Support major/minor device numbers for fd events [SMAGENT-1316] #1315
Conversation
userspace/libsinsp/parsers.cpp
Outdated
| ASSERT(parinfo->m_len == sizeof(uint32_t)); | ||
| flags = *(uint32_t *)parinfo->m_val; | ||
|
|
||
| parinfo = evt->get_param(4); |
There was a problem hiding this comment.
Please take a look at https://github.com/draios/sysdig/wiki/Modify-a-pre-existent-event-or-block-entry and patch the changes to this function to safely access event parameters that may be not available when reading older captures.
There was a problem hiding this comment.
I'd like to add the device field to scap files as well. Am I correct that this will require introducing SCAP_FILE_V3?
There was a problem hiding this comment.
No, as for updates of pre-existent events, changing the block entry version is no longer required. In the same document I've linked to you above there's a section describing the high level changes that you'll need to make.
To test the result, you can create captures with and without the new field and verify (with a debug-enabled sysdig build) that you're able to read them with both the new and the old code.
anoop-sysd
changed the title
userspace/libsinsp/logger.cpp
Outdated
| #include "sinsp.h" | ||
| #include "sinsp_int.h" | ||
|
|
||
| const size_t ENCODE_LEN = 6; |
There was a problem hiding this comment.
this is @bertocci 's patch I picked up as a part of the PR (some logging fixes for mountedfs_reader)
There was a problem hiding this comment.
would it make sense to have a separate review for that since it seems several of the comments pertained to that?
driver/bpf/filler_helpers.h
Outdated
| { | ||
| struct file *file; | ||
| struct dentry *dentry; | ||
| unsigned major = MAJOR(dev); |
There was a problem hiding this comment.
presumably the definition of this function MAJOR matches the below get_device_major?
There was a problem hiding this comment.
Nope, the get_device_*() were wrong. Fixed.
| struct dentry *dentry; | ||
| unsigned major = MAJOR(dev); | ||
| unsigned minor = MINOR(dev); | ||
| return (minor & 0xff) | (major << 8) | ((minor & ~0xff) << 12); |
There was a problem hiding this comment.
who picks up this encoding?
There was a problem hiding this comment.
MAJOR and MINOR revert the encoding done by makedev, this is all part of the ABI (sys/types.h, st_dev encoding in struct stat). The kernel stores the device as a single 32-bit number which we decode (in various places) to a major:minor pair.
userspace/libsinsp/logger.cpp
Outdated
| { | ||
| if(log_output_type & (sinsp_logger::OT_STDOUT | sinsp_logger::OT_STDERR)) | ||
| // Store these values and clear them so we can do other bit tests | ||
| bool include_ts = (log_output_type & OT_NOTS) == 0; |
There was a problem hiding this comment.
kind of weird to do a numerical comparison here and not below? might be consistent to just do !(log_output_type & OT_NOTS)
why not just make a copy of the whole log_output_type and perform the tests against that?
userspace/libsinsp/logger.cpp
Outdated
| time_t rawtime = (time_t)ts.tv_sec; | ||
| struct tm* time_info = gmtime(&rawtime); | ||
| snprintf(m_tbuf, sizeof(m_tbuf), "%.2d-%.2d %.2d:%.2d:%.2d.%.6d ", | ||
| snprintf(&m_tbuf[prefix_len], sizeof(m_tbuf), "%.2d-%.2d %.2d:%.2d:%.2d.%.6d ", |
There was a problem hiding this comment.
shouldn't this be sizeof(m_tbuf) - prefix_len?
userspace/libsinsp/logger.cpp
Outdated
| (int)ts.tv_usec); | ||
| msg.insert(0, m_tbuf, 22); | ||
| // 22 including trailing space "10-31 23:59:59.123456 " | ||
| prefix_len += 22; |
There was a problem hiding this comment.
snprintf returns the number of characters written. it would be safer to use that directly. we can assert it's as expected if necessary
userspace/libsinsp/logger.cpp
Outdated
| const char *sinsp_logger::encode_severity(const severity sev) | ||
| { | ||
| // All severity strings should be ENCODE_LEN chars long | ||
| static const std::string pre("SEV"); |
There was a problem hiding this comment.
