diff options
| author |   We-unite <3205135446@qq.com> | 2024-08-07 19:08:59 +0800 |
|---|---|---|
| committer | We-unite <3205135446@qq.com> | 2024-08-07 19:08:59 +0800 |
| commit | ea32e017e579f168d87732893335c38d539ac2f1 (patch) | |
| tree | 96a893ae0ffd4c5186e1c87f2fd7c60a125e970a /src/organize.go | |
| parent | 2104c8ac26f320eacc3fa04d608843c3bf0fdc57 (diff) | |
| download | godo-collector.tar.gz godo-collector.zip | |
Print err in stderr, Find out docker rootfs.collector
When I use godo, error infomation comes along with other output, so
change all err report into stderr. And I listen to `pivot_root` sys-
call to find out the root file system of dockers. However, I'm afraid
of causing too more delay, so don't check rootfs of ppid and record
in the pid. Besides, the method to deal with pivot_root is hardcoded,
which may causes crush.
Shall I listen to the chdir syscall to find out exact cwd? Maybe It's
useful to the pivot_root?
Next step: Find out appropriate data stracture, and add more file
operations to be watched. This task must be completed this week.
Diffstat (limited to 'src/organize.go')
| -rw-r--r-- | src/organize.go | 81 |
1 files changed, 49 insertions, 32 deletions
diff --git a/src/organize.go b/src/organize.go index 12119ad..293371b 100644 --- a/src/organize.go +++ b/src/organize.go | |||
| @@ -2,6 +2,7 @@ package main | |||
| 2 | 2 | ||
| 3 | import ( | 3 | import ( |
| 4 | "fmt" | 4 | "fmt" |
| 5 | "os" | ||
| 5 | "regexp" | 6 | "regexp" |
| 6 | "strconv" | 7 | "strconv" |
| 7 | "strings" | 8 | "strings" |
| @@ -21,14 +22,15 @@ var ok bool | |||
| 21 | var event Event | 22 | var event Event |
| 22 | var pEvent *Event | 23 | var pEvent *Event |
| 23 | var eventId, argc int | 24 | var eventId, argc int |
| 24 | var errs [6]error | 25 | |
| 26 | // var errs [6]error | ||
| 25 | 27 | ||
| 26 | // 要用的正则匹配列表 | 28 | // 要用的正则匹配列表 |
| 27 | var ( | 29 | var ( |
| 28 | syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`) | 30 | syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`) |
| 29 | execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) | 31 | execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) |
| 30 | argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) | 32 | argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) |
| 31 | pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.*?name="(.*?)"`) | 33 | pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`) |
| 32 | cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) | 34 | cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) |
| 33 | proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) | 35 | proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) |
| 34 | eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) | 36 | eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) |
| @@ -47,22 +49,22 @@ func orgnaze() { | |||
| 47 | break | 49 | break |
| 48 | } | 50 | } |
| 49 | rawEvent = raw.(libaudit.RawAuditMessage) | 51 | rawEvent = raw.(libaudit.RawAuditMessage) |
| 52 | // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data) | ||
| 50 | 53 | ||
| 51 | switch rawEvent.Type { | 54 | switch rawEvent.Type { |
| 52 | case auparse.AUDIT_SYSCALL: | 55 | case auparse.AUDIT_SYSCALL: |
| 53 | go syscallRaw(rawEvent) | 56 | syscallRaw(rawEvent) |
| 54 | case auparse.AUDIT_EXECVE: | 57 | case auparse.AUDIT_EXECVE: |
| 55 | go execve(rawEvent) | 58 | execve(rawEvent) |
| 56 | case auparse.AUDIT_CWD: | 59 | case auparse.AUDIT_CWD: |
| 57 | go cwd(rawEvent) | 60 | cwd(rawEvent) |
| 58 | case auparse.AUDIT_PATH: | 61 | case auparse.AUDIT_PATH: |
| 59 | go path(rawEvent) | 62 | path(rawEvent) |
| 60 | case auparse.AUDIT_PROCTITLE: | 63 | case auparse.AUDIT_PROCTITLE: |
| 61 | go proctitle(rawEvent) | 64 | proctitle(rawEvent) |
| 62 | case auparse.AUDIT_EOE: | 65 | case auparse.AUDIT_EOE: |
| 63 | go eoe(rawEvent) | 66 | eoe(rawEvent) |
