Linux – sudo pgrep -f matches arbitrary strings and returns increasing pids

linuxprocprocessps

While debugging an related issue, I noticed that pgrep was returning a PID for seemingly arbitrary command-line patterns, e.g.:

$ sudo pgrep -f "asdf"
13017

$ sudo pgrep -f ";lkj"
13023

$ sudo pgrep -f "qwer"
13035

$ sudo pgrep -f "poiu"
13046

$ sudo pgrep -f "blahblahblah"
14038

$ sudo pgrep -f "$(pwgen 16 1)"
14219

The same command without sudo returned nothing (as expected):

$ pgrep -f blahblahblah

I tried to pipe the PID to ps in order to see what the command was, but that didn't work:

$ sudo pgrep -f blahblahblah | xargs ps -f -p
UID        PID  PPID  C STIME TTY          TIME CMD

It looks as though the process terminates too quickly. Then I tried using ps and grep, but that didn't work either (i.e. there were no results):

$ sudo ps -e -f | grep [a]sdf

$ sudo ps -e -o command | grep asdf
grep asdf

I also noticed that if I reran the command quickly enough then it seemed as though the PID was steadily climbing:

$ for i in $(seq 1 10); do sudo pgrep -f $(pwgen 4 1); done
14072
14075
14078
14081
14084
14087
14090
14093
14096
14099

$ for i in $(seq 1 10); do sudo pgrep -f blahblahblah; done
13071
13073
13075
13077
13079
13081
13083
13085
13087
13089

As a sanity check I tried using find and grep to search the proc directory:

$ sudo find /proc/ -regex '/proc/[0-9]+/cmdline' -exec grep adsfasdf {} \;
Binary file /proc/14113/cmdline matches
Binary file /proc/14114/cmdline matches

$ sudo find /proc/ -regex '/proc/[0-9]+/cmdline' -exec grep adsfasdf {} \;
Binary file /proc/14735/cmdline matches
Binary file /proc/14736/cmdline matches

Again it seems that the PID is climbing and that the cmdline matches arbitrary strings.

I tried this out on both CentOS 6.7 and on Ubuntu 12.04 with the same results. When I tried similar experiments on my Mac the tests came back negative – no mystery processes.

What's going on here?

Best Answer

It's showing the sudo process i.e. the PID is the PID of the sudo process that is the parent of the pgrep command you are running by putting after sudo. As you are searching in the whole command line (by -f), the sudo process pops up in the output because the string (pattern) is also a part of the original sudo command.

By using the -l and -a (if your pgrep supports), you would get a better idea.

Test:

% sudo pgrep -af "asdf"
4560 sudo pgrep -af asdf

% sudo pgrep -lf "asdf"
4562 sudo

% pgrep -af "asdf" 
%

Related Solutions

The program pstree and htop showing threads with unique PIDS. How is this possible

The mistake was to presume those numbers were PIDS, when in fact they are TIDS (thread IDs). See Linux function gettid(2). Reading up on clone(2) gives a lot of extra (and interesting) details.

Linux – filter out certain processes and/or pids in ftrace

I figured out how to do what I was describing, but it was a bit counter-intuitive, so I'm posting the answer here for people who might hit this page when searching (tl:dr; at bottom). As far as I know, there is no blanket way to just filter out processes with a certain PID from ftrace as easily as it is to tell it to ONLY consider processes with a certain PID, but in my case, I only care about raw system calls (sys_enter) and I found out how to eliminate records with certain PIDs from being included for those and this is how:

The ftrace directory is:

/sys/kernel/debug/tracing/

Inside, there is a directory called "events." From here, you can see all the things that ftrace can trace, but for my case, I go into "raw_syscalls."

Within raw_syscalls," the two subdirectories are sys_enter and sys_exit.

Within sys_enter (and sys_exit, for that matter), there are the following files:

enable

filter

format

id

trigger

"filter" is the one we care most about right now, but format has useful information regarding the fields of an entry produced by ftrace when sys_enter is enabled:

name: sys_enter
ID: 17
format:
    field:unsigned short common_type;   offset:0;   size:2; signed:0;
    field:unsigned char common_flags;   offset:2;   size:1; signed:0;
    field:unsigned char common_preempt_count;   offset:3;   size:1; signed:0;
    field:int common_pid;   offset:4;   size:4; signed:1;

    field:long id;  offset:8;   size:8; signed:1;
    field:unsigned long args[6];    offset:16;  size:48;    signed:0;

Here, we care about common_pid.

If you want your trace to omit records from a process with PID n, you would edit

/sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/filter

To read:

common_pid != n

If the program you're trying to ignore while tracing has multiple threads or multiple processes, you just use the && operator. Say you want to omit processes with PIDs n, o, and p, you would edit the file so that it reads:

common_pid != n && common_pid != o && common_pid != p

To clear a filter, you just write "0" to the file:

echo "0" > /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/filter

...would do the trick.

enable has to contain "1" for the event you're tracing as well as tracing_on in the ftrace directory. Writing in 0 turns tracing of that event (or all tracing in the case of tracing_on) off.

Writing to these files requires root permissions.

That's about all I can think of. Thanks to anyone who read/voted on this and I hope my answer helps someone. If anyone knows a way that makes the way I did it look stupid, feel free to call me out.

tl;dr: to filter out records from process 48, write:

common_pid != 48

...to

/sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/filter

Filter multiple PIDs (eg. 48, 49, 53, 58) by writing this instead:

common_pid != 48 && common_pid != 49 && common_pid != 53 && common_pid !=58

Replace "events/raw_syscalls/sys_enter" with your desired event and replace my numbers with whatever PIDs you want to ignore.

Best Answer

Related Solutions

The program pstree and htop showing threads with unique PIDS. How is this possible

Linux – filter out certain processes and/or pids in ftrace

Related Question