From f055b3940f999c2e26448812e67b68da363dcbad Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Wed, 17 Jul 2024 11:47:03 +0800 Subject: Initial commit This repo is to supervise all processes in containers, in other words inspect behaviors of dockers, and get the pid tree. There are several ways for programs in user space to intereact with kernel space: - system calls, which can be found out in source path arch/x86/syscalls - ioctl - /proc virtual file system, to read kernel realtime info - nerlink socket the pid we should pay attention to is /usr/bin/containerd, which may come from service docker-daemon and ppid is 1. Each time a docker is start or stop, this forks a pid, the pid then forks, that's the main process of the docker. To grub the info of pid create or exit, this program is based on go-libauditd, which uses netlink socket to hear from kernel about audit log. What's worrying is that one event is always devided into several entries, and several events may be received alternately. So, from my point of view, which program has 3 coroutines and 2 channels. the first receives raw event message from audit, then throw it to channel 1; the second listen to channel 1, and organizes each event until there's a EOE, then throw to channel 2; the third discover event from channel 2, deal with th event, such as create or delete pid. Specially, since two relative infomation(pid 1 fork pid2, then pid 1 exits)may comes out of order, deletion mast be delayed for some time(may 1 second), to keep the process tree correct. --- build.sh | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100755 build.sh (limited to 'build.sh') diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..8bdadb3 --- /dev/null +++ b/build.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +set -e +docker_api_version=$(docker version) +docker_api_version=$(docker version | grep API | head -n 1 | awk '{print $3}') +echo "Docker API version is $docker_api_version..." +export DOCKER_API_VERSION=$docker_api_version \ No newline at end of file -- cgit v1.2.3-70-g09d2