Skip to content

processes: add cgroup_path column on Linux#7728

Merged
directionless merged 5 commits intoosquery:masterfrom
artemist-work:processes-cgroup
Aug 17, 2022
Merged

processes: add cgroup_path column on Linux#7728
directionless merged 5 commits intoosquery:masterfrom
artemist-work:processes-cgroup

Conversation

@artemist-work
Copy link
Copy Markdown
Contributor

@artemist-work artemist-work commented Aug 11, 2022

This will read the full cgroup path out of /proc for each process in the process table. I've tested this with cgroup v2 (unified hierarchies) but have not yet tested it with cgroup v1 (where each group type has a separate hierarchy). On cgroup v1 it should report the first cgroup it's in but that may not be consistently the same type. Proper cgroup v1 support would require a different schema as each process can be in 13 different hierarchies.

This does involve several string copies but I couldn't find a clean way of doing it with fewer.

@artemist-work artemist-work marked this pull request as ready for review August 11, 2022 19:47
@artemist-work artemist-work requested review from a team as code owners August 11, 2022 19:47
@artemist-work artemist-work mentioned this pull request Aug 12, 2022
Open
directionless
directionless reviewed Aug 12, 2022
View reviewed changes
alessandrogario
alessandrogario requested changes Aug 13, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@alessandrogario alessandrogario left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a great feature, and will make the processes table incredibly useful for hosts with running containers!

@mike-myers-tob mike-myers-tob added Linux ready for review Pull requests that are ready to be reviewed by a maintainer containers labels Aug 15, 2022
@mike-myers-tob mike-myers-tob changed the title processes: add cgroup_path column on Linux processes: add cgroup_path column on Linux Aug 15, 2022
@mike-myers-tob mike-myers-tob added this to the 5.6.0 milestone Aug 15, 2022
@artemist-work
Copy link
Copy Markdown
Contributor Author

artemist-work commented Aug 15, 2022

Okay, I added some unit tests tests and cleaned up /proc/<pid>/cgroup parsing to use fewer copies. It's still a bit strange since C++ functions always seem to do precisely what you don't want them to do.

alessandrogario
alessandrogario requested changes Aug 15, 2022
View reviewed changes
@artemist-work
Copy link
Copy Markdown
Contributor Author

artemist-work commented Aug 16, 2022

My latest patch should remove the time penalty if cgroup is not used but build seems to be failing. I can't pinpoint the exact bug and I seem to not have permission to rerun

@directionless directionless merged commit a469e63 into osquery:master Aug 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@directionless directionless directionless left review comments

@alessandrogario alessandrogario alessandrogario approved these changes

Assignees

No one assigned

Labels

containers Linux ready for review Pull requests that are ready to be reviewed by a maintainer virtual tables

Projects

None yet

Milestone

5.6.0

Development

Successfully merging this pull request may close these issues.

4 participants

@artemist-work @directionless @alessandrogario @mike-myers-tob