These should be defined along side the enum where we define the severities, and probably can be put in an array we can directly index.
userspace/libsinsp/logger.cpp
Outdated
|
|
||
| if (str.length() < ENCODE_LEN) | ||
| { | ||
| return static_cast<severity>(SEV_MAX+1); |
There was a problem hiding this comment.
SEV_MAX + 1 ? so not really the max? perhaps SEV_UNSPECIFIED or something?
userspace/libsinsp/logger.cpp
Outdated
|
|
||
| // Try from max->min because we expect fewer logs for crit, error, etc. | ||
| const std::string prefix = str.substr(0, ENCODE_LEN); | ||
| for (int ii = SEV_MAX; ii >= SEV_MIN; ii--) |
|
@mattpag , I added the code to save/restore device ids in scap files and to get them during the initial /proc scan, please take a look. I'm not a fan of how the /proc scan code turned out (esp. with the hash table), suggestions appreciated |
gnosek
force-pushed
the
nfs
branch
2 times, most recently
from
dfe8832 to
a5ea3cc
Compare
|
@mattpag , I tested recording scap files with old/new driver/sysdig combinations (except for old/old) and the reading them back with old/new versions:
everything works fine (where possible, i.e. can't expect fd.dev.* to work on a scap file captured with old sysdig, regardless of the driver version) Any further comments? |
| mode = open_modes_to_scap(val, mode); | ||
| res = bpf_val_to_ring(data, mode); | ||
| if (res != PPM_SUCCESS) | ||
| return res; |
There was a problem hiding this comment.
We have single-line conditionals without braces {} in the same function as single-line conditionals with braces (line 168). Please just include braces around all your conditionals.
| { | ||
| dev = 0; | ||
| } | ||
| res = bpf_val_to_ring(data, dev); |
There was a problem hiding this comment.
It seems like you're overwriting the value of res assigned on line 2216 without checking it. Please check res against PPM_SUCCESS at the end of the mode block.
driver/bpf/fillers.h
Outdated
| * Device | ||
| */ | ||
| if (retval < 0 || !bpf_get_fd_dev_ino(retval, &dev, &ino)) | ||
| { |
There was a problem hiding this comment.
Again, here we have braces around a single-line conditional, while above we don't. Please use braces around all conditionals for consistency and safety.
(I understand that some of this code was C&P, but at least with this change we can avoid making the problem worse ;)
There was a problem hiding this comment.
Please keep in mind this is kernel code, and so it should respect the kernel coding conventions (as specified on the top of https://github.com/draios/sysdig/blob/dev/coding_conventions.md). Kernel coding conventions use no braces for single statements block. For all this code I've tried to respect them. You can use the convenient and thorough checkpatch.pl script in the kernel sources, which will suggest you the right formatting changes for a given file (some suggestions are non actionable for external code like ours, but most are).
I can also see a few formatting errors slipped in with the last batch of changes when getsockopt support was implemented in this code.
There was a problem hiding this comment.
good point about checkpatch.pl, I forgot about it. Now the PR is checkpatch-clean except for some long lines. I'll clean up getsockopt with a separate PR.
gnosek
force-pushed
the
nfs
branch
3 times, most recently
from
e399a35 to
0fb14de
Compare
gnosek
force-pushed
the
nfs
branch
2 times, most recently
from
c09da10 to
e5c8f56
Compare
gnosek
changed the title
The encoding is compatible with st_dev in (userspace) struct stat
* fd.dev=DEVICE (st_dev compatible layout) * fd.dev.major=MAJOR (major device number, decimal) * fd.dev.minor=MINOR (minor device number, decimal)
Add fd.dev, fd.dev.major and fd.dev.minor filters to enable filtering by underlying device, or e.g. just limit the events reported to physical disks (
fd.dev.major > 0)