Split user info

sinsp_threadinfo contains two fields with user and login_user
information. Since those fields are of scap_userinfo type and statically
allocated, they take a lot of space:

    scap_userinfo              m_user;               /*   368  2312 */
    scap_userinfo              m_loginuser;          /*  2680  2312 */

which is 4624 bytes out of 5728 for the whole sinsp_threadinfo:

    /* size: 5728, cachelines: 90, members: 64 */

Most of this memory is coming from the fields name
(MAX_CREDENTIALS_STR_LEN), homedir and shell (both SCAP_MAX_PATH_SIZE).
For a process-heavy workload this can mean a lot of memory taken for
these purposes.

To make memory management more flexible, split m_user/m_loginuser into
two set of fields:
* one containing uid/gid, which are ubiquitous and generally used
everywhere
* one for the rest of heavy details, which are needed less often

The new user_details structure is not supposed to use separately from
sinsp_threadinfo, thus it's defined inside the class.

Co-authored-by: Mauro Ezequiel Moltrasio <[email protected]>

Author: erthalion

userspace/libsinsp/filterchecks.cpp

@@ -6177,22 +6177,22 @@ uint8_t* sinsp_filter_check_user::extract(sinsp_evt *evt, OUT uint32_t* len, boo
 	switch(m_field_id)
 	{
 	case TYPE_UID:
-		RETURN_EXTRACT_VAR(tinfo->m_user.uid);
+		RETURN_EXTRACT_VAR(tinfo->m_user->uid);
 	case TYPE_NAME:
-		RETURN_EXTRACT_CSTR(tinfo->m_user.name);
+		RETURN_EXTRACT_STRING(tinfo->m_user->name);
 	case TYPE_HOMEDIR:
-		RETURN_EXTRACT_CSTR(tinfo->m_user.homedir);
+		RETURN_EXTRACT_STRING(tinfo->m_user->homedir);
 	case TYPE_SHELL:
-		RETURN_EXTRACT_CSTR(tinfo->m_user.shell);
+		RETURN_EXTRACT_STRING(tinfo->m_user->shell);
 	case TYPE_LOGINUID:
 		m_s64val = (int64_t)-1;
-		if(tinfo->m_loginuser.uid < UINT32_MAX)
+		if(tinfo->m_loginuser->uid < UINT32_MAX)
 		{
-			m_s64val = (int64_t)tinfo->m_loginuser.uid;
+			m_s64val = (int64_t)tinfo->m_loginuser->uid;
 		}
 		RETURN_EXTRACT_VAR(m_s64val);
 	case TYPE_LOGINNAME:
-		RETURN_EXTRACT_CSTR(tinfo->m_loginuser.name);
+		RETURN_EXTRACT_STRING(tinfo->m_loginuser->name);
 	default:
 		ASSERT(false);
 		break;
@@ -6237,9 +6237,9 @@ uint8_t* sinsp_filter_check_group::extract(sinsp_evt *evt, OUT uint32_t* len, bo
 	switch(m_field_id)
 	{
 	case TYPE_GID:
-		RETURN_EXTRACT_VAR(tinfo->m_group.gid);
+		RETURN_EXTRACT_VAR(tinfo->m_group->gid);
 	case TYPE_NAME:
-		RETURN_EXTRACT_CSTR(tinfo->m_group.name);
+		RETURN_EXTRACT_STRING(tinfo->m_group->name);
 	default:
 		ASSERT(false);
 		break;

userspace/libsinsp/parsers.cpp

@@ -1611,9 +1611,9 @@ void sinsp_parser::parse_clone_exit_caller(sinsp_evt *evt, int64_t child_tid)
 	/* Refresh user / loginuser / group */
 	if(child_tinfo->m_container_id.empty() == false)
 	{
-		child_tinfo->set_user(child_tinfo->m_user.uid);
-		child_tinfo->set_loginuser(child_tinfo->m_loginuser.uid);
-		child_tinfo->set_group(child_tinfo->m_group.gid);
+		child_tinfo->set_user(child_tinfo->m_user->uid);
+		child_tinfo->set_loginuser(child_tinfo->m_loginuser->uid);
+		child_tinfo->set_group(child_tinfo->m_group->gid);
 	}
 
 	/* If there's a listener, invoke it */
@@ -2159,9 +2159,9 @@ void sinsp_parser::parse_clone_exit_child(sinsp_evt *evt)
 	/* Refresh user / loginuser / group */
 	if(child_tinfo->m_container_id.empty() == false)
 	{
-		child_tinfo->set_user(child_tinfo->m_user.uid);
-		child_tinfo->set_loginuser(child_tinfo->m_loginuser.uid);
-		child_tinfo->set_group(child_tinfo->m_group.gid);
+		child_tinfo->set_user(child_tinfo->m_user->uid);
+		child_tinfo->set_loginuser(child_tinfo->m_loginuser->uid);
+		child_tinfo->set_group(child_tinfo->m_group->gid);
 	}
 
