Find server PIDs based on socket inode number

Author: KJ Tsanaktsidis

Dockerfile

@@ -11,7 +11,8 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -mod=vendor -ldflags "-X main.version=$
     raingutter/raingutter.go  \
     raingutter/socket_stats.go \
     raingutter/prometheus.go \
-    raingutter/netlink_socket_stats.go
+    raingutter/netlink_socket_stats.go \
+    raingutter/process.go
 
 FROM scratch
 

README.md

@@ -41,6 +41,7 @@ The following environment variables can be used to configure Raingutter:
 * `RG_USE_SOCKET_STATS`: Deprecated - use `RG_SOCKET_STATS_MODE` instead. If set to `true`, will behave like `RG_SOCKET_STATS_MODE == "proc_net"`, and if set to `false` will behave like `RG_SOCKET_STATS_MODE == "raindrops"`.
 * `RG_FREQUENCY`: Polling frequency in milliseconds (default: `500`)
 * `RG_SERVER_PORT`: Where the web server listens to
+* `RG_MEMORY_STATS_ENABLED`: If enabled, attempt to collect memory usage statistics for processers listening on `RG_SERVER_PORT`. This is most useful for preforking webservers like unicorn, where it will measure how much memory is copy-on-write shared between processes. If using this feature, you should NOT use `RG_SOCKET_STATS_MODE=netlink` - Raingutter relies on lining up the listener socket inode numbers with `/proc/$pid/fd/` to find out which processes are listening on a socket. The inode is stored in the kernel as a 64-bit integer, however the INET_DIAG netlink API only exposes it as a 32-bit integer, doing silent wrap around! This means that if you use `RG_SOCKET_STATS_MODE=netlink`, `RG_MEMORY_STATS_ENABLED` might simply fail to generate any metrics at all if your system has had a lot of sockets.
 * `RG_PROC_DIRECTORY`: Path to `/proc` directory to use. Useful when running in a container to point to a path where the host's `/proc` directory is mounted.
 
 ##### Pre-fork web servers (Unicorn)

raingutter/netlink_socket_stats_test.go

@@ -11,31 +11,42 @@ import (
 	"time"
 )
 
-func testNetlinkSocketStatsImpl(t *testing.T, bindAddr string) {
-	// Set up a listener socket
+func listenAndGetInodeNumber(t *testing.T, bindAddr string) (*net.TCPListener, uint64) {
 	l, err := net.Listen("tcp", bindAddr)
 	if err != nil {
 		t.Fatalf("failed to listen: %s", err)
 	}
-	port := uint16(l.Addr().(*net.TCPAddr).Port)
 	listenerFd, err := l.(*net.TCPListener).File()
 	if err != nil {
+		l.Close()
 		t.Fatalf("failed to get fd for listener: %s", err)
 	}
 	listenerInodeStr, err := os.Readlink(fmt.Sprintf("/proc/self/fd/%d", listenerFd.Fd()))
 	if err != nil {
+		l.Close()
 		t.Fatalf("failed to readlink fd for listener: %s", err)
 	}
 	socketIndoeRegexp := regexp.MustCompile(`socket:\[([0-9]+)\]`)
 	matches := socketIndoeRegexp.FindStringSubmatch(listenerInodeStr)
 	if len(matches) < 2 {
+		l.Close()
 		t.Fatalf("could not parse socket inode %s", listenerInodeStr)
 	}
 	listenerInode, err := strconv.Atoi(matches[1])
 	if err != nil {
+		l.Close()
 		t.Fatalf("could not convert socket inode %s to int: %s", matches[1], err)
 	}
 
+	return l.(*net.TCPListener), uint64(listenerInode)
+}
+
+func testNetlinkSocketStatsImpl(t *testing.T, bindAddr string) {
+	// Set up a listener socket
+	l, listenerInode := listenAndGetInodeNumber(t, bindAddr)
+	defer l.Close()
+	port := uint16(l.Addr().(*net.TCPAddr).Port)
+
 	rnlc, err := NewRaingutterNetlinkConnection()
 	if err != nil {
 		t.Fatalf("failed to create netlink connection: %s", err)

