Add process group id to execve events (#950) (#1035)#1044
Merged
Conversation
Commits in this PR:

* Add process group id to execve events (#950)
* added PGRP to execve exit event
* Fixed PGRP extraction from /proc
* Added the ability to filter by PGRP
* Fixed indentation
* fixed kernel version check
* added `pgrp` to `sinsp_thread_manager::dump_threads_to_file` & `sinsp_thread_manager::thread_to_scap`
* Replaced obsolete `task_pgrp_nr` with `task_pgrp_nr_ns`
* Renamed `pgrp` to `pgid`
* Handle `getpgid` arguments and update internal state when this system call is executed
* Add missing header file

Each commit carries the trailers:
sysdig-CLA-1.0-contributing-entity: Amir Rossert
sysdig-CLA-1.0-signed-off-by: John Tsai johntsai@paypal.com
mstemm added a commit that referenced this pull request on Feb 21, 2018:
#1044 created a new block type PL_BLOCK_TYPE_V8 that stored the pgid in capture files. We want that block type to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change libscap to keep the current block number at V7 for now. A later PR will undo this change, causing the driver to generate captures with block type V8. At that time, open source sysdig will be widely available and users can read the captures.
mstemm added a commit that referenced this pull request on Feb 21, 2018:
#1044 changed the event number for execve events from 18 to 19, in order to add the pgid to the exit event. We want that event to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change the driver event table to use version 18 for execve events instead of 19. A later PR will undo this change, causing the driver to generate execve events with version 19. At that time, open source sysdig will be widely available and users can read the events in captures.
mstemm added a commit that referenced this pull request on Feb 22, 2018:
#1044 created a new block type PL_BLOCK_TYPE_V8 that stored the pgid in capture files. We want that block type to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change libscap to keep the current block number at V7 for now and to write blocks with the format used by V7 instead of V8. A later PR will undo this change, causing the driver to generate captures with block type V8. At that time, open source sysdig will be widely available and users can read the captures.
mstemm added a commit that referenced this pull request on Feb 22, 2018:
#1044 changed the event number for execve events from 18 to 19, in order to add the pgid to the exit event. We want that event to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change the driver event table to use version 18 for execve events instead of 19. A later PR will undo this change, causing the driver to generate execve events with version 19. At that time, open source sysdig will be widely available and users can read the events in captures.
mstemm added a commit that referenced this pull request on Feb 23, 2018:
#1044 created a new block type PL_BLOCK_TYPE_V8 that stored the pgid in capture files. We want that block type to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change libscap to keep the current block number at V7 for now and to write blocks with the format used by V7 instead of V8. A later PR will undo this change, causing the driver to generate captures with block type V8. At that time, open source sysdig will be widely available and users can read the captures.
mstemm added a commit that referenced this pull request on Feb 23, 2018:
#1044 changed the event number for execve events from 18 to 19, in order to add the pgid to the exit event. We want that event to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change the driver event table to use version 18 for execve events instead of 19, and to return only those fields present in execve version 18. A later PR will undo this change, causing the driver to generate execve events with version 19. At that time, open source sysdig will be widely available and users can read the events in captures.
bertocci pushed a commit that referenced this pull request on Mar 8, 2018:
#1044 created a new block type PL_BLOCK_TYPE_V8 that stored the pgid in capture files. We want that block type to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change libscap to keep the current block number at V7 for now and to write blocks with the format used by V7 instead of V8. A later PR will undo this change, causing the driver to generate captures with block type V8. At that time, open source sysdig will be widely available and users can read the captures.
bertocci pushed a commit that referenced this pull request on Mar 8, 2018:
#1044 changed the event number for execve events from 18 to 19, in order to add the pgid to the exit event. We want that event to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change the driver event table to use version 18 for execve events instead of 19, and to return only those fields present in execve version 18. A later PR will undo this change, causing the driver to generate execve events with version 19. At that time, open source sysdig will be widely available and users can read the events in captures.
bertocci pushed a commit that referenced this pull request on Mar 8, 2018:
#1044 created a new block type PL_BLOCK_TYPE_V8 that stored the pgid in capture files. We want that block type to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change libscap to keep the current block number at V7 for now and to write blocks with the format used by V7 instead of V8. A later PR will undo this change, causing the driver to generate captures with block type V8. At that time, open source sysdig will be widely available and users can read the captures.
bertocci pushed a commit that referenced this pull request on Mar 8, 2018:
#1044 changed the event number for execve events from 18 to 19, in order to add the pgid to the exit event. We want that event to be supported in open source sysdig, and to be known to the agent, but not generated by the agent yet. So we'll change the driver event table to use version 18 for execve events instead of 19, and to return only those fields present in execve version 18. A later PR will undo this change, causing the driver to generate execve events with version 19. At that time, open source sysdig will be widely available and users can read the events in captures.
mstemm added a commit that referenced this pull request on Mar 16, 2018:
#1044 added tracking of a process's process group id (pgid). However, this change didn't completely handle process group ids in a namespace. When reading process information from /proc, it was using the process group id from the global namespace. When tracking execve()s and setpgid()s it would take the pgid from the namespace of the calling process. To fix this, define the pgid to be the pgid from its current pid namespace. And to make this clear, rename it to vpgid everywhere. This commit handles renaming the variable at the scap/sinsp levels. Other changes will fix setpgid() handling to handle cases when it's called in a pid namespace.
mstemm added a commit that referenced this pull request on Mar 28, 2018:
#1044 added tracking of a process's process group id (pgid). However, this change didn't completely handle process group ids in a namespace. When reading process information from /proc, it was using the process group id from the global namespace. When tracking execve()s and setpgid()s it would take the pgid from the namespace of the calling process. To fix this, define the pgid to be the pgid from its current pid namespace. And to make this clear, rename it to vpgid everywhere. This commit handles renaming the variable at the scap/sinsp levels. Other changes will fix setpgid() handling to handle cases when it's called in a pid namespace.
mstemm pushed a commit that referenced this pull request on Mar 29, 2018:
* Rename pgid to vpgid to reflect it's in-namespace

  #1044 added tracking of a process's process group id (pgid). However, this change didn't completely handle process group ids in a namespace. When reading process information from /proc, it was using the process group id from the global namespace. When tracking execve()s and setpgid()s it would take the pgid from the namespace of the calling process. To fix this, define the pgid to be the pgid from its current pid namespace. And to make this clear, rename it to vpgid everywhere. This commit handles renaming the variable at the scap/sinsp levels. Other changes will fix setpgid() handling to handle cases when it's called in a pid namespace.

* Rename the proc.pgid filtercheck to proc.vpgid

  This reflects its real meaning (from the namespace).

* Removing event parsing for setpgid

  This means that if a setpgid occurs, the pgid of the process won't be in-sync again until the next execve(), where the process's pgid is returned by the driver in the exit event. However, we expect that this will cover most cases, and is dramatically simpler.

* Fix logic for setting vpgid

  Comment was right, but test was backwards.
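As an added example (not sysdig's own code) of the mismatch the commits above describe: the `NSpgid` line of `/proc/<pid>/status` lists the process group id as seen from the outermost pid namespace first and from the process's own namespace last, so the last entry is the vpgid that should be compared against what the driver reports at execve exit, while the first entry is the global value the original /proc code picked up. The status text is constructed, and `NSpgid` is assumed to be present (Linux 4.1 and later).

```python
# Constructed /proc/<pid>/status excerpt for a process inside a container
# (nested pid namespace). NSpid/NSpgid list the id as seen from the outermost
# namespace first and from the process's own namespace last (Linux >= 4.1).
SAMPLE_CONTAINER_STATUS = (
    "Name:\tsleep\n"
    "Tgid:\t4242\n"
    "Pid:\t4242\n"
    "PPid:\t4200\n"
    "NSpid:\t4242\t7\n"
    "NSpgid:\t4210\t5\n"
)

# Constructed excerpt for a process in the initial pid namespace: one entry each.
SAMPLE_HOST_STATUS = "Name:\tbash\nPid:\t1337\nNSpid:\t1337\nNSpgid:\t1337\n"


def parse_ns_ids(status_text):
    """Map NSpid/NSpgid/NSsid to their per-namespace id lists."""
    ids = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("NSpid", "NSpgid", "NSsid"):
            ids[key] = [int(x) for x in value.split()]
    return ids


def pgid_views(status_text):
    """Global and in-namespace pgid, or None when NSpgid is absent (old kernels)."""
    ns = parse_ns_ids(status_text).get("NSpgid")
    if not ns:
        return None
    return {"global_pgid": ns[0], "vpgid": ns[-1], "ns_depth": len(ns)}


def agrees_with_driver(status_text, driver_pgid, namespace_view=True):
    """Compare the /proc-derived pgid with the one the driver reports at execve
    exit, which is taken in the calling process's own pid namespace.
    namespace_view=False reproduces the original mismatch: the global /proc
    value checked against the in-namespace event value."""
    views = pgid_views(status_text)
    if views is None:
        return False
    candidate = views["vpgid"] if namespace_view else views["global_pgid"]
    return candidate == driver_pgid


def live_pgid_views(pid):
    """Run the same analysis against a real process on a Linux host."""
    with open(f"/proc/{pid}/status") as f:
        return pgid_views(f.read())
```

For a host process the two views coincide, which is why the bug only showed up for processes in a container or other nested pid namespace.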
We had to revert an earlier commit of these changes as they were interfering with the operation of other sysdig products. I reverted that commit and put the changes back in this PR. We'll merge this PR when we can coordinate the timing of the related products.