 	//
@@ -2705,7 +2705,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
 	if(evt->get_num_params() > 26)
 	{
 		parinfo = evt->get_param(26);
-		evt->m_tinfo->m_user.uid = *(uint32_t *)parinfo->m_val;
+		evt->m_tinfo->m_user->uid = *(uint32_t *)parinfo->m_val;
 	}
 
 	//
@@ -2747,9 +2747,9 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
 	//
 	if(container_id != evt->m_tinfo->m_container_id)
 	{
-		evt->m_tinfo->set_user(evt->m_tinfo->m_user.uid);
-		evt->m_tinfo->set_loginuser(evt->m_tinfo->m_loginuser.uid);
-		evt->m_tinfo->set_group(evt->m_tinfo->m_group.gid);
+		evt->m_tinfo->set_user(evt->m_tinfo->m_user->uid);
+		evt->m_tinfo->set_loginuser(evt->m_tinfo->m_loginuser->uid);
+		evt->m_tinfo->set_group(evt->m_tinfo->m_group->gid);
 	}
 
 	//
@@ -6388,9 +6388,9 @@ void sinsp_parser::parse_chroot_exit(sinsp_evt *evt)
 		//
 		if(container_id != evt->m_tinfo->m_container_id)
 		{
-			evt->m_tinfo->set_user(evt->m_tinfo->m_user.uid);
-			evt->m_tinfo->set_loginuser(evt->m_tinfo->m_loginuser.uid);
-			evt->m_tinfo->set_group(evt->m_tinfo->m_group.gid);
+			evt->m_tinfo->set_user(evt->m_tinfo->m_user->uid);
+			evt->m_tinfo->set_loginuser(evt->m_tinfo->m_loginuser->uid);
+			evt->m_tinfo->set_group(evt->m_tinfo->m_group->gid);
 		}
 	}
 }

userspace/libsinsp/sinsp.cpp

@@ -115,6 +115,7 @@ sinsp::sinsp(bool static_container, const std::string &static_id, const std::str
 	m_isfatfile_enabled = false;
 	m_isinternal_events_enabled = false;
 	m_hostname_and_port_resolution_enabled = false;
+	m_user_details_enabled = true;
 	m_output_time_flag = 'h';
 	m_max_evt_output_len = 0;
 	m_filesize = -1;
@@ -2145,6 +2146,11 @@ void sinsp::set_hostname_and_port_resolution_mode(bool enable)
 	m_hostname_and_port_resolution_enabled = enable;
 }
 
+void sinsp::set_user_details(bool enable)
+{
+	m_user_details_enabled = enable;
+}
+
 void sinsp::set_max_evt_output_len(uint32_t len)
 {
 	m_max_evt_output_len = len;

userspace/libsinsp/sinsp.h

@@ -762,6 +762,18 @@ class SINSP_PUBLIC sinsp : public capture_stats_source
 	*/
 	void set_hostname_and_port_resolution_mode(bool enable);
 
+	/*!
+	  \brief Set whether to store user details.
+
+	  \note By default thread information is enriched with the full set of user
+	   information, i.e. name, homedir, shell, group name. The parameter
+	   controls this behavior, an can be used to reduce memory footprint.
+
+	  \param enable If set to false, no extended user information will be
+	   stored in sinsp_threadinfo, only user id/group id will be available.
+	*/
+	void set_user_details(bool enable);
+
 	/*!
 	  \brief Set the runtime flag for resolving the timespan in a human
 	   readable mode.
@@ -1116,6 +1128,7 @@ VISIBILITY_PRIVATE
 	bool m_isfatfile_enabled;
 	bool m_isinternal_events_enabled;
 	bool m_hostname_and_port_resolution_enabled;
+	bool m_user_details_enabled;
 	char m_output_time_flag;
 	uint32_t m_max_evt_output_len;
 	bool m_compress;

userspace/libsinsp/threadinfo.cpp

@@ -155,9 +155,9 @@ void sinsp_threadinfo::init()
 	m_exe_ino_ctime_duration_clone_ts = 0;
 	m_exe_ino_ctime_duration_pidns_start = 0;
 
