Comments (4)
Ok, thanks for the info 👍 For now, BPF based solution seems the best way for us to go.
from snoopy.
Hey @serkan-ozal,
What's the actual use case that you'd want to solve with such a feature? Personally, I've never needed such information from Snoopy, because I was able to tell, from the command itself, for how long it has been running - it's either in the order of seconds, or days/weeks. In the past, for the stuff that I needed the execution time (it was a PHP application), I've built those measurements into the PHP itself.
Technicalities
First of all, Snoopy's current approach to operation is kinda hands-off:
- It gets preloaded into the program's memory.
- It simply intercepts calls to exec()/execve(),
- It logs what's about to be executed,
- Then it continues with the actual execv()/execve() call.
At that point, Snoopy is out of the picture again and doing nothing until execv()/execve() is (potentially) called again. Snoopy also keeps no state information.
Also, in the child process, up to this point, Snoopy does nothing:
- It is simply preloaded by the dynamic loader.
- And then it waits for the first execv()/execve() call.
Meanwhile the child process is doing whatever it is doing.
Technically (to some extent, according to my quick googling) what you're asking for may be doable with:
- The atexit() libc facility from within the child, but it may not work in exactly the cases you'd need it the most - see first paragraph in the "Notes" section,
- Or by trying to hook into the parent's handling of child exit routine (wait()/waitpid()), but by then, most of the information of the child process might already be gone (meaning we'd need to keep a state internally with that information stored, which is another can of worms).
Please describe your use case and let's then discuss further.
PS: Have you checked alternative solutions for this, things like Linux' implementation of BSD process accounting, Linux's auditd subsystem or maybe even a BPF?
from snoopy.
Hi @bostjan,
The use case is that we want to trace processes with their
- name,
- start time,
- end time (or duration),
- args,
- exit code
In addition to snoopy, we have also considered using process accounting, auditd and BPF. However, as far as we have experimented, currently only BPF based https://github.com/iovisor/bcc/blob/master/tools/exitsnoop.py does what we want to be able to get process exit time with its exit code.
from snoopy.
Haha, @serkan-ozal, I had more the "why, to what purpose?" question in mind, not the details of what you'd want to be collected to fulfil said purpose. :) (BTW feel free to not share this information, I understand it might be considered private.)
That said, and given how Snoopy currently (and since forever) operates, I don't think this feature is a good fit for Snoopy's current internal architecture. Refactoring from ld.so.preload-based(-only) operation to BPF (for triggers) + daemon (for trigger consumption + log event creation) is no small feat, and it's probably simpler to just create a new tool, something similar to exitsnoop you found.
from snoopy.