telegen-sonic is a lightweight eBPF-based telemetry agent for SONiC (Linux 5.x+) that exposes an HTTP API and exports OpenTelemetry metrics.
It compiles a CO-RE (Compile Once – Run Everywhere) tc-ingress program, pins maps under /sys/fs/bpf/telegen-sonic, and collects per-protocol packet/byte stats.
This single container runs:
- The HTTP API server (job control)
- The metrics collector (reads BPF maps and exports OTLP)
- Mirror/ERSPAN provisioning (optionally creates an erspan device as the monitor target)
… autogenerated markdown …
- eBPF tc ingress classifier (CO-RE) with per-CPU maps
- OpenTelemetry metrics (
bpf.packets,bpf.bytes) - Pinned maps:
/sys/fs/bpf/telegen-sonic/{stats_percpu,if_stats_percpu} - Job control API: start/stop status endpoints
- Mirroring:
- ERSPAN v2 provisioning (preferred in production)
- Placeholder mode for CI/dev (no privileged ops required)
Runtime (recommended):
- Linux kernel 5.x+ with BTF available at
/sys/kernel/btf/vmlinux - Container capabilities:
CAP_NET_ADMIN,CAP_BPF(or--privileged) tcandipavailable in the container image/sys/fs/bpfmounted in the container for pinning- OTLP endpoint (default
localhost:4317)
Build (if building from source):
clang,llvm,bpftool,libelf-dev,libbpf-dev- Go 1.23+
# Build eBPF objects + agent + CLI
make build
# Build multi-arch container and push to GHCR (requires buildx)
make dockerThe repo ships GitHub Actions to build/push images to GHCR and to run
govulncheck.
A resilient workflow step discovers/installsbpftoolon runners where the exactlinux-tools-$KRELpackage is not present.
docker run --rm -d --network host --cap-add NET_ADMIN --cap-add BPF -v /sys/fs/bpf:/sys/fs/bpf -v /sys/kernel/btf:/sys/kernel/btf:ro -e OTEL_EXPORTER_OTLP_ENDPOINT="collector:4317" ghcr.io/platformbuilds/telegen-sonic:latestThe agent listens on 127.0.0.1:8080 inside the container and starts the metrics collector automatically.
curl -sS -X POST http://127.0.0.1:8080/jobs/start -H 'Content-Type: application/json' -d '{
"port": "Ethernet0",
"direction": "ingress"
}'Typical response:
{
"job_id": "9b4e87cb-...",
"status": "starting",
"interface": "erspan0"
}curl -sS http://127.0.0.1:8080/jobs/<job_id>curl -sS -X POST http://127.0.0.1:8080/jobs/<job_id>/stopThe agent exports:
bpf.packets(Counter) — packets observed by tc ingress, attributes:proto,ifindex(optional)bpf.bytes(Histogram) — bytes observed by tc ingress, attributes:proto,ifindex(optional)
proto values: ipv4, ipv6, icmp6, other.
Configure the collector via environment:
-e OTEL_EXPORTER_OTLP_ENDPOINT="host:4317"By default the agent attempts ERSPAN v2 provisioning (requires ip and CAP_NET_ADMIN). If ERSPAN is not configured or fails, it falls back to placeholder mode which returns a stable interface name (e.g., erspan0) but performs no privileged operations—useful for CI/dev.
| Variable | Required | Default | Description |
|---|---|---|---|
TELEGEN_MIRROR_MODE |
no | erspan |
erspan or placeholder |
TELEGEN_ERSPAN_NAME |
no | erspan0 |
Netdev name to create/reuse |
TELEGEN_ERSPAN_DEV |
no | spec.Port |
Source device/port to mirror |
TELEGEN_ERSPAN_REMOTE |
yes* | Remote IPv4 (ERSPAN tunnel destination) | |
TELEGEN_ERSPAN_LOCAL |
yes* | Local IPv4 (ERSPAN tunnel source) | |
TELEGEN_ERSPAN_KEY |
no | 10 |
ERSPAN key (session id) |
TELEGEN_ERSPAN_TTL |
no | 64 |
Outer IP TTL |
TELEGEN_ERSPAN_TOS |
no | inherit |
TOS/DSCP (e.g., inherit or numeric) |
* Only required when TELEGEN_MIRROR_MODE=erspan.
docker run --rm -d --network host --cap-add NET_ADMIN --cap-add BPF -v /sys/fs/bpf:/sys/fs/bpf -v /sys/kernel/btf:/sys/kernel/btf:ro -e OTEL_EXPORTER_OTLP_ENDPOINT="collector:4317" -e TELEGEN_MIRROR_MODE=erspan -e TELEGEN_ERSPAN_REMOTE=192.0.2.100 -e TELEGEN_ERSPAN_LOCAL=192.0.2.10 -e TELEGEN_ERSPAN_DEV=Ethernet0 -e TELEGEN_ERSPAN_KEY=42 ghcr.io/platformbuilds/telegen-sonic:latestdocker run --rm -it -e TELEGEN_MIRROR_MODE=placeholder ghcr.io/platformbuilds/telegen-sonic:latest- Works across 5.x kernels when BTF is available (
/sys/kernel/btf/vmlinux). - If BTF is missing, either provide a matching BTF file (BTFHub) or enable BTF in the SONiC image. As a last resort, compile on-box.
Recommended container flags:
--cap-add NET_ADMIN --cap-add BPF -v /sys/fs/bpf:/sys/fs/bpf -v /sys/kernel/btf:/sys/kernel/btf:roBinaries embed:
main.version—release/mark-v{major}-{minor}-{bugfix}on tag builds (e.g.,v1.2.3→release/mark-v1-2-3), otherwisedev.main.commit— short Git SHAmain.date— UTC build time
# Run unit tests
make test
# Format & lint
make fmt
make lintpkg/monitor/attach_test.go— stubstcand uses an env override for object pathpkg/monitor/mirror_test.go— stubsipand exercises erspan/placeholder flowspkg/monitor/collect_test.go— constructor & helpers (no kernel access required)