monitor

Documentation

Index

• Constants
• Variables
• func GetArgs(dataBuff *bytes.Buffer, Argnum int32) ([]interface{}, error)
• func Min(a, b int) int
• type ContextCombined
• type NsKey
• type SyscallContext
• type SystemMonitor
  • func NewSystemMonitor(node tp.Node, logger *fd.Feeder, containers *map[string]tp.Container, ...) *SystemMonitor
  • func (mon *SystemMonitor) AddActiveHostPid(hostPid uint32, node tp.PidNode)
  • func (mon *SystemMonitor) AddActivePid(containerID string, node tp.PidNode)
  • func (mon *SystemMonitor) AddContainerIDToNsMap(containerID string, pidns, mntns uint32)
  • func (mon *SystemMonitor) BuildLogBase(msg ContextCombined) tp.Log
  • func (mon *SystemMonitor) BuildPidNode(ctx SyscallContext, execPath string, args []string) tp.PidNode
  • func (mon *SystemMonitor) CleanUpExitedHostPids()
  • func (mon *SystemMonitor) DeleteActiveHostPid(hostPid uint32)
  • func (mon *SystemMonitor) DeleteActivePid(containerID string, ctx SyscallContext)
  • func (mon *SystemMonitor) DeleteContainerIDFromNsMap(containerID string)
  • func (mon *SystemMonitor) DestroySystemMonitor() error
  • func (mon *SystemMonitor) GetExecPath(containerID string, pid uint32) string
  • func (mon *SystemMonitor) GetExecPathWithHostPID(containerID string, hostPid uint32) string
  • func (mon *SystemMonitor) GetHostExecPath(hostPid uint32) string
  • func (mon *SystemMonitor) InitBPF() error
  • func (mon *SystemMonitor) LookupContainerID(pidns, mntns, ppid, pid uint32) string
  • func (mon *SystemMonitor) TraceHostSyscall()
  • func (mon *SystemMonitor) TraceSyscall()
  • func (mon *SystemMonitor) UpdateContainerInfoByContainerID(log tp.Log) tp.Log
  • func (mon *SystemMonitor) UpdateHostLogs()
  • func (mon *SystemMonitor) UpdateLogs()

Constants

const (
	SysOpen   = 2
	SysOpenAt = 257
	SysClose  = 3

	SysSocket  = 41
	SysConnect = 42
	SysAccept  = 43
	SysBind    = 49
	SysListen  = 50

	SysExecve   = 59
	SysExecveAt = 322
	DoExit      = 351
)

System Call Numbers

const (
	PermissionDenied = -13
	MaxStringLen     = 4096
)

SystemMonitor Constant Values

Variables

var StopChan chan struct{}

StopChan Channel

Functions

func GetArgs

func GetArgs(dataBuff *bytes.Buffer, Argnum int32) ([]interface{}, error)

GetArgs Function

func Min

func Min(a, b int) int

Min Function

Types

type ContextCombined

type ContextCombined struct {
	ContainerID string
	ContextSys  SyscallContext
	ContextArgs []interface{}
}

ContextCombined Structure

type NsKey

type NsKey struct {
	PidNS uint32
	MntNS uint32
}

NsKey Structure

type SyscallContext

type SyscallContext struct {
	Ts uint64

	PidID uint32
	MntID uint32

	HostPPID uint32
	HostPID  uint32

	PPID uint32
	PID  uint32
	UID  uint32

	EventID int32
	Argnum  int32
	Retval  int64

	Comm [16]byte
}

SyscallContext Structure

type SystemMonitor

type SystemMonitor struct {
	// host
	HostName      string
	KernelVersion string

	// options
	EnableKubeArmorPolicy     bool
	EnableKubeArmorHostPolicy bool

	// logs
	Logger *fd.Feeder

	// container id -> cotnainer
	Containers     *map[string]tp.Container
	ContainersLock **sync.RWMutex

	// container id -> (host) pid
	ActivePidMap     *map[string]tp.PidMap
	ActiveHostPidMap *map[string]tp.PidMap
	ActivePidMapLock **sync.RWMutex

	// PidID + MntID -> container id
	NsMap     map[NsKey]string
	NsMapLock *sync.RWMutex

	// system monitor (for container)
	BpfModule *bcc.Module

	// context + args (for container)
	ContextChan chan ContextCombined

	// process + file (for container)
	SyscallChannel     chan []byte
	SyscallLostChannel chan uint64
	SyscallPerfMap     *bcc.PerfMap

