Open is well, but we're back to original question.

It's the check(cooked Event) function that causes fileopen crushed,
and now I'am sorry to say that i've forgot why i add this function,
maybe to check ppid and pid in database in just one function but not
the head of each function. However, the check in each function isn't
deleted. I discover it by comparing source code with 5d244e3. In
theory this would only result in the increase of delay. How does it
affect on the fileopen and causes failure? No one knows.

The same to kernel connector. If we still add delay while pid exits,
the connector will say "Error recv: no enough buffer space", but if
we delete the delay, all modules work well. What actually makes the
delay in pid exit causes no enouth buffer of connector? How outra-
geous it is!

Now I've come back to the original question: when i start and use
docker quickly(`start && exec && exit` in just one command), the file
open/write/close is faithfully recorded; but if i use interactive
shell and use vim to change file in docker, nothing happens.

Why? Why? Why?

3 files changed, 9 insertions, 37 deletions

diff --git a/connector/hello.c b/connector/hello.c
index 5240c15..c0fc633 100644
--- a/connector/hello.c
+++ b/connector/hello.c
@@ -8,11 +8,10 @@
 #include <signal.h>
 #include <linux/netlink.h>
 #include <linux/connector.h>
-// #include <linux/cn_proc.h>
+#include <linux/cn_proc.h>
 #include <unistd.h>
 #include <errno.h>
 #include <time.h>
-#include "cn_proc.h"
 
 typedef struct __attribute__((aligned(NLMSG_ALIGNTO)))
 {
@@ -55,16 +54,16 @@ void Now()
 
 void printEvent()
 {
-    union unnamed *procEvent = &proc_msg.proc_ev.event_data;
+    // union unnamed *procEvent = &proc_msg.proc_ev.event_data;
     switch (proc_msg.proc_ev.what)
     {
     case PROC_EVENT_FORK:
         Now();
-        printf("Fork\t%6d\t%6d\t%6d\t%6d\n", procEvent->fork.parent_pid, procEvent->fork.parent_tgid, procEvent->fork.child_pid, procEvent->fork.child_tgid);
+        printf("Fork\t%6d\t%6d\t%6d\t%6d\n", proc_msg.proc_ev.event_data.fork.parent_pid, proc_msg.proc_ev.event_data.fork.parent_tgid, proc_msg.proc_ev.event_data.fork.child_pid, proc_msg.proc_ev.event_data.fork.child_tgid);
         break;
     case PROC_EVENT_EXIT:
         Now();
-        printf("Exit\t%6d\t%6d\t%6d\t%6d\n", procEvent->exit.process_pid, procEvent->exit.process_tgid, procEvent->exit.exit_code, procEvent->exit.exit_signal);
+        printf("Exit\t%6d\t%6d\t%6d\t%6d\n", proc_msg.proc_ev.event_data.exit.process_pid, proc_msg.proc_ev.event_data.exit.process_tgid, proc_msg.proc_ev.event_data.exit.exit_code, proc_msg.proc_ev.event_data.exit.exit_signal);
         break;
     case PROC_EVENT_EXEC:
     default:
diff --git a/src/deal.go b/src/deal.go
index 3119fff..ae69003 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -55,31 +55,25 @@ func deal() {
                         break
                 }
 
-                // fmt.Printf("%v\n", cooked)
-
                 switch cooked.tag {
                 case NEWPID:
                         dealNewPid(cooked)
                 case EXECVE:
-                        check(cooked)
                         dealExecve(cooked)
                 case PIDEXIT:
-                        check(cooked)
                         deletePid(cooked)
                 case FILEOPEN:
-                        check(cooked)
                         fileOpen(cooked)
                 case FILEWRITE:
-                        check(cooked)
                         fileWrite(cooked)
                 case FILECLOSE:
-                        check(cooked)
                         fileClose(cooked)
                 }
         }
 }
 
 func deletePid(cooked Event) {
+        // TODO: 是否还需要延时？
         // time.Sleep(1 * time.Second)
         mongoMutex.Lock()
         // 先从老爹那里销户
@@ -197,6 +191,7 @@ func dealExecve(cooked Event) {
 }
 
 func fileOpen(cooked Event) {
+        fmt.Printf("Open: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
         // 查看是否记录了该进程
         res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
         if err != nil {
@@ -228,6 +223,7 @@ func fileOpen(cooked Event) {
 }
 
 func fileClose(cooked Event) {
+        fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
         // 直接看文件表有无记录
         res, err := fdCol.Finddoc(bson.M{
                 "pid":             cooked.pid,
@@ -248,6 +244,7 @@ func fileClose(cooked Event) {
 }
 
 func fileWrite(cooked Event) {
+        fmt.Printf("Write: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
         // 直接看文件表有无记录
         res, err := fdCol.Finddoc(bson.M{
                 "pid":             cooked.pid,
@@ -266,27 +263,3 @@ func fileWrite(cooked Event) {
                 "close_timestamp": bson.M{"$exists": false},
         }, bson.M{"$push": bson.M{"written": cooked.timestamp}})
 }
-
-func check(cooked Event) {
-        // 检查进程是否需要记录
-        // 有无父进程在观察中
-        docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
-        if err != nil || len(docRes) != 1 {
-                return
-        }
-
-        // 自身是否已经记录
-        docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
-        if err != nil {
-                fmt.Printf("Err finding: %v\n", err)
-                return
-        }
-        if len(docRes) == 0 {
-                pidCol.InsertOne(bson.M{
-                        "ppid":            cooked.ppid,
-                        "pid":             cooked.pid,
-                        "children":        []bson.M{},
-                        "start_timestamp": cooked.timestamp,
-                })
-        }
-}
diff --git a/src/godo.go b/src/godo.go
index c332c86..cbd9e0a 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -147,7 +147,7 @@ func checkProc(pCooked *Event) {
         fileName := fmt.Sprintf("/proc/%d/cmdline", pCooked.pid)
         fd, err := os.Open(fileName)
         if err != nil {
-                fmt.Printf("Err opening file %s: %v\n", fileName, err)
+                fmt.Printf("Err: %v\n", err)
                 return
         }