Get parent `pid` (Incorrect comment?)

draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers

http://www.sysdig.com/

Other

7.67k stars 728 forks source link

Get parent `pid` (Incorrect comment?) #910

Open arossert opened 6 years ago

arossert commented 6 years ago

It is stated here that the m_ptid is The id of the process that started this thread. https://github.com/draios/sysdig/blob/b74233243ed9e9ad216a6f1249046fe04a06b177/userspace/libsinsp/threadinfo.h#L214

While in here it stated that it is the The id of the thread that created this thread. https://github.com/draios/sysdig/blob/b74233243ed9e9ad216a6f1249046fe04a06b177/userspace/libscap/scap.h#L205

Is this the pid or tid of the process?

If this is the tid, what would be the best way to get the pid of the current process?

gianlucaborello commented 6 years ago

You are correct, there seems to be an inconsistency. The one from scap is a pid, the one returned by the driver is a tid, so depending on when sysdig starts wrt the fork operation you will experience one behavior or the other.

It can be fixed at the driver level I suppose, making sure we always return the tgid as in scap. Potentially also just a userspace fix in parse_clone_exit will work, by looking up the parent from the tid returned by the driver.

An immediate workaround is also: make sure sysdig is started after the multithreaded fork() operation :)

arossert commented 6 years ago

I have noticed that in filterchecks.cpp when filtered by PPID there is this code:

case TYPE_PPID:
    if(tinfo->is_main_thread())
    {
        return (uint8_t*)&tinfo->m_ptid;
    }
    else
    {
        sinsp_threadinfo* mt = tinfo->get_main_thread();

        if(mt != NULL)
        {
            return (uint8_t*)&mt->m_ptid;
        }
        else
        {
            return NULL;
        }
    }

But if I understand it correctly, we are filtering by the parent thread so if the parent is a multithreaded application, we will not get the PID of the parent, is this the case?

gianlucaborello commented 6 years ago

Same inconsistency as described above: it's a pid if you're fetching the process info from /proc at scap startup, it's a tid if you're getting it from the driver via clone().

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.