	// host pid
	ActiveHostMap     *map[uint32]tp.PidMap
	ActiveHostMapLock **sync.RWMutex

	// system monitor (for host)
	HostBpfModule *bcc.Module

	// context + args (for host)
	HostContextChan chan ContextCombined

	// process + file (for host)
	HostSyscallChannel     chan []byte
	HostSyscallLostChannel chan uint64
	HostSyscallPerfMap     *bcc.PerfMap

	// lists to skip
	UntrackedNamespaces []string

	UptimeTimeStamp float64
	HostByteOrder   binary.ByteOrder

	// ticker to clean up exited pids
	Ticker *time.Ticker

	// GKE
	IsCOS bool
}

SystemMonitor Structure

func NewSystemMonitor

func NewSystemMonitor(node tp.Node, logger *fd.Feeder, containers *map[string]tp.Container, containersLock **sync.RWMutex,
	activePidMap *map[string]tp.PidMap, activeHostPidMap *map[string]tp.PidMap, activePidMapLock **sync.RWMutex,
	activeHostMap *map[uint32]tp.PidMap, activeHostMapLock **sync.RWMutex) *SystemMonitor

NewSystemMonitor Function

func (*SystemMonitor) AddActiveHostPid

func (mon *SystemMonitor) AddActiveHostPid(hostPid uint32, node tp.PidNode)

AddActiveHostPid Function

func (*SystemMonitor) AddActivePid

func (mon *SystemMonitor) AddActivePid(containerID string, node tp.PidNode)

AddActivePid Function

func (*SystemMonitor) AddContainerIDToNsMap

func (mon *SystemMonitor) AddContainerIDToNsMap(containerID string, pidns, mntns uint32)

AddContainerIDToNsMap Function

func (*SystemMonitor) BuildLogBase

func (mon *SystemMonitor) BuildLogBase(msg ContextCombined) tp.Log

BuildLogBase Function

func (*SystemMonitor) BuildPidNode

func (mon *SystemMonitor) BuildPidNode(ctx SyscallContext, execPath string, args []string) tp.PidNode

BuildPidNode Function

func (*SystemMonitor) CleanUpExitedHostPids

func (mon *SystemMonitor) CleanUpExitedHostPids()

CleanUpExitedHostPids Function

func (*SystemMonitor) DeleteActiveHostPid

func (mon *SystemMonitor) DeleteActiveHostPid(hostPid uint32)

DeleteActiveHostPid Function

func (*SystemMonitor) DeleteActivePid

func (mon *SystemMonitor) DeleteActivePid(containerID string, ctx SyscallContext)

DeleteActivePid Function

func (*SystemMonitor) DeleteContainerIDFromNsMap

func (mon *SystemMonitor) DeleteContainerIDFromNsMap(containerID string)

DeleteContainerIDFromNsMap Function

func (*SystemMonitor) DestroySystemMonitor

func (mon *SystemMonitor) DestroySystemMonitor() error

DestroySystemMonitor Function

func (*SystemMonitor) GetExecPath

func (mon *SystemMonitor) GetExecPath(containerID string, pid uint32) string

GetExecPath Function

func (*SystemMonitor) GetExecPathWithHostPID

func (mon *SystemMonitor) GetExecPathWithHostPID(containerID string, hostPid uint32) string

GetExecPathWithHostPID Function

func (*SystemMonitor) GetHostExecPath

func (mon *SystemMonitor) GetHostExecPath(hostPid uint32) string

GetHostExecPath Function

func (*SystemMonitor) InitBPF

func (mon *SystemMonitor) InitBPF() error

InitBPF Function

func (*SystemMonitor) LookupContainerID

func (mon *SystemMonitor) LookupContainerID(pidns, mntns, ppid, pid uint32) string

LookupContainerID Function

func (*SystemMonitor) TraceHostSyscall

func (mon *SystemMonitor) TraceHostSyscall()

TraceHostSyscall Function

func (*SystemMonitor) TraceSyscall

func (mon *SystemMonitor) TraceSyscall()

TraceSyscall Function

func (*SystemMonitor) UpdateContainerInfoByContainerID

func (mon *SystemMonitor) UpdateContainerInfoByContainerID(log tp.Log) tp.Log

UpdateContainerInfoByContainerID Function

func (*SystemMonitor) UpdateHostLogs

func (mon *SystemMonitor) UpdateHostLogs()

UpdateHostLogs Function

func (*SystemMonitor) UpdateLogs

func (mon *SystemMonitor) UpdateLogs()

UpdateLogs Function