CN111563024B - Method and device for monitoring container process on host machine and computing equipment - Google Patents

Method and device for monitoring container process on host machine and computing equipment

Info

Publication number
CN111563024B
Authority
CN
China
Prior art keywords
container
information
created
host machine
inquiring
Prior art date
Legal status
Active
Application number
CN202010679211.8A
Other languages
Chinese (zh)
Other versions
CN111563024A (en)
Inventor
高斌
Current Assignee
Beijing Shengxin Network Technology Co ltd
Original Assignee
Beijing Shengxin Network Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Shengxin Network Technology Co ltd
Priority to CN202010679211.8A
Publication of CN111563024A
Application granted
Publication of CN111563024B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the invention provides a method, a device, a readable storage medium and computing equipment for monitoring a container process on a host machine, which are used for acquiring accurate process information from the container's point of view in real time. The method comprises the following steps: registering host process monitoring; when a process creation event is monitored, acquiring the host process information corresponding to the created process; determining the container information corresponding to the created process according to the host process information; determining the in-container process information corresponding to the created process according to the host process information; and notifying the upper layer service application of the container information and the in-container process information corresponding to the created process.

Description

Method and device for monitoring container process on host machine and computing equipment
Technical Field
The present invention relates to the field of computer container technologies, and in particular, to a method and an apparatus for monitoring a container process on a host computer, a readable storage medium, and a computing device.
Background
A container is a stand-alone runtime environment. By packaging an application together with the libraries, configuration, tools, etc. on which it depends, rapid and agile deployment of the application is achieved. Containers are much lighter than virtual machines, and the machine on which a container runs is called the host machine.
The container engine technology represented by docker is a virtualization technology: container resources are isolated using the namespace feature provided by the Linux kernel, and each namespace is uniquely identified by an inode number. The process namespace (pid namespace) is the container virtualization of processes: processes within one container share the same pid namespace, and different containers usually have different pid namespaces. A process in a container can only see processes in the same pid namespace, that is, only the processes in its own container, which realizes isolation between containers to some extent.
At present, container technology is the cornerstone of cloud-native technology and is ever more widely applied, and monitoring container processes on a host is a general requirement. All containers on a host share the host kernel, so all host processes and container processes can be seen on the host; but because of the pid namespace, with current technology some in-container process information cannot be obtained from the host, and the returned result is distorted to a certain degree: for example, the process number (pid) seen on the host is inconsistent with the one seen in the container, and the user (uid) of a process obtained on the host is not a user in the container.
docker provides the docker top command for viewing process information in a container; docker top takes a container name or container id and returns detailed information on all processes in the container. The docker top command actually obtains a snapshot of all processes in the container by executing the ps command in the container, so processes cannot be monitored in real time; moreover, docker top cannot accurately obtain process information from the container's point of view, and the in-container process information is distorted.
Disclosure of Invention
To this end, the present invention provides a method, apparatus, readable storage medium, and computing device for monitoring container processes on a host machine in an effort to solve, or at least mitigate, at least one of the problems identified above.
According to an aspect of an embodiment of the present invention, there is provided a method for monitoring a container process on a host machine, including:
registering host process monitoring;
when a process creation event is monitored, acquiring process information in a host machine corresponding to a created process;
determining container information corresponding to the created process according to the process information in the host machine;
determining process information in a container corresponding to the created process according to the process information in the host and the container information corresponding to the created process;
and informing the upper layer service application of the container information corresponding to the created process and the process information in the container.
Optionally, determining container information corresponding to the created process according to the process information in the host, including:
querying the namespace inode number of the created process according to the process number included in the host process information;
acquiring the process numbers of the start processes of a plurality of containers;
querying the namespace inode numbers of the start processes of the containers according to the process numbers of the start processes of the containers;
determining the container corresponding to the created process according to the namespace inode numbers of the start processes of the multiple containers and the namespace inode number of the created process;
and acquiring the container information corresponding to the created process.
Optionally, querying a namespace inode number of the created process according to the process number included in the process information in the host includes:
reading the /proc/{pid}/ns/pid file according to the process number included in the host process information, and querying the namespace inode number of the created process;
inquiring the namespace inode numbers of the starting processes of the containers according to the process numbers of the starting processes of the containers, wherein the method comprises the following steps:
and reading the /proc/{pid}/ns/pid file according to the process numbers of the start processes of the containers, and querying the namespace inode numbers of the start processes of the containers.
Optionally, determining process information in the container corresponding to the created process according to the process information in the host and the container information corresponding to the created process, where the determining includes:
inquiring the process number in the container corresponding to the created process according to the process number included by the process information in the host machine;
inquiring a parent process number in a container corresponding to the created process according to the process number included in the process information in the host machine;
and querying the start user in the container corresponding to the created process according to the process user included in the host process information.
Optionally, querying the process number in the container corresponding to the created process according to the process number included in the host process information includes:
reading the NSpid field of the /proc/{pid}/status file according to the process number included in the host process information, and querying the process number in the container corresponding to the created process;
querying the parent process number in the container corresponding to the created process according to the process number included in the host process information includes:
reading the PPid field of the /proc/{pid}/status file according to the process number included in the host process information, and querying the parent process number in the container corresponding to the created process;
querying the start user in the container corresponding to the created process according to the container information corresponding to the created process includes:
and reading the /etc/password file in the container according to the container information corresponding to the created process, and querying the start user in the container corresponding to the created process.
Optionally, the method further comprises:
writing container information corresponding to the created process and process information in the container into a cache;
when a process exit event is monitored, reading container information and process information in a container corresponding to an exited process from a cache;
and informing the upper layer service application of the container information and the process information in the container corresponding to the exited process.
Optionally, the upper layer service application includes:
intrusion detection software, or application daemon tools, or resource monitoring tools.
When the intrusion detection software detects that the created process is a malicious process, the created process and/or the container corresponding to the created process is handled;
when the application daemon tool detects a process exit event, restarting the exited process and/or a container corresponding to the exited process;
and the resource monitoring tool acquires the process list and the process tree information in the container in real time according to the container information and the in-container process information corresponding to the created process and the container information and the in-container process information corresponding to the exited process.
According to another aspect of the present invention, there is provided an apparatus for monitoring a container process on a host machine, including:
the registration monitoring module is used for registering host process monitoring;
the system comprises a host machine process information acquisition module, a host machine process information acquisition module and a process creation module, wherein the host machine process information acquisition module is used for acquiring host machine process information corresponding to a created process when a process creation event is monitored;
the container positioning module is used for determining container information corresponding to the created process according to the process information in the host machine;
the in-container process information acquisition module is used for determining in-container process information corresponding to the created process according to the in-host process information and the container information corresponding to the created process;
and the message notification module is used for notifying the upper layer service application of the container information and the process information in the container corresponding to the created process.
According to yet another aspect of the present invention, there is provided a readable storage medium having executable instructions thereon which, when executed, cause a computer to perform the method of monitoring container processes on a host machine as described above.
According to yet another aspect of the present invention, there is provided a computing device comprising: one or more processors; a memory; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors to perform the above-described method of monitoring container processes on a host machine.
According to the technical scheme provided by the embodiment of the invention, a host process is registered for monitoring, when a process creating event is monitored, host machine process information corresponding to a created process is obtained, container information corresponding to the created process is determined according to the host machine process information, container process information corresponding to the created process is determined according to the host machine process information and the container information corresponding to the created process, and upper-layer service application is notified of the container information corresponding to the created process and the container process information; the embodiment of the invention realizes the real-time capture of the process change in the container and the real-time acquisition of the accurate process information of the container view angle, so that various upper-layer service applications can timely and accurately respond to the container process change, and the effectiveness of the upper-layer service applications is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate exemplary embodiments of the invention and together with the description serve to explain the principles of the invention.
FIG. 1 is a block diagram of an exemplary computing device.
FIG. 2 is a flow diagram of a method of monitoring container processes on a host machine according to an embodiment of the invention.
FIG. 3 is a diagram of a software deployment architecture, according to an embodiment of the invention.
Fig. 4 is a flow diagram of a method for monitoring container processes on a host machine in accordance with a specific embodiment of the present invention.
Fig. 5 is a schematic structural diagram of an apparatus for monitoring container processes on a host according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
FIG. 1 is a block diagram of an example computing device 100 arranged to implement a method of monitoring container processes on a host machine in accordance with the present invention. In a basic configuration 102, computing device 100 typically includes system memory 106 and one or more processors 104. A memory bus 108 may be used for communication between the processor 104 and the system memory 106.
Depending on the desired configuration, the processor 104 may be any type of processor, including but not limited to: a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof. The processor 104 may include one or more levels of cache, such as a level one cache 110 and a level two cache 112, a processor core 114, and registers 116. The example processor core 114 may include an Arithmetic Logic Unit (ALU), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 118 may be used with the processor 104, or in some implementations the memory controller 118 may be an internal part of the processor 104.
Depending on the desired configuration, system memory 106 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. System memory 106 may include an operating system 120, one or more programs 122, and program data 124. In some implementations, the program 122 can be configured to execute instructions on an operating system by one or more processors 104 using program data 124.
Computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (e.g., output devices 142, peripheral interfaces 144, and communication devices 146) to the basic configuration 102 via the bus/interface controller 130. The example output device 142 includes a graphics processing unit 148 and an audio processing unit 150. They may be configured to facilitate communication with various external devices, such as a display terminal or speakers, via one or more A/V ports 152. Example peripheral interfaces 144 may include a serial interface controller 154 and a parallel interface controller 156, which may be configured to facilitate communication with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 158. An example communication device 146 may include a network controller 160, which may be arranged to facilitate communications with one or more other computing devices 162 over a network communication link via one or more communication ports 164.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
Computing device 100 may be implemented as part of a small-form-factor portable (or mobile) electronic device such as a cellular telephone, a Personal Digital Assistant (PDA), a personal media player device, a wireless web-watch device, a personal headset device, an application specific device, or a hybrid device that includes any of the above functions. Computing device 100 may also be implemented as a personal computer, a server, or a cluster of multiple computers, including both desktop and notebook computer configurations.
Among other things, one or more programs 122 of computing device 100 include instructions for performing a method for monitoring container processes on a host machine in accordance with the present invention.
Fig. 2 illustrates a flow diagram of a method 200 for monitoring a container process on a host machine according to one embodiment of the present invention, the method 200 for monitoring a container process on a host machine beginning at step S210.
In step S210, host process monitoring is registered.
Specifically, a process monitoring function is started on the host through a Linux system mechanism. Methods of registering host process monitoring include, but are not limited to: So preload, Netlink Connector, Audit, Syscall Hook.
So preload: Linux allows defining a dynamic link library that is loaded preferentially; the creation and exit of processes are monitored by overriding execve and other functions in libc.
Netlink Connector: Linux provides a socket-based Netlink communication mechanism that enables timely exchange of data between the kernel and user space. The kernel has two built-in connector applications, one of which is the process event connector, through which monitoring of process creation and exit can be accomplished.
Audit: Linux audit is the auditing component of the Linux kernel and can monitor process creation and exit.
Syscall Hook: the general hook method is implemented by modifying sys_call_table (the Linux system call table). The principle is that on a system call the kernel looks up the corresponding function in sys_call_table by system call number and calls it, so process start and exit can be monitored simply by changing the address corresponding to execve in sys_call_table to the address of a specified function.
Subsequently, in step S220, when the process creation event is monitored, the host in-process information corresponding to the created process is acquired.
The host process information that can be obtained includes: process number (pid), process user id (uid) and process user group id (gid).
Subsequently, in step S230, container information corresponding to the created process is determined according to the process information in the host, that is, a container to which the created process belongs is located.
Specifically, step S230 includes:
querying the namespace inode number of the created process according to the process number included in the host process information;
acquiring the process numbers of the start processes of a plurality of containers; preferably, acquiring the process numbers of the start processes of all containers;
querying the namespace inode numbers of the start processes of the containers according to the process numbers of the start processes of the containers;
determining the container corresponding to the created process according to the namespace inode numbers of the start processes of the multiple containers and the namespace inode number of the created process; specifically, the container whose start process has the same namespace inode number as the created process is determined to be the container corresponding to the created process;
and acquiring the container information corresponding to the created process.
The namespace inode number of the created process and the namespace inode number of a container's start process are both queried by reading the /proc/{pid}/ns/pid file, where {pid} is the pid value of the process actually obtained; each process corresponds to a different /proc/{pid} directory.
Subsequently, in step S240, the in-container process information corresponding to the created process, that is, the process information of the container view angle, is determined according to the in-host process information and the container information corresponding to the created process.
Specifically, step S240 includes:
inquiring the process number in the container corresponding to the created process according to the process number included by the process information in the host machine;
inquiring a parent process number in a container corresponding to the created process according to the process number included in the process information in the host machine;
and querying the container corresponding to the created process to start the user according to the container information corresponding to the created process.
The in-container process number is queried by reading the NSpid field of the /proc/{pid}/status file; the in-container parent process number is queried by reading the PPid field of the /proc/{pid}/status file; and the container start user is queried by reading the /etc/password file in the container.
Subsequently, in step S250, the upper layer service application is notified of the container information and the in-container process information corresponding to the created process.
Optionally, after step S240, the method further includes:
S260, writing the container information and the in-container process information corresponding to the created process into a cache;
S270, when a process exit event is monitored, reading the container information and the in-container process information corresponding to the exited process from the cache;
S280, notifying the upper layer service application of the container information and the in-container process information corresponding to the exited process.
Because a process no longer exists on the host once it has exited, the container it belonged to and its in-container process information cannot be located at that point, and the upper-layer application cannot respond accordingly; in the embodiment of the invention, process exit is therefore monitored by recording the container information and in-container process information of each created process in the cache. A typical application scenario for exit monitoring is service keep-alive: for example, when the exit of a web service process in a container is detected, the container is destroyed and a new web service container is created.
Further, in order to improve the read-write efficiency of the cache, the pid is used as a key value (key) in the cache, and information such as a process name, a user (user) for starting the process in the container, the process pid in the container, and a parent process pid in the container is recorded. When the process exit event is triggered, the cache information corresponding to the exit process is quickly searched through the pid of the exit process.
In the embodiment of the present invention, the upper layer service application includes intrusion detection software, an application daemon, or a resource monitoring tool. The intrusion detection software checks, according to the container information and the in-container process information, whether the process corresponding to a process creation event is a malicious process and handles it accordingly; the application daemon restarts the process and/or the container corresponding to a process exit event according to the container information and the in-container process information; and the resource monitoring tool determines the process list and process tree information in the container according to the container information and the in-container process information.
As shown in fig. 3, in the embodiment of the present invention, an agent (agent) is deployed between an operating system of a host and a container, and the agent monitors process quitting and creation of all containers on the current host, where a monitoring process is shown in fig. 4, and includes:
Step 1, registering host process monitoring. A process monitoring function is started on the host through a Linux system mechanism.
Step 2, if it is a process creation event, the following steps are carried out:
Step 2.1, obtaining the process name and process pid from the monitored process creation event.
Step 2.2, locating the container in which the process is located.
Step 2.3, obtaining the in-container process information; specifically, the in-container process user, the in-container process pid and the in-container parent process pid.
Step 2.4, recording the in-container process information in the cache.
Step 2.5, notifying the upper layer service application of the process creation in the container.
Step 3, if it is a process exit event, reading the cached process information and notifying the upper layer service application of the process exit in the container.
The cache is optional: without the process cache, process creation in the container can still be monitored, but process exit in the container cannot.
The procedure for registering host process monitoring is as follows:
Step 1, registering process event monitoring, covering process creation and exit, by means of So preload, Netlink Connector, Audit, Syscall Hook or the like.
Step 2, when a process change occurs in a container, a process event notification is obtained. For a process creation event, the process fields that need to be recorded for the subsequent steps are: process number (pid), process user id (uid) and process user group id (gid).
The process of locating the container in which the process is located includes:
Step 1, obtaining the process namespace (pid namespace) of the process: read the /proc/{pid}/ns/pid file to obtain the inode number of the process's pid namespace.
Step 2, obtaining the pid namespaces of all containers: first obtain the pid of each container's start process, then read its /proc/{pid}/ns/pid file to obtain the inode number of the container start process's pid namespace.
Step 3, if the pid namespace inode number of the process equals the pid namespace inode number of a container's start process, the process belongs to that container.
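The container-location procedure above (steps S230 and the three steps just listed) as an added Python example, not code from the patent: it parses the /proc/{pid}/ns/pid link target into a pid-namespace inode number, matches the created process against the inodes of every container's start process, and runs offline against a constructed /proc look-alike. The container ids, pids and inode values are made up.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Added example, not the patent's own code: locate the container of a newly
# created host process by comparing pid-namespace inode numbers.

# The kernel renders the /proc/{pid}/ns/pid symlink target as "pid:[4026531836]".
_NS_LINK = re.compile(r"^pid:\[(\d+)\]$")


def parse_ns_inode(link_target: str) -> int:
    """Extract the pid-namespace inode number from a ns/pid link target."""
    m = _NS_LINK.match(link_target.strip())
    if m is None:
        raise ValueError(f"unexpected ns link target: {link_target!r}")
    return int(m.group(1))


def read_pid_ns_inode(pid: int, proc_root: str = "/proc") -> int:
    """Return the pid-namespace inode of a process by reading its ns/pid link.
    On a real host, reading this link for another user's process needs
    ptrace-level access (in practice, root), so the agent must be privileged."""
    return parse_ns_inode(os.readlink(os.path.join(proc_root, str(pid), "ns", "pid")))


def snapshot_container_namespaces(container_init_pids: Dict[str, int],
                                  proc_root: str = "/proc") -> Dict[str, int]:
    """Map container id -> pid-namespace inode of its start (init) process.
    A container may exit between being listed and /proc being read, so a
    vanished start process is skipped rather than aborting the snapshot."""
    inodes: Dict[str, int] = {}
    for container_id, init_pid in container_init_pids.items():
        try:
            inodes[container_id] = read_pid_ns_inode(init_pid, proc_root)
        except FileNotFoundError:
            continue
    return inodes


def locate_container(created_inode: int,
                     container_inodes: Dict[str, int]) -> Optional[str]:
    """Return the id of the container whose start process shares the created
    process's pid namespace, or None for a plain host process (host processes
    live in the initial pid namespace, which no container's init uses)."""
    for container_id, inode in container_inodes.items():
        if inode == created_inode:
            return container_id
    return None


def build_fake_proc(root: str, ns_inodes: Dict[int, int]) -> None:
    """Constructed /proc look-alike: {root}/{pid}/ns/pid symlinks whose targets
    mimic the kernel's "pid:[inode]" form (dangling symlinks are fine here)."""
    for pid, inode in ns_inodes.items():
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        os.symlink(f"pid:[{inode}]", os.path.join(ns_dir, "pid"))


def demo() -> Dict[int, Optional[str]]:
    """Locate three constructed new processes against two constructed containers."""
    proc_root = tempfile.mkdtemp(prefix="fakeproc-")
    host_ns, web_ns, db_ns = 4026531836, 4026532567, 4026532641  # constructed inodes
    build_fake_proc(proc_root, {
        1: host_ns,      # host init
        4100: web_ns,    # start process of container "web"
        4230: db_ns,     # start process of container "db"
        4187: web_ns,    # new process spawned inside "web"
        4301: db_ns,     # new process spawned inside "db"
        4400: host_ns,   # new process on the host itself
    })
    # "gone" has no /proc entry any more and is dropped from the snapshot.
    container_inodes = snapshot_container_namespaces(
        {"web": 4100, "db": 4230, "gone": 9999}, proc_root)
    return {pid: locate_container(read_pid_ns_inode(pid, proc_root), container_inodes)
            for pid in (4187, 4301, 4400)}
```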
The process of obtaining process information in a container includes:
Step 1, obtaining the in-container pid of the process: read the NSpid field of the /proc/{pid}/status file. The value of the NSpid field is an array, each entry giving the pid of the process in one of its pid namespaces. For a container process, the first value is the process pid on the host and the second value is the process pid inside the container.
Step 2, obtaining the in-container parent process pid of the process: read the PPid field of the /proc/{pid}/status file.
Step 3, obtaining the user (user) that started the process in the container: read the /etc/password file in the container, each line of which has the format 'user (user):user password:user id (uid):user group id (gid):account remark:user home directory:user default shell'. The start user (user) is found from the user id (uid) of the process.
The cache read/write mechanism is as follows:
Writing to the cache: when a process is created, its in-container details are written with the host pid of the created process as the cache key. The record contains at least the process name, the start user in the container, the pid in the container and the parent pid in the container;
Reading from the cache: when a process exits, the cache record is looked up with the host pid of the exited process as the key. At that point /proc/{pid} no longer exists, so the cache is the only source of the container-view information; the entry should be removed after the read so that a later process reusing the same pid is not mis-attributed.
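The following is an added example, not code from the patent or its applicant, that carries the three procedures above through in Python: locating the container by pid-namespace inode, deriving the container-view pid, parent pid and start user from /proc/{pid}/status and the container's /etc/passwd, and the pid-keyed cache consulted on the exit event. It goes one step beyond the text by translating the host-view PPid through the parent's NSpid and treating a parent outside the container's namespace as parent 0, which is what a process sees from inside. The /proc reads are abstracted behind two callables so the functions run unchanged against the constructed sample /proc embedded at the bottom or against a live host; the container name, pids, namespace inode numbers and file contents are constructed sample data, and the mechanism by which create and exit notifications arrive is not modelled here.

```python
"""Added example, not the patent's code. /proc is read through read_text(path) and
read_link(path) callables so the functions run on the constructed fake /proc below
or on a live host (lambda p: Path(p).read_text() and os.readlink). FAKE_FILES,
FAKE_LINKS and CONTAINERS are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class ProcessRecord:
    host_pid: int
    name: str
    container: Optional[str]   # None for a plain host process
    pid_in_container: int
    ppid_in_container: int
    user_in_container: Optional[str]

def ns_inode(read_link: Callable, pid: int) -> int:
    """/proc/<pid>/ns/pid is a symlink whose target reads 'pid:[<inode>]'."""
    m = re.fullmatch(r"pid:\[(\d+)\]", read_link(f"/proc/{pid}/ns/pid"))
    if m is None:
        raise ValueError(f"unexpected ns link target for pid {pid}")
    return int(m.group(1))

def status_fields(read_text: Callable, pid: int) -> Dict[str, str]:
    """Parse /proc/<pid>/status into a field -> value map."""
    lines = read_text(f"/proc/{pid}/status").splitlines()
    return {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in lines)}

def locate_container(read_link: Callable, pid: int, init_pids: Dict[str, int]) -> Optional[str]:
    """Location steps 1-3: the container whose starting process shares the pid-namespace inode."""
    target = ns_inode(read_link, pid)
    for name, init_pid in init_pids.items():
        if ns_inode(read_link, init_pid) == target:
            return name
    return None

def nspid_levels(fields: Dict[str, str]) -> List[int]:
    """NSpid (Linux >= 4.1): the pid at every namespace level, host view first,
    innermost last. Kernels without it only expose the host-view Pid."""
    raw = fields.get("NSpid")
    return [int(x) for x in raw.split()] if raw else [int(fields["Pid"])]

def ppid_in_container(read_text: Callable, fields: Dict[str, str]) -> int:
    """PPid is the parent's pid in the reader's (host) namespace, so translate it through
    the parent's own NSpid. A parent with fewer levels is outside the container: ppid 0."""
    ppid = int(fields["PPid"])
    if ppid == 0:
        return 0
    own, parent = nspid_levels(fields), nspid_levels(status_fields(read_text, ppid))
    return parent[-1] if len(parent) >= len(own) else 0

def user_for_uid(read_text: Callable, init_pid: int, uid: int) -> Optional[str]:
    """Look uid up in the container's own /etc/passwd via the init's root link /proc/<init>/root."""
    for line in read_text(f"/proc/{init_pid}/root/etc/passwd").splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == str(uid):
            return parts[0]
    return None

def on_process_created(read_text: Callable, read_link: Callable, pid: int,
                       containers: Dict[str, int], cache: Dict[int, ProcessRecord]) -> ProcessRecord:
    """Create-event handler: build the container-view record and cache it under the host pid."""
    fields = status_fields(read_text, pid)
    name, ppid = fields.get("Name", ""), int(fields["PPid"])
    container = locate_container(read_link, pid, containers)
    # Uid lists real/effective/saved/fs uid in the reader's user namespace; a container
    # that uses a user namespace needs /proc/<pid>/uid_map applied before the lookup.
    uid = int(fields["Uid"].split()[0])
    if container is None:
        rec = ProcessRecord(pid, name, None, pid, ppid, None)
    else:
        rec = ProcessRecord(pid, name, container, nspid_levels(fields)[-1],
                            ppid_in_container(read_text, fields),
                            user_for_uid(read_text, containers[container], uid))
    cache[pid] = rec   # key: the host pid, which is what the exit event carries
    return rec

def on_process_exited(pid: int, cache: Dict[int, ProcessRecord]) -> Optional[ProcessRecord]:
    """Exit-event handler: /proc/<pid> is gone by now, so the cache is the only source;
    pop the entry so a recycled pid cannot be mis-attributed later."""
    return cache.pop(pid, None)

# Constructed fake /proc: host init 1, runtime shim 1200, the "web" container's nginx
# init 1234 (pid 1 inside), a shell it spawned 1300 (pid 7 inside, uid 1000), host sshd 1400.
def _status(name, pid, ppid, nspid, uid):
    return f"Name:\t{name}\nPid:\t{pid}\nPPid:\t{ppid}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\nNSpid:\t{nspid}\n"

FAKE_FILES = {"/proc/1/status": _status("systemd", 1, 0, "1", 0),
              "/proc/1200/status": _status("containerd-shim", 1200, 1, "1200", 0),
              "/proc/1234/status": _status("nginx", 1234, 1200, "1234\t1", 0),
              "/proc/1300/status": _status("sh", 1300, 1234, "1300\t7", 1000),
              "/proc/1400/status": _status("sshd", 1400, 1, "1400", 0),
              "/proc/1234/root/etc/passwd": "root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000::/app:/sbin/nologin\n"}
HOST_NS, WEB_NS = "pid:[4026531836]", "pid:[4026532456]"
FAKE_LINKS = {"/proc/1/ns/pid": HOST_NS, "/proc/1200/ns/pid": HOST_NS, "/proc/1234/ns/pid": WEB_NS,
              "/proc/1300/ns/pid": WEB_NS, "/proc/1400/ns/pid": HOST_NS}
CONTAINERS = {"web": 1234}
```

On a live host the same functions are called with `lambda p: Path(p).read_text()` and `os.readlink`, and the map of container names to starting-process pids comes from the container runtime; reading /proc/{init}/root and the ns links of other users' processes requires the monitor to run as root on the host.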
The embodiment of the invention captures process creation behaviour by monitoring processes on the host machine, obtains the process name, then obtains the container information of the process, and further obtains the start user, the process pid and the parent process pid as seen from inside the container. By obtaining the in-container process information accurately and in real time, intrusion detection software can check whether the process file is a virus or Trojan horse when it observes the process start; an application daemon tool can restart the service container when it observes that the service process in the container has exited; and a resource monitoring tool can obtain the process list and process tree of the container.
Referring to fig. 5, an apparatus for monitoring a container process on a host according to an embodiment of the present invention includes:
a registration monitoring module 510, configured to register host process monitoring;
a host process information obtaining module 520, configured to obtain host process information corresponding to a created process when a process creation event is monitored;
a container positioning module 530, configured to determine, according to the process information in the host, container information corresponding to the created process;
the in-container process information obtaining module 540 is configured to determine, according to the in-host process information and the container information corresponding to the created process, in-container process information corresponding to the created process;
and a message notification module 550, configured to notify the upper layer service application of the container information and the process information in the container corresponding to the created process.
Optionally, the container positioning module 530 is specifically configured to:
inquiring the namespace inode number of the created process according to the process number included in the process information in the host machine;
acquiring process numbers of starting processes of a plurality of containers;
inquiring the name space inode numbers of the starting processes of the containers according to the process numbers of the starting processes of the containers;
determining a container corresponding to the created process according to the namespace inode numbers of the starting processes of the multiple containers and the namespace inode number of the created process;
and acquiring container information corresponding to the created process.
Optionally, the in-container process information obtaining module 540 is specifically configured to:
inquiring the process number in the container corresponding to the created process according to the process number included in the process information in the host machine;
inquiring the parent process number in the container corresponding to the created process according to the process number included in the process information in the host machine;
and inquiring the user that started the created process in the container according to the container information corresponding to the created process.
The apparatus further includes:
the cache read-write module is used for writing the container information corresponding to the created process and the process information in the container into a cache; and when the process exit event is monitored, reading container information and process information in the container corresponding to the exited process from the cache.
The message notification module 550 is further configured to notify the upper layer service application of the container information and the process information in the container corresponding to the exited process.
For specific limitations of the apparatus for monitoring the container process on the host machine, reference may be made to the above limitations of the method for monitoring the container process on the host machine, which are not described herein again.
It should be understood that the various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the various methods of the present invention according to instructions in the program code stored in the memory.
By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer-readable media includes both computer storage media and communication media. Computer storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of computer readable media.
It should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the method of the invention should not be construed to reflect the intent: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing inventive embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the apparatus in the examples invented herein may be arranged in an apparatus as described in this embodiment or alternatively may be located in one or more apparatuses different from the apparatus in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features of the invention in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so invented, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature of the invention in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention is to be considered as illustrative and not restrictive in character, with the scope of the invention being indicated by the appended claims.

Claims (9)

1. A method for monitoring container processes on a host machine, comprising:
registering monitoring of host machine processes;
when a process creation event is monitored, acquiring process information in a host machine corresponding to a created process;
inquiring the name space inode number of the created process according to the process number included in the process information in the host machine;
acquiring process numbers of starting processes of a plurality of containers;
inquiring the name space inode numbers of the starting processes of the containers according to the process numbers of the starting processes of the containers;
determining a container corresponding to the created process according to the namespace inode numbers of the starting processes of the containers and the namespace inode number of the created process;
acquiring container information corresponding to the created process;
determining the in-container process information corresponding to the created process according to the in-host process information and the container information corresponding to the created process, the in-container process information comprising: the process number in the container, the parent process number in the container and the user that started the process in the container;
and informing the upper layer service application of the container information and the process information in the container corresponding to the created process.
2. The method of claim 1,
inquiring the namespace inode number of the created process according to the process number included in the process information in the host machine comprises:
reading the /proc/{pid}/ns/pid file according to the process number included in the process information in the host machine, and inquiring the namespace inode number of the created process;
inquiring the namespace inode numbers of the starting processes of the containers according to the process numbers of the starting processes of the containers comprises:
reading the /proc/{pid}/ns/pid file according to the process number of the starting process of each container, and inquiring the namespace inode number of the starting process of that container.
3. The method of claim 1, wherein determining the in-container process information corresponding to the created process according to the in-host process information and the container information corresponding to the created process comprises:
inquiring the process number in the container corresponding to the created process according to the process number included in the process information in the host machine;
inquiring a parent process number in a container corresponding to the created process according to the process number included in the process information in the host machine;
and querying a container corresponding to the created process to start a user according to the container information corresponding to the created process.
4. The method of claim 3,
inquiring the process number in the container corresponding to the created process according to the process number included in the process information in the host machine comprises:
reading the NSpid field of the /proc/{pid}/status file according to the process number included in the process information in the host machine, and inquiring the process number in the container corresponding to the created process;
inquiring the parent process number in the container corresponding to the created process according to the process number included in the process information in the host machine comprises:
reading the PPid field of the /proc/{pid}/status file according to the process number included in the process information in the host machine, and inquiring the parent process number in the container corresponding to the created process;
inquiring the user that started the created process in the container according to the container information corresponding to the created process comprises:
reading the /etc/passwd file in the container according to the container information corresponding to the created process, and inquiring the user that started the created process in the container.
5. The method of claim 1, further comprising:
writing the container information corresponding to the created process and the process information in the container into a cache;
when a process exit event is monitored, reading container information and process information in a container corresponding to an exited process from a cache;
and informing the upper layer service application of the container information and the process information in the container corresponding to the exited process.
6. The method of claim 5, wherein the upper layer service application comprises:
intrusion detection software, or application daemon, or resource monitoring tools;
when the intrusion detection software detects that the created process is a malicious process, it processes the created process and/or the container corresponding to the created process;
when the application daemon tool detects the process exit event, it restarts the exited process and/or the container corresponding to the exited process;
and the resource monitoring tool acquires the process list and process tree information of the container in real time according to the container information and in-container process information corresponding to the created process and the container information and in-container process information corresponding to the exited process.
7. An apparatus for monitoring container processes on a host machine, comprising:
a registration monitoring module, configured to register monitoring of host machine processes;
a host machine process information acquisition module, configured to acquire host machine process information corresponding to a created process when a process creation event is monitored;
the container positioning module is used for inquiring the name space inode number of the created process according to the process number included by the process information in the host machine; acquiring process numbers of starting processes of a plurality of containers; inquiring the name space inode numbers of the starting processes of the containers according to the process numbers of the starting processes of the containers; determining a container corresponding to the created process according to the namespace inode numbers of the starting processes of the containers and the namespace inode number of the created process; acquiring container information corresponding to the created process;
an in-container process information obtaining module, configured to determine, according to the in-host process information and the container information corresponding to the created process, the in-container process information corresponding to the created process, the in-container process information comprising: the process number in the container, the parent process number in the container and the user that started the process in the container;
and the message notification module is used for notifying the upper layer service application of the container information and the process information in the container corresponding to the created process.
8. A readable storage medium having executable instructions thereon that, when executed, cause a computer to perform the operations included in any one of claims 1-6.
9. A computing device, comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors to perform operations as recited in any of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010679211.8A CN111563024B (en) 2020-07-15 2020-07-15 Method and device for monitoring container process on host machine and computing equipment

Publications (2)

Publication Number Publication Date
CN111563024A (en) 2020-08-21
CN111563024B (en) 2020-10-16 (granted)

Family

ID=72072772

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010679211.8A Active CN111563024B (en) 2020-07-15 2020-07-15 Method and device for monitoring container process on host machine and computing equipment

Country Status (1)

Country Link
CN (1) CN111563024B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112989330B (en) * 2021-02-08 2023-12-12 网宿科技股份有限公司 Container intrusion detection method, device, electronic equipment and storage medium
CN113360913A (en) * 2021-08-10 2021-09-07 杭州安恒信息技术股份有限公司 Malicious program detection method and device, electronic equipment and storage medium
CN113467897B (en) * 2021-09-02 2021-12-07 北京安华金和科技有限公司 System and method for monitoring database in container
CN116820871A (en) * 2022-03-22 2023-09-29 三六零数字安全科技集团有限公司 Method, system, storage medium and computer equipment for auditing process behavior
CN114500115B (en) * 2022-04-14 2022-07-29 浙江齐安信息科技有限公司 Auditing device, system and method for flow data packet
CN114978963A (en) * 2022-04-26 2022-08-30 西安交通大学 Network system monitoring analysis method and device, electronic equipment and storage medium
CN115202830B (en) * 2022-09-09 2022-12-30 统信软件技术有限公司 Root file system preparation method, system, computing device and readable storage medium

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN102147711B (en) * 2010-12-31 2014-04-02 华为数字技术(成都)有限公司 Storage method and device based on data content identification
CN104881481B (en) * 2015-06-03 2018-05-01 广东省机电设备招标有限公司 A kind of method and device for accessing magnanimity time series data
CN110851824B (en) * 2019-11-13 2023-07-28 哈尔滨工业大学 Detection method for malicious container



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant