Real-time system failure detection using eBPF.
git clone https://github.com/linnix-os/linnix.git && cd linnix
./quickstart.shLinnix monitors real-time system events with <1% CPU overhead using eBPF.
Optional: Run demo scenarios to see detection in action:
# Enable demo mode in docker-compose.yml
sed -i 's/# command: \["cognitod"/command: ["cognitod"/' docker-compose.yml
# Restart to run 5 demo scenarios
docker-compose restart cognitodDemo scenarios:
- Fork bomb - detects >10 forks/second for 2s
- Memory leak - detects gradual RSS growth pattern
- CPU spike - detects sustained high CPU (>50% for 5s)
- Runaway tree - detects high CPU parent+child processes
- Short-lived jobs - detects exec/exit cycle patterns
Dashboard: http://localhost:3000 | API: http://localhost:3000/alerts
Linnix can detect 5 different failure patterns (when demo mode is enabled):
| Scenario | Detection Rule | Trigger |
|---|---|---|
| Fork bomb | forks_per_sec | >10 forks/second for 2s |
| Memory leak | subtree_rss_mb | Gradual growth pattern |
| CPU spike | subtree_cpu_pct | >50% CPU for 5s |
| Runaway tree | High CPU subtree | Parent+child >90% CPU |
| Short-lived jobs | Rapid exec/exit | Process churn detection |
How? eBPF monitors at the kernel level (fork, exec, exit events). Rules engine analyzes patterns and alerts in real-time.
All detection rules are configurable in configs/rules.yaml
git clone https://github.com/linnix-os/linnix.git && cd linnix
docker-compose up -d- Dashboard: http://localhost:3000
- API: http://localhost:3000/alerts
- Prometheus: http://localhost:3000/metrics
# Download and install (runs as your user - no sudo needed)
curl -fsSL https://raw.githubusercontent.com/linnix-os/linnix/main/install.sh | bash
# Or manually:
wget https://github.com/linnix-os/linnix/releases/latest/download/cognitod-linux-amd64
chmod +x cognitod-linux-amd64
# Grant capabilities (one-time, requires sudo)
sudo setcap cap_bpf+eip cap_perfmon+eip cognitod-linux-amd64
# Run (no sudo needed)
./cognitod-linux-amd64Requirements:
- Linux 5.8+ with BTF enabled (
ls /sys/kernel/btf/vmlinux) - Docker (for containerized deployment) - no sudo needed if in docker group
- 2+ vCPU, 4GB+ RAM (8GB if using LLM)
Security: Linnix uses minimal Linux capabilities (CAP_BPF + CAP_PERFMON) instead of root. See SECURITY.md.
Uninstall:
# Stop user service
systemctl --user stop linnix-cognitod
systemctl --user disable linnix-cognitod
# Or stop system service (if installed system-wide)
sudo systemctl stop linnix-cognitod
sudo systemctl disable linnix-cognitodRun simulated system failures to test detection rules:
# Run all 5 demo scenarios
docker exec linnix-cognitod cognitod --demo all
# Or run specific scenarios
docker exec linnix-cognitod cognitod --demo fork-storm
docker exec linnix-cognitod cognitod --demo cpu-spike
docker exec linnix-cognitod cognitod --demo memory-leak
docker exec linnix-cognitod cognitod --demo runaway-tree
docker exec linnix-cognitod cognitod --demo short-jobsWatch demo output:
docker logs -f linnix-cognitod | grep -i demo
curl -N http://localhost:3000/stream # Watch alerts in real-timeMonitors at the kernel level using eBPF:
- Process lifecycle: fork, exec, exit
- CPU/memory telemetry from scheduler
- File descriptor tracking
- Network connection monitoring
<1% CPU overhead - no polling /proc, direct kernel events via perf buffers.
Built-in pattern detection catches:
- Fork storms - rapid process spawning (>10/sec)
- Memory leaks - gradual RSS growth (>50MB/10s)
- CPU thrashing - processes stuck in loops
- FD exhaustion - files not closed (approaching limit)
- Runs llama.cpp with 3B quantized model
- Analyzes patterns the rules engine flags
- Completely optional - rules engine works standalone
- No external API calls (privacy-first)
┌──────────────────────────────────────────────────────────────┐
│ Kernel Space (eBPF) │
├──────────────────────────────────────────────────────────────┤
│ fork hook → exec hook → exit hook → CPU/mem sampling │
└────────────────────────┬─────────────────────────────────────┘
│ Perf buffers
▼
┌──────────────────────────────────────────────────────────────┐
│ User Space (cognitod) │
├──────────────────────────────────────────────────────────────┤
│ • Event processing • Process tree tracking │
│ • State management • Rules engine │
│ • HTTP/SSE API • Prometheus metrics │
└────────────────────────┬─────────────────────────────────────┘
│
┌───────────────┼───────────────┐
│ │ │
▼ ▼ ▼
┌─────────┐ ┌──────────┐ ┌─────────────┐
│ CLI │ │ LLM │ │ Prometheus │
│ Stream │ │(Optional)│ │ Grafana │
└─────────┘ └──────────┘ └─────────────┘