[PATCH 0/7] [RFC] kernel: add a netlink interface to get information about processes

From: Pavel Odintsov
Date: Thu Feb 19 2015 - 07:50:41 EST

Hello, folks!

These are very useful patches and they can make my tasks simpler and faster.

In my day-to-day work I work with Linux servers with an enormous
number of processes (~25 000 per server). These servers run multiple
hundreds of Linux containers.

If I want to analyze processor load, network load or check something else,
I use top/atop/htop/netstat. But they work very slowly and consume a
significant amount of CPU power parsing multiple thousands of text
files in /proc (like /proc/tcp, /proc/udp, /proc/status,

Some time ago I worked on a malware detection toolkit for Linux -
Antidoto (https://github.com/FastVPSEestiOu/Antidoto) which uses the /proc
filesystem very deeply. For detecting malware I need to check every
descriptor, every socket and get complete information about all
processes on the system.

But with the current text-file-based architecture of /proc I can't achieve
a suitable speed for my toolkit.

For example, here you can look at the time for processing all network
connections for a server with 20244 processes with

real 1m26.637s
user 0m23.945s
sys 0m43.978s

As you can see, this time is very large, but I use the latest CPUs from Intel
(Xeon 2697v3).

I have multiple ideas about complete realtime Linux server monitoring,
but without the ability to pull information from the Linux kernel faster I
can't realize them.

Sincerely yours, Pavel Odintsov