -r

To validate the required kernel config is enabled, run either of the following

commands on your nodes directly (_not_ from a workspace terminal):

cat /proc/config.gz | gunzip | grep CONFIG_DEBUG_INFO_BTF

cat "/boot/config-$(uname -r)" | grep CONFIG_DEBUG_INFO_BTF

If these requirements are not met, workspaces will fail to start for security

reasons.

Your template must be a Kubernetes template. Workspace process logging is not

compatible with the `sysbox-runc` runtime due to technical limitations, but it

is compatible with our `envbox` template family.

We provide working example templates for Kubernetes, and Kubernetes with

`envbox` (for [Docker support in workspaces](./docker-in-workspaces.md)). You

can view these templates in the

[exectrace repo](https://github.com/coder/exectrace/tree/main/enterprise/templates).

If you have an existing Kubernetes or Kubernetes with `envbox` template that you

would like to add workspace process logging to, follow these steps:

1. Ensure the image used in your template has `curl` installed.

1. Add the following section to your template's `main.tf` file:

<!--

```hcl

```

1. Update the `command` of your workspace container like the following:

<!--

```hcl

```

> **Note:** If you are using the `envbox` template, you will need to update

> the third argument to be

> `"${local.exectrace_init_script}\n\nexec /envbox docker"` instead.

1. Add the following container to your workspace pod spec.

<!--

```hcl

```

> **Note:** `exectrace` requires root privileges and a privileged container

> to attach probes to the kernel. This is a requirement of eBPF.

1. Add the following environment variable to your workspace pod:

<!--

```hcl

```

Once you have made these changes, you can push a new version of your template

and workspace process logging will be enabled for all workspaces once they are

restarted.

To view the process logs for a specific workspace you can use `kubectl` to print

the logs:

kubectl logs pod-name --container exectrace

The raw logs will look something like this:

{

"ts": "2022-02-28T20:29:38.038452202Z",

"level": "INFO",

"msg": "exec",

"fields": {

"labels": {

"user_email": "[email protected]",

"user_id": "5e876e9a-121663f01ebd1522060d5270",

"username": "jessie",

"workspace_id": "621d2e52-a6987ef6c56210058ee2593c",

"workspace_name": "main"

},

"cmdline": "uname -a",

"event": {

"filename": "/usr/bin/uname",

"argv": ["uname", "-a"],

"truncated": false,

"pid": 920684,

"uid": 101000,

"gid": 101000,

"comm": "bash"

}

}

}

If you're using AWS' Elastic Kubernetes Service, you can

[configure your cluster](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-EKS-logs.html)

to send logs to CloudWatch. This allows you to view the logs for a specific user

or workspace.

To view your logs, go to the CloudWatch dashboard (which is available on the

**Log Insights** tab) and run a query similar to the following:

- The sidecar attached to each workspace is a privileged container, so you may

need to review your organization's security policies before enabling this

feature. Enabling workspace process logging does _not_ grant extra privileges

to the workspace container itself, however.

- `exectrace` will log processes from nested Docker containers (including deeply

nested containers) correctly, but Coder does not distinguish between processes

started in the workspace and processes started in a child container in the

logs.

- With `envbox` workspaces, this feature will detect and log startup processes

begun in the outer container (including container initialization processes).

- Because this feature logs **all** processes in the workspace, high levels of

usage (e.g., during a `make` run) will result in an abundance of output in the

sidecar container. Depending on how your Kubernetes cluster is configured, you

may incur extra charges from your cloud provider to store the additional logs.

},

{

"title": "Process Logging",

"description": "Log workspace processes",

"path": "./admin/templates/extending-templates/process-logging.md",

"state": ["enterprise", "premium"]