author | We-unite <3205135446@qq.com> | 2024-08-05 14:56:57 +0800 |
---|---|---|
committer | We-unite <3205135446@qq.com> | 2024-08-05 14:56:57 +0800 |
commit | 2c2975d032b1c26fd0094c8d3aa568251b5c9c6a (patch) | |
tree | fca1b95df9caadd6608a4572685ef9c78cca82b8 /src/basefunc.go | |
parent | f29dff60ef36ef9903df4f767393bcba2ac3ce83 (diff) | |
download | godo-2c2975d032b1c26fd0094c8d3aa568251b5c9c6a.tar.gz godo-2c2975d032b1c26fd0094c8d3aa568251b5c9c6a.zip |
The fds problem may come from slow consumption

There are some possible reasons that have been thought of:
- auditd lost. Each time I use `auditctl -b xxx` or `auditctl
--reset-lost`, there is always a big number lost. At first I
thought it meant how much auditd info was lost through the net, or
how much was thrown away because the audit info queue in the kernel
was full. However, from the src code of the kernel, it actually means
how much is thrown away as there's no listener of auditd info. In
other words, audit is a userspace-kernel function, but not two
independent parts.
- audit backlog size. As above.

But when I only listen to the syscall "open", I can almost always
hear the info in the docker. So I think this may be because the
audit info production is flooding, while in this program I check this
and that, which costs too much time, so the consumption is far slower.

As the next step, I will use MVC: all recvd info will be pushed into the
database, and I will add a new independent part to keep the database clean
and clear.

The key problem is, a process can open file1 as fd 3, write, close,
and open file2 as fd 3, write, close: which means I must figure out
which file to write when a "write" event comes. Now I check the
pid/fd/close_time in the database to choose which is written, but finding
and checking docs also takes lots of time. Maybe use two collections, one
for fds that records files not closed, the other recording closed files?

Besides, clone/fork/pthread_create all use syscall clone, but
their flags are different. Maybe I can also use the `pid/tgid` pair to
distinguish between process and thread. Good idea.

Be quick, half of your internship has passed. What kind of answer
will you hand in?
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions
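
The two-collection idea from the commit message (open descriptors in one place, closed files in another), sketched in Go as an added example. It is not godo's own code: `fdTracker`, its methods and the event values are hypothetical. An open on a `pid/fd` pair that is still live is treated as a sign that the close event was lost.

```go
package main

import "fmt"

type fdKey struct{ pid, fd int } // an fd number is only unique inside one process

// openFile is one open-to-close lifetime of a descriptor.
type openFile struct {
	path              string
	openSeq, closeSeq uint64 // event order; closeSeq 0 means still open
}

// fdTracker keeps live descriptors in a map and finished ones in a list.
type fdTracker struct {
	open   map[fdKey]*openFile
	closed []*openFile
}

func newFdTracker() *fdTracker { return &fdTracker{open: map[fdKey]*openFile{}} }

// retire moves a live entry, if any, to the closed list.
func (t *fdTracker) retire(k fdKey, seq uint64) {
	if f, ok := t.open[k]; ok {
		f.closeSeq = seq
		t.closed = append(t.closed, f)
		delete(t.open, k)
	}
}
func (t *fdTracker) onClose(pid, fd int, seq uint64) { t.retire(fdKey{pid, fd}, seq) }
func (t *fdTracker) onOpen(pid, fd int, path string, seq uint64) {
	t.retire(fdKey{pid, fd}, seq) // fd reused with no close seen: close was lost
	t.open[fdKey{pid, fd}] = &openFile{path: path, openSeq: seq}
}

// onWrite returns the file a write hit, or "" if its open was never seen.
func (t *fdTracker) onWrite(pid, fd int) string {
	if f, ok := t.open[fdKey{pid, fd}]; ok {
		return f.path
	}
	return ""
}

func main() {
	t := newFdTracker() // constructed events: pid 100 reuses fd 3
	t.onOpen(100, 3, "/tmp/file1", 1)
	fmt.Println(t.onWrite(100, 3))
	t.onClose(100, 3, 2)
	t.onOpen(100, 3, "/tmp/file2", 3)
	fmt.Println(t.onWrite(100, 3), len(t.closed))
}
```

A write event is resolved with one map lookup on `pid/fd`, so no `close_time` comparison is needed; the closed list is only appended to and can be flushed to the database in batches.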