aboutsummaryrefslogtreecommitdiffstats
path: root/logs (unfollow)
Commit message (Collapse)AuthorFilesLines
2024-07-22Use mongodb, insert process info into itWe-unite7-111/+216
I failed to print the process tree out. While I'm printing the tree, the tree itself gets changed, maybe deleted. What's more, the output show that there are 4 lines with the same ppid and pid, how an absurd result! It may be caused by multi-thread. So, use database instead. Mongodb uses bson(binary json) to store data but not relational database like mysql, which means it's more easy to use.(?) Beside inserting, I've also solved a question that "fork" is called once but returns twice. For instance, pid 1 forked pid 2, in the audit log it's not an event "syscall=clone,ppid=1,pid=2", but actually two events "syscall=clone,exit=0,ppid=0,pid=1" and "syscall=clone,exit= 2,ppid=0,pid=1", which is just what we see in sys_fork in kernel source. To deal with this, when syscall is clone and exit is 0 we just drop it. Left question: To find out the exit code when a process exit/exit_group, and finish the code to record it in the database.
2024-07-19Depart the whole program into several files.We-unite11-535/+580
Put all the src code in only one file is to ugly, so devide it! and mv them into src dir to keep the whole repo clear.
2024-07-19Fix some bugs, and 3nd coroutine can get pid tree.baseWe-unite2-51/+113
For some reasons, the linux kernel has made some changes in syscalls. As shown in src code, we pay attention to fork/vfork/clone to create process, while exit/exit_group to kill it. From my opinion, the fork and clone syscall should be totally different, otherwise there will be only one syscall. However, according to the logs, I heard only clone but no fork, exit_group but no exit. Infact, fork calls clone and then makes some special set. They're different, fork means parents and children, while clone means calling and callee, which allows to share sth between caller and callee. Both fork and clone makes a new process, pthread makes tasks and is called thread. Pid is factually task id. Now the 3 coroutines works well, and I've get a process tree by map[int]*process. Here hides some questions: - is it right for 2nd corutine to send to 3rd as long as eoe? - how to make the delay between exit_group and deletePid clear and suitable? Next works: - Change the pids from map into DataBase, which means that we should devide front-end and back-end. Besides, when you delete sth(such as process exit), don't delete from databese, instead just make a tag and record their exit code. In other words, we judge if it's alive not by entry existance but exit tag. - Make containers recorded, for instance, rootFS, root-process, name, id, etc.. And record them in map, maintain this database table.
2024-07-18Mainly finish the second coroutine, organize eventWe-unite4-5/+262
As is planed, the first coroutine throw rae event infomation to the second, and it organizes all info for the same event accroding to event id, which is unique without shutdown of this computer. There's several defficuties I've encountered, so I list their solution here to remeber: - raw info from 1st coroutine is correct, but wrong when 2nd gets it; or it's correct while recieved, then regular expr goes to match it, the first match is inline with expectations, but the next match goes totally wrong, and the info is different from what is received. Look into the src of go-libaudit, we'll find out that when heard from netlink socket, the read buffer is always the same slice, it first received a long data, then **pass the origin slice to rawEvent.Data**, and then received a shorter data. rawEvent.Data is passed to 2nd coruntine as **a pointer to rawEvent**, which means all this 3 process use the same part of memory. Then, when a shorter info comes from socket, the slice won't be moved, otherwise it write aigin to this part of mem, then coroutine 2 will get a dirty data. To deal with it, we change the type of channel from pointer to interface, and make a deep copy of rawEvent before passing down. As a result, the 2nd coroutine gets a copy of message but not origin, it finally comes right. - While designing a regular expr, it's thought correct but miss matched from the right string. There maybe sth wrong that can't be discovered by people's eye, you can try to rewrite the expr, then it may be fixed. Also, there's some hidden dangers: - 2nd coroutine comes with no error checks althouth err variable is set and catched ubder the rules of compiler. we **shall** make it later. - Is it reasonable to pass cooked event info immediately to 3rd coroutine without waiting some time? Info from network is out of order after all. Fight! Fight! Fight!