mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 16:44:46 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/procmon/cache.go

333 lines
7.3 KiB
Go
Raw Normal View History

procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
package procmon
import (
"fmt"
"os"
"sort"
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
"sync"
Added new processes monitor method: audit Use auditd events to keep a list of PIDs which open sockets, reading them from the audisp af_unix plugin. - Install auditd and audisp-plugins - Enable the af_unix plugin (/etc/audisp-plugin/af_unix, active = yes) - Start opensnitch with -process-monitor-method audit. If the choosen method is audit but it's not active or not installed, it'll fallback to /proc anyway. If it's properly configured, a debug trace will be written to the logs: "PID found via audit events ..."
2020-03-03 23:51:25 +01:00
"time"
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
"github.com/evilsocket/opensnitch/daemon/core"
)
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
// InodeItem represents an item of the InodesCache.
type InodeItem struct {
sync.RWMutex
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
Pid int
FdPath string
LastSeen int64
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
// ProcItem represents an item of the pidsCache
type ProcItem struct {
sync.RWMutex
Added new processes monitor method: audit Use auditd events to keep a list of PIDs which open sockets, reading them from the audisp af_unix plugin. - Install auditd and audisp-plugins - Enable the af_unix plugin (/etc/audisp-plugin/af_unix, active = yes) - Start opensnitch with -process-monitor-method audit. If the choosen method is audit but it's not active or not installed, it'll fallback to /proc anyway. If it's properly configured, a debug trace will be written to the logs: "PID found via audit events ..."
2020-03-03 23:51:25 +01:00
Pid int
FdPath string
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
Descriptors []string
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
LastSeen int64
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
// CacheProcs holds the cache of processes that have established connections.
type CacheProcs struct {
sync.RWMutex
items []*ProcItem
}
// CacheInodes holds the cache of Inodes.
// The key is formed as follow:
// inode+srcip+srcport+dstip+dstport
type CacheInodes struct {
sync.RWMutex
items map[string]*InodeItem
}
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
var (
// cache of inodes, which help to not iterate over all the pidsCache and
// descriptors of /proc/<pid>/fd/
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
// 15-50us vs 50-80ms
// we hit this cache when:
// - we've blocked a connection and the process retries it several times until it gives up,
// - or when a process timeouts connecting to an IP/domain and it retries it again,
// - or when a process resolves a domain and then connects to the IP.
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
inodesCache = NewCacheOfInodes()
maxTTL = 3 // maximum 3 minutes of inactivity in cache. Really rare, usually they lasts less than a minute.
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
// 2nd cache of already known running pids, which also saves time by
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
// iterating only over a few pids' descriptors, (30us-20ms vs. 50-80ms)
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
// since it's more likely that most of the connections will be made by the
// same (running) processes.
Added new processes monitor method: audit Use auditd events to keep a list of PIDs which open sockets, reading them from the audisp af_unix plugin. - Install auditd and audisp-plugins - Enable the af_unix plugin (/etc/audisp-plugin/af_unix, active = yes) - Start opensnitch with -process-monitor-method audit. If the choosen method is audit but it's not active or not installed, it'll fallback to /proc anyway. If it's properly configured, a debug trace will be written to the logs: "PID found via audit events ..."
2020-03-03 23:51:25 +01:00
// The cache is ordered by time, placing in the first places those PIDs with
// active connections.
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
pidsCache CacheProcs
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
pidsDescriptorsCache = make(map[int][]string)
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
cacheTicker = time.NewTicker(2 * time.Minute)
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
)
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
// CacheCleanerTask checks periodically if the inodes in the cache must be removed.
func CacheCleanerTask() {
for {
select {
case <-cacheTicker.C:
inodesCache.cleanup()
}
}
}
// NewCacheOfInodes returns a new cache for inodes.
func NewCacheOfInodes() *CacheInodes {
return &CacheInodes{
items: make(map[string]*InodeItem),
}
}
//******************************************************************************
// items of the caches.
func (i *InodeItem) updateTime() {
i.Lock()
i.LastSeen = time.Now().UnixNano()
i.Unlock()
}
func (i *InodeItem) getTime() int64 {
i.RLock()
defer i.RUnlock()
return i.LastSeen
}
func (p *ProcItem) updateTime() {
p.Lock()
p.LastSeen = time.Now().UnixNano()
p.Unlock()
}
func (p *ProcItem) updateDescriptors(descriptors []string) {
p.Lock()
p.Descriptors = descriptors
p.Unlock()
}
//******************************************************************************
// cache of processes
func (c *CacheProcs) add(fdPath string, fdList []string, pid int) {
c.Lock()
defer c.Unlock()
for n := range c.items {
item := c.items[n]
if item == nil {
continue
}
if item.Pid == pid {
item.updateTime()
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
return
}
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
procItem := &ProcItem{
cache of pids: insert new processes at the top of the list code formatted and documented a little bit.