raingutter/process.go

@@ -0,0 +1,127 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path"
+	"strconv"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+type ServerProcess struct {
+	Pid int
+}
+
+// linuxDirent64 is linux_dirent64 from linux/dirent.h
+type linuxDirent64 struct {
+	DIno uint64 // u64 d_ino
+	DOff int64 // s64 d_off
+	DReclen uint16 // unsigned short d_reclen
+	DType uint8 // unsigned char d_type
+	DName byte // The first byte of flexible array member char d_name[]
+}
+
+func FindProcessesListeningToSocket(procDir string, socketInode uint64) ([]ServerProcess, error) {
+	// Check what network namespace _we_ are in.
+	selfNetNs, err := os.Readlink(path.Join(procDir, "self/ns/net"))
+	if err != nil {
+		return nil, fmt.Errorf("error reading %s/self/ns/net: %w", procDir, err)
+	}
+
+	// List out every process in /proc
+	procEntries, err := os.ReadDir(procDir)
+	if err != nil {
+		return nil, fmt.Errorf("error reading dir %s: %w", procDir, err)
+	}
+
+	var result []ServerProcess
+
+	for _, entry := range procEntries {
+		// use an IIFE so that we can defer closing the directory FD.
+		func(){
+			if !entry.IsDir() {
+				return
+			}
+			pid, err := strconv.Atoi(entry.Name())
+			if err != nil {
+				// Not a proc/$PID directory
+				return
+			}
+			dirFD, err := os.OpenFile(path.Join(procDir, entry.Name()), os.O_RDONLY | unix.O_DIRECTORY, 0)
+			if err != nil {
+				// failed to open the directory - process may simply have died before we could open it.
+				return
+			}
+			defer dirFD.Close()
+
+			// Is this process in the same namespace as us?
+			// format of this link is "net:[uint64 in base10]" so this buffer is always
+			// going to be large enough
+			linkBuffer := make([]byte, 64)
+			n, err := unix.Readlinkat(int(dirFD.Fd()), "ns/net", linkBuffer)
+			if err != nil {
+				// Could mean a couple of things - this process might have exited, or we might not
+				// be in the same (or parent) net namespace as the pid. We want to filter for processes
+				// in the same network namespace anyway, so ignore this regardless.
+				return
+			}
+			pidNetNs := string(linkBuffer[:n])
+			if selfNetNs != pidNetNs {
+				// this process is in a different network namespace. Ignore.
+				return
+			}
+
+
+			// See if it has an open file with the given socketInode.
+			fdDirFD, err := unix.Openat(int(dirFD.Fd()), "fd", os.O_RDONLY | unix.O_DIRECTORY, 0)
+			if err != nil {
+				// could have exited
+				return
+			}
+			defer unix.Close(fdDirFD)
+
+			pidHasListenerSocketOpened := false
+			// Gross-time. Golang has no binding for "read entries from a directory FD". This is important,
+			// because pids can be recycled, so doing something like os.Readdir("/proc/$pid/fd") is racey.
+			// Linux has the getdents64 syscall for this purpose; use the raw syscall API.
+			dentBuf := make([]byte, 4096)
+			for {
+				nBytes, err := unix.Getdents(fdDirFD, dentBuf)
+				if err != nil {
+					return
+				}
+				if nBytes == 0 {
+					break
+				}
+				offset := 0
+				for offset < nBytes {
+					dentStruct := (*linuxDirent64)(unsafe.Pointer(&dentBuf[offset]))
+
+					fdFileNameStartOffset := offset + int(unsafe.Offsetof(dentStruct.DName))
+					fdFileNameEndOffset := fdFileNameStartOffset
+					for dentBuf[fdFileNameEndOffset] != 0 {
+						fdFileNameEndOffset++
+					}
+					fdFileName := string(dentBuf[fdFileNameStartOffset:fdFileNameEndOffset])
+
+					linkBytes, err := unix.Readlinkat(fdDirFD, fdFileName, linkBuffer)
+					if err == nil && string(linkBuffer[:linkBytes]) == fmt.Sprintf("socket:[%d]", socketInode) {
+						// This process has the listener socket opened.
+						pidHasListenerSocketOpened = true
+					}
+
+					offset += int(dentStruct.DReclen)
+				}
+			}
+
+			if pidHasListenerSocketOpened {
+				result = append(result, ServerProcess{
+					Pid: pid,
+				})
+			}
+		}()
+	}
+	return result, nil
+}

raingutter/process_test.go

@@ -0,0 +1,26 @@
+package main
+
+import (
+	"os"
+	"testing"
+)
+
+func TestFindProcessesListeningToSocket(t *testing.T) {
+	// Open a listening socket.
+	l, listenerInode := listenAndGetInodeNumber(t, "127.0.0.1:0")
+	defer l.Close()
+
+	// Find processes using that socket
+	procs, err := FindProcessesListeningToSocket("/proc", listenerInode)
+	if err != nil {
+		t.Fatalf("error FindProcessesListeningToSocket: %s", err)
+	}
+
+	// This process should be the only process using that socket.
+	if len(procs) != 1 {
+		t.Fail()
+	}
+	if procs[0].Pid != os.Getpid() {
+		t.Fail()
+	}
+}

raingutter/raingutter.go

@@ -329,6 +329,13 @@ func main() {
 	log.Info("RG_FREQUENCY: ", frequency)
 	freqInt, _ := strconv.Atoi(frequency)
 
+
+	memoryStatsEnabledStr := os.Getenv("RG_MEMORY_STATS_ENABLED")
+	memoryStatsEnabled := false
+	if strings.ToLower(memoryStatsEnabledStr) == "true" {
+		memoryStatsEnabled = true
+	}
+
 	if podName == "" {
 		log.Warn("POD_NAME is missing")
 	}
@@ -450,6 +457,19 @@ func main() {
 			}
 		}
 
+		if memoryStatsEnabled {
+			serverProcs, err := FindProcessesListeningToSocket(procDir, r.ListenerSocketInode)
+			if err != nil {
+				log.Error(err)
+			} else {
+				var pids []int
+				for _, s := range serverProcs {
+					pids = append(pids, s.Pid)
+				}
+				log.Infof("Found unicorn pids: %+v", pids)
+			}
+		}
+
 		if didScan {
 			if statsdEnabled == "true" {
 				r.sendStats(statsdClient, &tc, useThreads)