fche changed the topic of #systemtap to: http://sourceware.org/systemtap; email systemtap@sourceware.org if answers here not timely, conversations may be logged
<agentzh>
tested on fedora 28, centos 6, and centos 7.
<fche>
glancing
<agentzh>
with lockdep enabled too in some test runs.
<agentzh>
great, thanks
<fche>
looks good on paper
<fche>
nothing stands out to me
<agentzh>
great, so good to commit?
zzhm has joined #systemtap
<fche>
go for it
zzhm has quit [Ping timeout: 240 seconds]
zzhm has joined #systemtap
<agentzh>
thanks
_whitelogger has joined #systemtap
irker674 has joined #systemtap
<irker674>
systemtap: yichun systemtap.git:master * release-4.3-19-g469d20e8b / runtime/print_flush.c runtime/transport/relay_v2.c runtime/transport/relayfs.c runtime/transport/ring_buffer.c runtime/transport/transport.c runtime/transport/transport.h staprun/relay.c: PR26131: garbled data might appear in staprun data channel output
_whitelogger has joined #systemtap
derek0883 has joined #systemtap
derek0883 has quit [Remote host closed the connection]
khaled_ has joined #systemtap
hpt has joined #systemtap
_whitelogger has joined #systemtap
irker674 has quit [Quit: transmission timeout]
hpt has quit [Ping timeout: 246 seconds]
mjw has joined #systemtap
zzhm has quit [Ping timeout: 246 seconds]
zzhm has joined #systemtap
gromero has quit [Quit: Leaving]
khaled_ has quit [Ping timeout: 256 seconds]
khaled_ has joined #systemtap
axel12 has joined #systemtap
<axel12>
Hello everyone. I was wondering if it is possible to log syscalls from processes that are in a different control group namespace. Or in other words, I want to get the syscalls from a process inside a docker container. Does anybody know anything concerning that topic? I tried probing nd_syscall.* but syscalls from the docker container don't seem to show up in there.
<axel12>
Is this the right place to ask such a question?
<fche>
axel12, hi
<fche>
that should work; syscalls are often intercepted system-wide
hpt has joined #systemtap
<axel12>
fche, that's also what I thought. But it kind of does not work. I am actually talking about cuckoo (a malware analysis tool) which uses systemtap. https://github.com/cuckoosandbox/cuckoo/blob/master/stuff/systemtap/strace.stp So I run a docker container while this script is running and I see syscalls from docker, but only the ones from the docker daemon starting it etc.
<fche>
notice how that script has conditionals in the probes to filter events?
<fche>
if (!target_set_pid(pid())) next <<< e.g.
<axel12>
yes
<fche>
so remove that filtering if you don't want filtering :)
<axel12>
I did, it does not help. Also found out what they are for. They keep systemtap from logging itself XD
<fche>
there are other ways to do that
<fche>
if (execname() =~ "stap.*") next e.g.
<axel12>
Well yes, that would probably be better. On the other hand, then malware could name a process stap and it would not be logged XD
<fche>
yeah. so if you really do not want staprun/stapio traffic but want everything else, you'd probably need to filter a little more carefully
<fche>
e.g. have a procfs probe that lets userspace write pid#'s to exclude
<fche>
I'm pretty sure we have an example someplace for that
<fche>
so basically you could have a dynamic blacklist / whitelist of pids to filter in or out,
<fche>
managed by procfs files
<fche>
kind of like the syscalls_nonreturn[] map used in that script
<axel12>
Ok, so I also tried removing them. However, then the file was so big I could not transfer it (because it ran in a loop). But really, I am sure that those checks should not be an issue. I mean the target is set to the process starting staprun and all children of this process are excluded, that being staprun and all its children. I don't see any way that could filter out processes in docker containers.
<fche>
the target_set_pid() construct is normally used for tracking process hierarchies spawned by systemtap as in stap SCRIPT.stp -c COMMAND
<fche>
it's not suited for third-party process hierarchies, where stap did not create the parent
<fche>
so in docker, it's a dockerd server that will create the process, so this stap construct would filter those processes out of the trace
<axel12>
ok, well then I guess I'll try your if (execname() =~ "stap.*") and see if that resolves it.
<fche>
worth a shot
<axel12>
And if that works I'll look into the other, better way you suggested ;D
<fche>
yeah
<fche>
stap is highly programmable, so if you can describe an algorithm for selecting the processes of interest, you can probably code that up in stap script
<axel12>
IRC really needs a way to edit the messages you write. It is really a pain reading my own messages and seeing my mistakes.
<fche>
heh
<fche>
after a while you stop worrying about it
<fche>
and just enjoy the raw back & forth
<axel12>
Thanks a lot for your help.
<fche>
np, was glad to find out about cuckoo in the first place!
<fche>
if it would help y'all, we can add some more utility functions to the tapset or more examples that are relevant to your area
<axel12>
Well, I don't really like cuckoo a lot. It is so freaking bugged you would not believe it. It is kind of not maintained atm
<fche>
last release a year ago
<axel12>
yeah, look at the open PRs XD
<axel12>
Like there is an issue with linux guests which makes them not work. It is a pretty easy programming error and easy to fix. But for almost one year they did not fix it and you have to patch it yourself if you want to get it working. And it is not mentioned in the docs. So you have to find that github issue on your own and apply the patch. That is NOT user friendly.
<fche>
bummer
<fche>
well one can always fork
<axel12>
yes, I also wonder why that does not happen. Anyways, I am an IT student and me + a friend were given the task to make cuckoo show syscalls from containers ;D But I also contribute to other open source projects and yes, if I would really contribute to that project I would have forked it long ago. There is a fork actually, but only for the windows part of cuckoo...
<fche>
aha
<fche>
well if some systemtap-related subset is still of interest to you, and you can hack it into working, we would be glad to redistribute that as a part of the stap package
<axel12>
Not sure what you mean exactly, but modifying systemtap itself.... not sure if that matches my skill set. Also, if I don't get it to work in a reasonable amount of time, I am gonna use strace instead. Just that systemtap would be cool because it is already used by cuckoo.
<fche>
yup
hpt has quit [Ping timeout: 246 seconds]
irker082 has joined #systemtap
<irker082>
systemtap: wcohen systemtap.git:wcohen/tapset_cast * release-4.3-20-g822ed2692 / tapset/linux/dentry.stp tapset/linux/dev.stp tapset/linux/ioblock.stp tapset/linux/task.stp: Use explicit @cast() operators pointing to kernel for tapsets
axel12 has quit [Remote host closed the connection]
derek0883 has joined #systemtap
zzhm has quit [Quit: Leaving]
derek0883 has quit [Remote host closed the connection]
derek0883 has joined #systemtap
sapatel has joined #systemtap
derek0883 has quit [Remote host closed the connection]
derek0883 has joined #systemtap
<irker082>
systemtap: wcohen systemtap.git:master * release-4.3-20-ga948c291c / tapset/linux/dentry.stp tapset/linux/dev.stp tapset/linux/ioblock.stp tapset/linux/task.stp: Use explicit @cast() operators pointing to kernel for tapsets
mjw has quit [Quit: Leaving]
sscox has joined #systemtap
derek0883 has quit [Remote host closed the connection]
derek0883 has joined #systemtap
irker082 has quit [Quit: transmission timeout]
derek0883 has quit [Remote host closed the connection]