Hello!
I am trying to study and monitor container behaviour and am using BCC/eBPF
to do so. Ultimately my goal is to be able to identify containers and the
processes running in those containers.
Up to now I have been using kprobe to intercept meaningful syscalls and
return the pid of the process to userspace. I then look into /proc/$pid/exe
to analyse the executable and into /proc/$pid/cgroup to retrieve the id of
the parent container of the process.
My program would look like this:
###########################################################
#!/usr/bin/python
from bcc import BPF

prog = """
int hello(void *ctx) {
    /* any non-empty marker will do: only the pid field is used in userspace */
    bpf_trace_printk("sync\\n");
    return 0;
}
"""

b = BPF(text=prog)
# Understand sys_sync as 'any syscall we would deem meaningful to filter upon'.
# get_syscall_fnname() resolves the platform prefix (sys_sync / __x64_sys_sync).
b.attach_kprobe(event=b.get_syscall_fnname("sync"), fn_name="hello")

while 1:
    try:
        (task, pid, cpu, flags, ts, msg) = b.trace_fields()
        with open("/proc/%d/exe" % pid, "rb") as exe:
            # Analyse /proc/pid/exe
            pass
        with open("/proc/%d/cgroup" % pid, "rb") as cgroup:
            # Analyse /proc/pid/cgroup
            pass
    except (ValueError, IOError):
        # ValueError: unparsable trace line; IOError: /proc/<pid> already gone
        continue
###########################################################
The main issue is that some processes are extremely fast and /proc/$pid/ is
created and removed before I can read the information I need from cgroup
and exe.
I tried reading the executable from its real path (instead of the symlink
/proc/$pid/exe) but this requires opening and reading several files to
determine the real path to the executable and slowed my whole process even
more.
Is there a more efficient way of accessing the binary that is executed in a
container and the id of the container itself? Would it be possible to get
some of that information from the kernel?
Thank you in advance.
Maxime
_______________________________________________
iovisor-dev mailing list
[email protected]
https://lists.iovisor.org/mailman/listinfo/iovisor-dev
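The race described in the post (the process exits before /proc/<pid>/exe and /proc/<pid>/cgroup can be read) goes away if the exec path and the cgroup identity are captured in the kernel at execve() time and handed to userspace through a perf buffer, instead of being looked up afterwards. The following is an added example, not code from the original post or from the BCC project. It assumes a Linux kernel of 4.18 or later with the traced tasks in a cgroup v2 hierarchy (bpf_get_current_cgroup_id needs both), CONFIG_FTRACE_SYSCALLS for the syscalls:sys_enter_execve tracepoint, a BCC release that provides bpf_probe_read_user_str, and root privileges. The container id below is a constructed 64-hex value, not a real container, and the rule that a pre-5.5 cgroup id carries a generation counter in its high 32 bits is an assumption stated in the code:

```python
#!/usr/bin/python3
# Added example, not code from the original post or from the BCC project.
# Assumptions: Linux >= 4.18 with tasks in a cgroup v2 hierarchy (needed by
# bpf_get_current_cgroup_id), BCC with bpf_probe_read_user_str, run as root.
import os
import re
import shutil
import sys
import tempfile

# The BPF side does in the kernel what the post does from /proc: the exec path
# and the cgroup id are read at execve() entry, so a process that exits
# microseconds later is still attributed correctly.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>

struct exec_event_t {
    u32 pid;
    u32 ppid;
    u64 cgroup_id;            /* id (inode number) of the task's cgroup v2 directory */
    char comm[TASK_COMM_LEN];
    char filename[256];       /* execve() path argument, copied from user memory */
};

BPF_PERF_OUTPUT(events);

TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct exec_event_t data = {};
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();

    data.pid = bpf_get_current_pid_tgid() >> 32;
    data.ppid = task->real_parent->tgid;
    data.cgroup_id = bpf_get_current_cgroup_id();
    bpf_get_current_comm(&data.comm, sizeof(data.comm));
    /* Entry probe: this is the requested path; the exec itself may still fail. */
    bpf_probe_read_user_str(&data.filename, sizeof(data.filename),
                            (void *)args->filename);
    events.perf_submit(args, &data, sizeof(data));
    return 0;
}
"""

# Docker/containerd name cgroups after the 64-hex container id, e.g.
# /docker/<id> (cgroup v1) or /system.slice/docker-<id>.scope (cgroup v2).
CONTAINER_ID_RE = re.compile(r"[0-9a-f]{64}")

def find_container_id(cgroup_text):
    """Return the container id embedded in a cgroup path or in the whole
    text of /proc/<pid>/cgroup, or None for a host process."""
    m = CONTAINER_ID_RE.search(cgroup_text)
    return m.group(0) if m else None

def cgroup_path_from_id(cgroup_id, root="/sys/fs/cgroup"):
    """Resolve a cgroup v2 id from the BPF program back to its directory.
    The id is the directory's inode number; assumption: on kernels before 5.5
    the high 32 bits hold a generation counter, so the low 32 bits are also tried."""
    for dirpath, _dirnames, _files in os.walk(root):
        ino = os.stat(dirpath).st_ino
        if ino in (cgroup_id, cgroup_id & 0xFFFFFFFF):
            return dirpath
    return None

# Constructed samples (fake id, not a real container) used to exercise the helpers.
SAMPLE_ID = "0123456789abcdef" * 4
SAMPLE_CGROUP_V2_DOCKER = "0::/system.slice/docker-%s.scope\n" % SAMPLE_ID
SAMPLE_CGROUP_V1_DOCKER = "12:pids:/docker/%s\n1:name=systemd:/docker/%s\n" % (SAMPLE_ID, SAMPLE_ID)
SAMPLE_CGROUP_HOST = "0::/user.slice/user-1000.slice/session-2.scope\n"

def demo_cgroup_lookup():
    """Exercise cgroup_path_from_id on a throw-away directory tree standing in
    for /sys/fs/cgroup; returns the resolved path relative to that root."""
    root = tempfile.mkdtemp()
    try:
        target = os.path.join(root, "system.slice", "docker-%s.scope" % SAMPLE_ID)
        os.makedirs(target)
        found = cgroup_path_from_id(os.stat(target).st_ino, root=root)
        return os.path.relpath(found, root) if found else None
    finally:
        shutil.rmtree(root)

def main():
    from bcc import BPF   # imported here so the helpers above work without BCC
    b = BPF(text=BPF_PROGRAM)

    def handle_event(cpu, data, size):
        ev = b["events"].event(data)
        cg_path = cgroup_path_from_id(ev.cgroup_id)
        print("pid=%d ppid=%d comm=%s exe=%s cgroup_id=%d cgroup=%s container=%s" % (
            ev.pid, ev.ppid, ev.comm.decode(errors="replace"),
            ev.filename.decode(errors="replace"), ev.cgroup_id, cg_path,
            find_container_id(cg_path or "")))

    b["events"].open_perf_buffer(handle_event)
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return 0

if __name__ == "__main__":
    sys.exit(main())
```

Run as root; every execve() on the host prints one line with the path the kernel was asked to execute, the cgroup id taken from the task itself, and the container id if the cgroup path carries one. If the kprobe on a "meaningful" syscall is still wanted as a filter, the same struct can be filled in that kprobe with bpf_get_current_cgroup_id and bpf_get_current_comm; only the exec path has to be caught at exec time, because that is the one piece of data the kernel does not keep attached to the task in a form a BPF program can read later.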