| 64 | default: | 67 | default: |
| 65 | // ATTENTION: 这里也需要做防护 | ||
| 66 | } | 68 | } |
| 67 | } | 69 | } |
| 68 | } | 70 | } |
| @@ -74,28 +76,34 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 74 | 76 | ||
| 75 | var exit int | 77 | var exit int |
| 76 | var a [4]uint64 | 78 | var a [4]uint64 |
| 79 | var subj [4]string | ||
| 77 | // 捕获基础信息 | 80 | // 捕获基础信息 |
| 78 | match := syscallRegex.FindSubmatch(rawEvent.Data) | 81 | match := syscallRegex.FindSubmatch(rawEvent.Data) |
| 79 | event.timestamp, errs[0] = getTimeFromStr(string(match[1])) | 82 | event.timestamp, _ = getTimeFromStr(string(match[1])) |
| 80 | eventId, errs[1] = strconv.Atoi(string(match[2])) | 83 | eventId, _ = strconv.Atoi(string(match[2])) |
| 81 | event.syscall, errs[2] = strconv.Atoi(string(match[3])) | 84 | event.syscall, _ = strconv.Atoi(string(match[3])) |
| 82 | if string(match[4]) == "" { | 85 | if string(match[4]) == "" { |
| 83 | // exit没捕获到 | 86 | // exit没捕获到 |
| 84 | exit = 0 | 87 | exit = 0 |
| 85 | } else { | 88 | } else { |
| 86 | exit, errs[3] = strconv.Atoi(string(match[4])) | 89 | exit, _ = strconv.Atoi(string(match[4])) |
| 90 | } | ||
| 91 | event.ppid, _ = strconv.Atoi(string(match[5])) | ||
| 92 | event.pid, _ = strconv.Atoi(string(match[6])) | ||
| 93 | |||
| 94 | // 几个subj,说不定会有用 | ||
| 95 | for i := 0; i < 4; i++ { | ||
| 96 | subj[i] = string(match[7+i]) | ||
| 87 | } | 97 | } |
| 88 | event.ppid, errs[4] = strconv.Atoi(string(match[5])) | ||
| 89 | event.pid, errs[5] = strconv.Atoi(string(match[6])) | ||
| 90 | 98 | ||
| 91 | // 捕获参数 | 99 | // 捕获参数 |
| 92 | if !argsRegex.Match(rawEvent.Data) { | 100 | if !argsRegex.Match(rawEvent.Data) { |
| 93 | fmt.Printf("Error: don't get args in syscall event!\n") | 101 | fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n") |
| 94 | return | 102 | return |
| 95 | } | 103 | } |
| 96 | argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) | 104 | argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) |
| 97 | for i := 0; i < 4; i++ { | 105 | for i := 0; i < 4; i++ { |
| 98 | a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) | 106 | a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) |
| 99 | } | 107 | } |
| 100 | 108 | ||
| 101 | switch syscallTable[event.syscall] { | 109 | switch syscallTable[event.syscall] { |
| @@ -128,7 +136,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 128 | argv: make([]string, 0), | 136 | argv: make([]string, 0), |
| 129 | cwd: "", | 137 | cwd: "", |
| 130 | syscallParam: a, | 138 | syscallParam: a, |
| 131 | pathName: "", | 139 | srcPath: "", |
| 132 | }) | 140 | }) |
| 133 | case "write": | 141 | case "write": |
| 134 | eventTable.Store(eventId, &Event{ | 142 | eventTable.Store(eventId, &Event{ |
| @@ -142,7 +150,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 142 | argv: make([]string, 0), | 150 | argv: make([]string, 0), |
| 143 | cwd: "", | 151 | cwd: "", |
| 144 | syscallParam: a, | 152 | syscallParam: a, |
| 145 | // pathName: "", | ||
| 146 | }) | 153 | }) |
| 147 | case "close": | 154 | case "close": |
| 148 | // 文件关闭 | 155 | // 文件关闭 |
| @@ -157,8 +164,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 157 | argv: make([]string, 0), | 164 | argv: make([]string, 0), |
| 158 | cwd: "", | 165 | cwd: "", |
| 159 | syscallParam: a, | 166 | syscallParam: a, |
| 160 | // pathName: "", | ||
| 161 | }) | 167 | }) |
| 168 | case "pivot_root": | ||
| 169 | if subj[2] == "container_runtime_t" { | ||
| 170 | eventTable.Store(eventId, &Event{ | ||
| 171 | tag: PIVOTROOT, | ||
| 172 | timestamp: event.timestamp, | ||
| 173 | syscall: event.syscall, | ||
| 174 | ppid: event.ppid, | ||
| 175 | pid: event.pid, | ||
| 176 | syscallParam: a, | ||
| 177 | }) | ||
| 178 | } | ||
| 162 | } | 179 | } |
| 163 | } | 180 | } |
| 164 | 181 | ||
| @@ -168,14 +185,14 @@ func execve(rawEvent libaudit.RawAuditMessage) { | |||
| 168 | } | 185 | } |
