psc: The ps utility, with an eBPF twist and container context

New 'ps' tool claims kernel-level truth; commenters say 'just use grep'

TLDR: psc scans processes with kernel-level visibility and Google’s CEL filters, aiming to beat fragile grep chains and spot hidden activity. Commenters pushed back, arguing plain old pipes or JSON plus jq are simpler, and demanded clearer output examples—security fans love it, minimalists aren’t convinced.

Meet psc, a new command-line tool that promises x-ray vision into your computer’s running stuff. It looks past the usual /proc directory and peers straight into the kernel using eBPF (a way to safely run code inside the operating system), then filters with Google’s CEL (a simple rule language). The pitch: cleaner queries, full container context, and fewer hacks—no more fragile “grep all the things” chains.

But the comments came in hot. One skeptic asked the obvious: what’s the trade-off for this power? Another wanted to see actual output—is psc printing a list, a table, JSON? Without that, some felt the promise was a little… theoretical.

The thread erupted into a classic pipes vs policy language showdown. Fans of old-school shell magic argued, “A couple of pipes is easier,” pointing to psc’s quote-heavy filters like a meme-worthy “quote soup.” Others questioned why CEL was embedded at all: just print JSON and let users pipe to jq, the beloved command-line filter. Then came the mic drop: someone showed that vanilla ps already handles the first example elegantly, dunking on the marketing with a “ps already does this” vibe. Between security hardliners cheering kernel-level visibility and minimalists defending their trusty grep, this turned into a command-line culture war—with bonus jokes about “grep -v grep” and “quotes per second.”

Key Points

  • psc is a process scanner that uses eBPF iterators and Google CEL to query system state with full container context.
  • It bypasses the /proc filesystem by reading kernel data structures, aiming to resist LD_PRELOAD and userland rootkit manipulation.
  • psc requires root privileges to load eBPF programs and supports detailed queries on processes, file descriptors, and sockets.
  • It provides container-aware filtering by runtime (docker, containerd, crio, podman), ID, name, image, and labels, enabling host-level debugging.
  • Building psc requires Linux kernel 5.8+, Go 1.25+, Clang/LLVM, libbpf, kernel headers, and bpftool; instructions are provided for Debian/Ubuntu and Fedora/RHEL.
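
The second key point is about two views of the process table disagreeing. As an added illustration (not psc code and not from the psc project), this Python example cross-checks the /proc directory listing against direct kill(pid, 0) probes and reports PIDs that only the probe sees. The function names are hypothetical, and because both views still go through userland library calls, it only catches tampering with the listing, which is narrower than the kernel-side read the key point describes.

```python
import os

def listed_pids(proc="/proc"):
    """View A: PIDs found by listing /proc, the directory read that ps relies on."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def read_tgid(pid, proc="/proc"):
    """Thread-group ID from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"{proc}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def probed_pids(max_pid, proc="/proc"):
    """View B: probe every PID with signal 0, which delivers nothing."""
    alive = {}
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue                      # no such process
        except PermissionError:
            pass                          # exists, owned by another user
        alive[pid] = read_tgid(pid, proc)
    return alive

def hidden_candidates(listed, probed):
    """PIDs that answer a probe but are missing from the /proc listing.

    Non-leader thread IDs (tgid != pid) can answer a probe and are never
    listed in /proc, so they are skipped. tgid None means status was
    unreadable: the process exited mid-scan or access is being filtered.
    """
    return sorted(pid for pid, tgid in probed.items()
                  if pid not in listed and tgid in (pid, None))

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    before = listed_pids()
    probed = probed_pids(max_pid)
    # List again after probing so processes started mid-scan are not flagged.
    for pid in hidden_candidates(before | listed_pids(), probed):
        print(f"PID {pid} answers kill(pid, 0) but is not listed in /proc")
```

A reported PID is a lead to re-check, not proof: a process that starts and exits between the two listings can still show up once.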

Hottest takes

“A couple of pipes to grep seems much easier to remember and type” — WD-42
“You could just output json and pipe to jq” — mgaunard
“Unclear if the default result is list, table, or JSON” — mrbluecoat