Process Monitoring – Print PIDs and Names of Processes as They Are Created

monitoringprocess

From the question here, the OP wants to repeatedly poll the pid of a process using pidof in a shell script. Of course this is inefficient as a new process must be started for the pidof program multiple times per second (I don't know that this is the cause of the CPU spikes in the question, but it seems likely).

Usually the way around this kind of thing in a shell script is to work with a single program that outputs the data you need on stdout and then doing some text processing if necessary. While this involves more programs to be running concurrently, it is likely to be less CPU intensive since new processes are not being continually created to for polling purposes.

So for the above question, one solution might be to have some program which outputs the names and pids of processes as they are created. Then you could do something like:

pids-names |
  grep some_program |
  cut -f 2 |
  while read pid; do
    process-pid "$pid"
  done

The problem with this is that it raises a more fundamental question, how can pids and process names be printed as they are created?

I have found a program called ps-watcher, though the problem with this is that it is just a perl script which repeatedly runs ps so it doesn't really solve the problem. Another option is to use auditd which could probably work if the log was processed directly via tail -f. An ideal solution would be simpler and more portable than this, though I will accept an auditd solution if it is the best option.

Best Answer

Linux-specific answer:

perf-tools contains an execsnoop that does exactly this. It uses various Linux-specific features such as ftrace. On Debian, its in the perf-tools-unstable package.

Example of me running man cat in another terminal:

root@Zia:~# execsnoop 
TIME        PID   PPID ARGS
17:24:26  14189  12878 man cat 
17:24:26  14196  14189 tbl 
17:24:26  14195  14189 preconv -e UTF-8 
17:24:26  14199  14189 /bin/sh /usr/bin/nroff -mandoc -Tutf8 
17:24:26  14200  14189 less 
17:24:26  14201  14199 locale charmap 
17:24:26  14202  14199 groff -mtty-char -Tutf8 -mandoc 
17:24:26  14203  14202 troff -mtty-char -mandoc -Tutf8 
17:24:26  14204  14202 grotty

I doubt there is a portable way to do this.

Related Solutions

Resource (CPU time and memory) limitation and termination of a process upon violation in Linux

The setrlimit(2) syscall is relevant to limit resources (CPU time -integral number of seconds, so at least 1 sec- with RLIMIT_CPU, file size with RLIMIT_FSIZE, address space with RLIMIT_AS, etc...). You could also set up disk quotas. The wait4(2) syscall tells you -and gives feedback- about some resource usage. And proc(5) tells you a lot more, and also getrusage(2) (you might code some monitor which periodically stops the entire process group using SIGSTOP, call getrusage or query /proc/$PID/, then send SIGCONT -to continue- or SIGTERM -to terminate- to that process group).

The valgrind tool is very useful on Linux to help finding memory leaks. And strace(1) should be helpful too.

If you can recompile the faulty software, you could consider -fsanitize=address and -fsanitize=undefined and other -fsanitize=... options to a recent version of the GCC compiler.

Perhaps you have some batch processing. Look for batch monitors, or simply code your own thing in C, Python, Ocaml, Perl, .... (which forks the command, and loop on monitoring it...). Maybe you want some process accounting (see acct(5) & sa(8)...)

Notice that "amount of memory used" (a program generally allocates with mmap & releases memory with munmap to the kernel while running) and "CPU time" (see time(7), think of multi-threaded programs ...) are very fuzzy concepts.

See also PAM and configure things under /etc/security/ ; perhaps inotify(7) might also be helpful (but probably not).

Linux – filter out certain processes and/or pids in ftrace

I figured out how to do what I was describing, but it was a bit counter-intuitive, so I'm posting the answer here for people who might hit this page when searching (tl:dr; at bottom). As far as I know, there is no blanket way to just filter out processes with a certain PID from ftrace as easily as it is to tell it to ONLY consider processes with a certain PID, but in my case, I only care about raw system calls (sys_enter) and I found out how to eliminate records with certain PIDs from being included for those and this is how:

The ftrace directory is:

/sys/kernel/debug/tracing/

Inside, there is a directory called "events." From here, you can see all the things that ftrace can trace, but for my case, I go into "raw_syscalls."

Within raw_syscalls," the two subdirectories are sys_enter and sys_exit.

Within sys_enter (and sys_exit, for that matter), there are the following files:

enable

filter

format

id

trigger

"filter" is the one we care most about right now, but format has useful information regarding the fields of an entry produced by ftrace when sys_enter is enabled:

name: sys_enter
ID: 17
format:
    field:unsigned short common_type;   offset:0;   size:2; signed:0;
    field:unsigned char common_flags;   offset:2;   size:1; signed:0;
    field:unsigned char common_preempt_count;   offset:3;   size:1; signed:0;
    field:int common_pid;   offset:4;   size:4; signed:1;

    field:long id;  offset:8;   size:8; signed:1;
    field:unsigned long args[6];    offset:16;  size:48;    signed:0;

Here, we care about common_pid.

If you want your trace to omit records from a process with PID n, you would edit

/sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/filter

To read:

common_pid != n

If the program you're trying to ignore while tracing has multiple threads or multiple processes, you just use the && operator. Say you want to omit processes with PIDs n, o, and p, you would edit the file so that it reads:

common_pid != n && common_pid != o && common_pid != p

To clear a filter, you just write "0" to the file:

echo "0" > /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/filter

...would do the trick.

enable has to contain "1" for the event you're tracing as well as tracing_on in the ftrace directory. Writing in 0 turns tracing of that event (or all tracing in the case of tracing_on) off.

Writing to these files requires root permissions.

That's about all I can think of. Thanks to anyone who read/voted on this and I hope my answer helps someone. If anyone knows a way that makes the way I did it look stupid, feel free to call me out.

tl;dr: to filter out records from process 48, write:

common_pid != 48

...to

/sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/filter

Filter multiple PIDs (eg. 48, 49, 53, 58) by writing this instead:

common_pid != 48 && common_pid != 49 && common_pid != 53 && common_pid !=58

Replace "events/raw_syscalls/sys_enter" with your desired event and replace my numbers with whatever PIDs you want to ignore.

Best Answer

Related Solutions

Resource (CPU time and memory) limitation and termination of a process upon violation in Linux

Linux – filter out certain processes and/or pids in ftrace

Related Question