| 169 | 186 | ||
| 170 | match := execveRegex.FindSubmatch(rawEvent.Data) | 187 | match := execveRegex.FindSubmatch(rawEvent.Data) |
| 171 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 188 | eventId, _ = strconv.Atoi(string(match[1])) |
| 172 | argc, errs[1] = strconv.Atoi(string(match[2])) | 189 | argc, _ = strconv.Atoi(string(match[2])) |
| 173 | tmp, ok = eventTable.Load(eventId) | 190 | tmp, ok = eventTable.Load(eventId) |
| 174 | if !ok { | 191 | if !ok { |
| 175 | return | 192 | return |
| 176 | } | 193 | } |
| 177 | pEvent = tmp.(*Event) | 194 | pEvent = tmp.(*Event) |
| 178 | if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) { | 195 | if argsRegex.Match(rawEvent.Data) { |
| 179 | match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) | 196 | match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) |
| 180 | for i := 0; i < argc; i++ { | 197 | for i := 0; i < argc; i++ { |
| 181 | if len(match[i][2]) == 0 { | 198 | if len(match[i][2]) == 0 { |
| @@ -196,7 +213,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) { | |||
| 196 | } | 213 | } |
| 197 | 214 | ||
| 198 | match := cwdRegex.FindSubmatch(rawEvent.Data) | 215 | match := cwdRegex.FindSubmatch(rawEvent.Data) |
| 199 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 216 | eventId, _ = strconv.Atoi(string(match[1])) |
| 200 | tmp, ok = eventTable.Load(eventId) | 217 | tmp, ok = eventTable.Load(eventId) |
| 201 | if !ok { | 218 | if !ok { |
| 202 | return | 219 | return |
| @@ -211,7 +228,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) { | |||
| 211 | 228 | ||
| 212 | var cmdline string | 229 | var cmdline string |
| 213 | match := proctitleRegex.FindSubmatch(rawEvent.Data) | 230 | match := proctitleRegex.FindSubmatch(rawEvent.Data) |
| 214 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 231 | eventId, _ = strconv.Atoi(string(match[1])) |
| 215 | tmp, ok = eventTable.Load(eventId) | 232 | tmp, ok = eventTable.Load(eventId) |
| 216 | if !ok { | 233 | if !ok { |
| 217 | return | 234 | return |
| @@ -236,14 +253,13 @@ func eoe(rawEvent libaudit.RawAuditMessage) { | |||
| 236 | } | 253 | } |
| 237 | 254 | ||
| 238 | match := eoeRegex.FindSubmatch(rawEvent.Data) | 255 | match := eoeRegex.FindSubmatch(rawEvent.Data) |
| 239 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 256 | eventId, _ = strconv.Atoi(string(match[1])) |
| 240 | tmp, ok = eventTable.Load(eventId) | 257 | tmp, ok = eventTable.Load(eventId) |
| 241 | if !ok { | 258 | if !ok { |
| 242 | return | 259 | return |
| 243 | } | 260 | } |
| 244 | cooked := *(tmp.(*Event)) | 261 | cooked := *(tmp.(*Event)) |
| 245 | cookedChan <- cooked | 262 | cookedChan <- cooked |
| 246 | // fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid) | ||
| 247 | eventTable.Delete(eventId) // 死人别占地 | 263 | eventTable.Delete(eventId) // 死人别占地 |
| 248 | } | 264 | } |
| 249 | 265 | ||
| @@ -252,8 +268,9 @@ func path(rawEvent libaudit.RawAuditMessage) { | |||
| 252 | return | 268 | return |
| 253 | } | 269 | } |
| 254 | match := pathRegex.FindSubmatch(rawEvent.Data) | 270 | match := pathRegex.FindSubmatch(rawEvent.Data) |
| 255 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 271 | eventId, _ = strconv.Atoi(string(match[1])) |
| 256 | name := string(match[2]) | 272 | // item, _ := strconv.Atoi(string(match[2])) |
| 273 | name := string(match[3]) | ||
| 257 | 274 | ||
| 258 | tmp, ok = eventTable.Load(eventId) | 275 | tmp, ok = eventTable.Load(eventId) |
| 259 | if !ok { | 276 | if !ok { |
| @@ -267,8 +284,8 @@ func path(rawEvent libaudit.RawAuditMessage) { | |||
| 267 | } | 284 | } |
| 268 | 285 | ||
| 269 | if name[0] == '/' { | 286 | if name[0] == '/' { |
| 270 | pEvent.pathName = name | 287 | pEvent.srcPath = name |
| 271 | } else { | 288 | } else { |
| 272 | pEvent.pathName += "/" + name | 289 | pEvent.srcPath += "/" + name |
| 273 | } | 290 | } |
| 274 | } | 291 | } |