2020-03-06 23:23:16 +01:00
Pid: pid,
FdPath: fdPath,
Descriptors: fdList,
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
LastSeen: time.Now().UnixNano(),
cache of pids: insert new processes at the top of the list code formatted and documented a little bit.
2020-03-06 23:23:16 +01:00
}
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
c.setItems([]*ProcItem{procItem}, c.items)
}
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
func (c *CacheProcs) sort(pid int) {
item := c.getItem(0)
if item != nil && item.Pid == pid {
return
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
c.RLock()
defer c.RUnlock()
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
sort.Slice(c.items, func(i, j int) bool {
t := c.items[i].LastSeen
u := c.items[j].LastSeen
Added new processes monitor method: audit Use auditd events to keep a list of PIDs which open sockets, reading them from the audisp af_unix plugin. - Install auditd and audisp-plugins - Enable the af_unix plugin (/etc/audisp-plugin/af_unix, active = yes) - Start opensnitch with -process-monitor-method audit. If the choosen method is audit but it's not active or not installed, it'll fallback to /proc anyway. If it's properly configured, a debug trace will be written to the logs: "PID found via audit events ..."
2020-03-03 23:51:25 +01:00
return t > u || t == u
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
})
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
func (c *CacheProcs) delete(pid int) {
c.Lock()
defer c.Unlock()
for n, procItem := range c.items {
if procItem.Pid == pid {
c.setItems(c.items[:n], c.items[n+1:])
inodesCache.delete(pid)
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
break
}
}
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
func (c *CacheProcs) deleteItem(pos int) {
tempItems := c.getItems()
c.setItems(tempItems[:pos], tempItems[pos+1:])
}
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
func (c *CacheProcs) setItems(newItems []*ProcItem, oldItems []*ProcItem) {
c.items = append(newItems, oldItems...)
}
func (c *CacheProcs) getItem(index int) *ProcItem {
c.RLock()
defer c.RUnlock()
if index >= len(c.items) {
return nil
delete inodes cache when a process exits
2020-04-03 00:42:46 +02:00
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
return c.items[index]
delete inodes cache when a process exits
2020-04-03 00:42:46 +02:00
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
func (c *CacheProcs) getItems() []*ProcItem {
return c.items
}
func (c *CacheProcs) countItems() int {
return len(c.items)
}
// loop over the processes that have generated connections
func (c *CacheProcs) getPid(inode int, inodeKey string, expect string) (int, int) {
c.Lock()
defer c.Unlock()
for n, procItem := range c.items {
if procItem == nil {
continue
}
if idxDesc, _ := getPidDescriptorsFromCache(procItem.FdPath, inodeKey, expect, &procItem.Descriptors, procItem.Pid); idxDesc != -1 {
procItem.updateTime()
return procItem.Pid, n
}
descriptors := lookupPidDescriptors(procItem.FdPath, procItem.Pid)
if descriptors == nil {
// FIXME: out of bounds may occur
c.setItems(c.items[:n], c.items[n+1:])
continue
}
procItem.updateDescriptors(descriptors)
if idxDesc, _ := getPidDescriptorsFromCache(procItem.FdPath, inodeKey, expect, &descriptors, procItem.Pid); idxDesc != -1 {
procItem.updateTime()
return procItem.Pid, n
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
}
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
return -1, -1
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
//******************************************************************************
// cache of inodes
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
func (i *CacheInodes) add(key, descLink string, pid int) {
i.Lock()
defer i.Unlock()
if descLink == "" {
descLink = fmt.Sprint("/proc/", pid, "/exe")
}
i.items[key] = &InodeItem{
FdPath: descLink,
Pid: pid,
LastSeen: time.Now().UnixNano(),
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
}
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
func (i *CacheInodes) delete(pid int) {
i.Lock()
defer i.Unlock()
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
for k, inodeItem := range i.items {
if inodeItem.Pid == pid {
delete(i.items, k)
}
}
}
func (i *CacheInodes) getPid(inodeKey string) int {
if item, ok := i.isInCache(inodeKey); ok {
Fix random typos Found via `codespell v2.1.dev0` `codespell -q 3 -L ans`
2020-12-23 13:24:59 -05:00
// sometimes the process may have disappeared at this point
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
if _, err := os.Lstat(item.FdPath); err == nil {
item.updateTime()
return item.Pid
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
