On Jul 2, 2013, at 8:27 PM, Nathan Scott <nathans@xxxxxxxxxx> wrote:
>
>
> ----- Original Message -----
>>
>> The impending default solution to this is the pmcd
>> authenticated-connection mode, wherein a pcp client can forward user
>> identity to pmcd, after which the pmda-linux code can setuid to that
>> user temporarily to service proc requests. The new AF_UNIX pmcd
>> transport will pass credentials automatically. That should handle
>> users being able to monitor their own processes, or root monitoring
>> everyone, without having to run pmcd itself as root.
>>
>> - FChE
>>
>> Ok, that sounds good. So I could run pmlogger as root and collect information
>> for all processes when this is implemented?
>
> You would need to allow pmlogger (which runs as "pcp" user) to authenticate as
> "root" if you'd like to be able to query values (and record) all processes. How
> that would be achieved would depend on the authentication mechanism used, which
> is handled by SASL and configured outside of pmcd.
Ok
>
> As a general rule, its not a good idea to record all processes ... and the maps
> metric in particular is huge. There are better potential solutions, like having
> a PMDA which tracks only processes of interest (custom PMDA), or the process(es)
> of interest could be cgroup-controlled, and the cgroup metrics (in the linux_proc
> PMDA) could be extended with the maps information. Lot of "could be"s there -
> this remains an area of on-going work and experimentation I think.
>
Sure, it's a lot of data. We are trying to see how often we can collect all
possible data without affecting overall performance on the machine. For
purposes of this project we don't know what might be interesting processes
until afterwards.
> If you have an immediate need however, you can still install the Linux proc PMDA
> (which runs as root, separate to pmcd) it is just not default-installed anymore
> due to the information-exposure concern.
That's probably what we'll do for now as this is on an isolated network.
Thanks
Martins
>
> cheers.
>
> --
> Nathan
>
>
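The privilege-switching pattern FChE describes above (a root-running agent temporarily taking on the requesting user's identity to service a proc request, then switching back) is the part a defender most wants to get right: a failed switch must abort the request rather than fall through with the daemon's own privileges, and the restore must be checked too. The following is an added illustration written for this thread, not code from PCP or the pmda-linux source; `read_file_as_user` and `self_check` are hypothetical names, and the "Name:\tdemo" scratch file is constructed for the self-test.

```c
/* Added example (not PCP code): serve one file read under the requesting
 * user's effective uid, restoring the daemon's identity afterwards. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Read up to len-1 bytes of path while running with the effective uid of
 * the requesting user. Returns bytes read, or -1 on any failure. The
 * effective uid is always restored before returning. */
ssize_t read_file_as_user(uid_t user, const char *path, char *buf, size_t len)
{
    uid_t saved = geteuid();
    ssize_t n = -1;
    int fd;

    if (len == 0)
        return -1;

    /* Switch to the caller's identity. If this fails we must not fall
     * through and read the file with the daemon's own privileges. */
    if (seteuid(user) != 0)
        return -1;

    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        n = read(fd, buf, len - 1);
        close(fd);
        if (n >= 0)
            buf[n] = '\0';
    }

    /* Restore. A failure here would leave the daemon running as the wrong
     * user, which is unrecoverable for a privilege-switching server. */
    if (seteuid(saved) != 0) {
        perror("seteuid restore");
        abort();
    }
    return n;
}

/* Self-test: create a scratch file (constructed content), read it back
 * through the helper as our own uid, confirm the effective uid is unchanged,
 * and confirm the failure path also restores the uid. Returns 1 on success. */
int self_check(void)
{
    char path[] = "/tmp/readasXXXXXX";
    char buf[64];
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    if (write(fd, "Name:\tdemo\n", 11) != 11) {
        close(fd);
        unlink(path);
        return 0;
    }
    close(fd);

    ssize_t n = read_file_as_user(getuid(), path, buf, sizeof buf);
    int ok = n == 11 && strcmp(buf, "Name:\tdemo\n") == 0
             && geteuid() == getuid();

    /* Missing file: helper reports -1 and the uid is still restored. */
    ok = ok && read_file_as_user(getuid(), "/nonexistent/xyz", buf, sizeof buf) == -1
            && geteuid() == getuid();

    unlink(path);
    return ok;
}

int main(void)
{
    int ok = self_check();
    printf("%s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Run as an unprivileged user the self-test exercises the seteuid-to-self path; the point of the helper is the two checked transitions, which is exactly what an agent forwarding credentials over an AF_UNIX transport relies on before touching per-process data.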