pidsCache.delete(item.Pid)
i.delItem(inodeKey)
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
}
return -1
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
func (i *CacheInodes) delItem(inodeKey string) {
i.Lock()
defer i.Unlock()
delete(i.items, inodeKey)
}
func (i *CacheInodes) getItem(inodeKey string) *InodeItem {
i.RLock()
defer i.RUnlock()
return i.items[inodeKey]
}
func (i *CacheInodes) getItems() map[string]*InodeItem {
i.RLock()
defer i.RUnlock()
return i.items
}
func (i *CacheInodes) isInCache(inodeKey string) (*InodeItem, bool) {
i.RLock()
defer i.RUnlock()
if item, found := i.items[inodeKey]; found {
return item, true
}
return nil, false
}
func (i *CacheInodes) cleanup() {
now := time.Now()
i.Lock()
defer i.Unlock()
for k := range i.items {
lastSeen := now.Sub(
time.Unix(0, i.items[k].getTime()),
)
if core.Exists(i.items[k].FdPath) == false || int(lastSeen.Minutes()) > maxTTL {
delete(i.items, k)
}
}
}
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
func getPidDescriptorsFromCache(fdPath, inodeKey, expect string, descriptors *[]string, pid int) (int, *[]string) {
cache improvements - update the descriptors/inodes of a PID when it's found in cache. - when a descriptor/inode is found in cache, push it to the top of the descriptors list. The next time it's found in cache it'll be in the 1st position of the list, saving CPU time. - added test cases and benchmark helpers to help analyzing performance.
2021-03-19 19:05:45 +01:00
for fdIdx := 0; fdIdx < len(*descriptors); fdIdx++ {
descLink := fmt.Sprint(fdPath, (*descriptors)[fdIdx])
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
if link, err := os.Readlink(descLink); err == nil && link == expect {
cache improvements - update the descriptors/inodes of a PID when it's found in cache. - when a descriptor/inode is found in cache, push it to the top of the descriptors list. The next time it's found in cache it'll be in the 1st position of the list, saving CPU time. - added test cases and benchmark helpers to help analyzing performance.
2021-03-19 19:05:45 +01:00
if fdIdx > 0 {
// reordering helps to reduce look up times by a factor of 10.
fd := (*descriptors)[fdIdx]
*descriptors = append((*descriptors)[:fdIdx], (*descriptors)[fdIdx+1:]...)
*descriptors = append([]string{fd}, *descriptors...)
}
cache, pids/inodes: fixed race conditions, improvements - Fixed multiple race conditions when using the cache of PIDs. - Improved the chances to hit the cache of inodes, which helps to keep down the times to get the PID of a connection to <= 30us. These caches are mainly used when not using "ebpf" proc monitor method.
2021-07-21 15:04:23 +02:00
if _, ok := inodesCache.isInCache(inodeKey); ok {
inodesCache.add(inodeKey, descLink, pid)
more cache improvements - don't clean cache by number of items. - clean inodes from cache every 2' if the descriptor symlink doesn't exist anymore, or if the lastSeen time is more than 5 minutes. - launch cache cleaners before start a new process monitoring method, and start it only once for the life time of the daemon. - do not store in cache the Time objects, only the nanoseconds of the last updated time. - if the inode of a connection is found in cache, reorder the descriptors to push the descritptor to the top of the list. Also add cached the inode. It turns out that when a new connection is about to be established, when the process resolves the domain, the same inode is used to open the tcp connection to the target. So if it's cached we save CPU cycles. This also occurs when we block a connection and the process retries it, or when a connection timeouts and the process retries it (telnet 1.1.1.1).
2021-03-24 01:16:47 +01:00
}
cache improvements - update the descriptors/inodes of a PID when it's found in cache. - when a descriptor/inode is found in cache, push it to the top of the descriptors list. The next time it's found in cache it'll be in the 1st position of the list, saving CPU time. - added test cases and benchmark helpers to help analyzing performance.
2021-03-19 19:05:45 +01:00
return fdIdx, descriptors
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
}
}
cache improvements - update the descriptors/inodes of a PID when it's found in cache. - when a descriptor/inode is found in cache, push it to the top of the descriptors list. The next time it's found in cache it'll be in the 1st position of the list, saving CPU time. - added test cases and benchmark helpers to help analyzing performance.
2021-03-19 19:05:45 +01:00
return -1, descriptors
procmon: split cache functionality to a new file
2020-02-20 09:58:19 +01:00
}
Reference in a new issue Copy permalink