-	memset(&m_user, 0, sizeof(scap_userinfo));
-	memset(&m_group, 0, sizeof(scap_groupinfo));
-	memset(&m_loginuser, 0, sizeof(scap_userinfo));
+	m_user = std::make_shared<sinsp_userinfo>();
+	m_loginuser = std::make_shared<sinsp_userinfo>();
+	m_group = std::make_shared<sinsp_groupinfo>();
 }
 
 sinsp_threadinfo::~sinsp_threadinfo()
@@ -574,19 +574,32 @@ void sinsp_threadinfo::set_user(uint32_t uid)
 	if (!user)
 	{
 		auto notify = m_inspector->is_live() || m_inspector->is_syscall_plugin();
-		user = m_inspector->m_usergroup_manager.add_user(m_container_id, m_pid, uid, m_group.gid, NULL, NULL, NULL, notify);
+		user = m_inspector->m_usergroup_manager.add_user(m_container_id, m_pid, uid, m_group->gid, NULL, NULL, NULL, notify);
 	}
+
 	if (user)
 	{
-		memcpy(&m_user, user, sizeof(scap_userinfo));
+		m_user->uid = user->uid;
+		m_user->gid = m_group->gid;
+
+		if (m_inspector->m_user_details_enabled)
+		{
+			m_user->name.assign(user->name, sizeof(user->name));
+			m_user->homedir.assign(user->homedir, sizeof(user->homedir));
+			m_user->shell.assign(user->shell, sizeof(user->shell));
+		}
 	}
 	else
 	{
-		m_user.uid = uid;
-		m_user.gid = m_group.gid;
-		strlcpy(m_user.name, (uid == 0) ? "root" : "<NA>", sizeof(m_user.name));
-		strlcpy(m_user.homedir, (uid == 0) ? "/root" : "<NA>", sizeof(m_user.homedir));
-		strlcpy(m_user.shell, "<NA>", sizeof(m_user.shell));
+		m_user->uid = uid;
+		m_user->gid = m_group->gid;
+
+		if (m_inspector->m_user_details_enabled)
+		{
+			m_user->name = (uid == 0) ? "root" : "<NA>";
+			m_user->homedir = (uid == 0) ? "/root" : "<NA>";
+			m_user->shell = "<NA>";
+		}
 	}
 }
 
@@ -600,30 +613,51 @@ void sinsp_threadinfo::set_group(uint32_t gid)
 	}
 	if (group)
 	{
-		memcpy(&m_group, group, sizeof(scap_groupinfo));
+		m_group->gid = group->gid;
+
+		if (m_inspector->m_user_details_enabled)
+		{
+			m_group->name.assign(group->name, sizeof(group->name));
+		}
 	}
 	else
 	{
-		m_group.gid = gid;
-		strlcpy(m_group.name, (gid == 0) ? "root" : "<NA>", sizeof(m_group.name));
+		m_group->gid = gid;
+		if (m_inspector->m_user_details_enabled)
+		{
+			m_group->name = (gid == 0) ? "root" : "<NA>";
+		}
 	}
-	m_user.gid = m_group.gid;
+	m_user->gid = m_group->gid;
 }
 
 void sinsp_threadinfo::set_loginuser(uint32_t loginuid)
 {
 	scap_userinfo *login_user = m_inspector->m_usergroup_manager.get_user(m_container_id, loginuid);
+
 	if (login_user)
 	{
-		memcpy(&m_loginuser, login_user, sizeof(scap_userinfo));
+		m_loginuser->uid = login_user->uid;
+		m_loginuser->gid = m_group->gid;
+
+		if (m_inspector->m_user_details_enabled)
+		{
+			m_loginuser->name.assign(login_user->name, sizeof(login_user->name));
+			m_loginuser->homedir.assign(login_user->homedir, sizeof(login_user->homedir));
+			m_loginuser->shell.assign(login_user->shell, sizeof(login_user->shell));
+		}
 	}
 	else
 	{
-		m_loginuser.uid = loginuid;
-		m_loginuser.gid = m_group.gid;
-		strlcpy(m_loginuser.name, loginuid == 0 ? "root" : "<NA>", sizeof(m_loginuser.name));
-		strlcpy(m_loginuser.homedir, loginuid == 0  ? "/root" : "<NA>", sizeof(m_loginuser.homedir));
-		strlcpy(m_loginuser.shell, "<NA>", sizeof(m_loginuser.shell));
+		m_loginuser->uid = loginuid;
+		m_loginuser->gid = m_group->gid;
+
+		if (m_inspector->m_user_details_enabled)
+		{
+			m_loginuser->name = loginuid == 0 ? "root" : "<NA>";
+			m_loginuser->homedir = loginuid == 0  ? "/root" : "<NA>";
+			m_loginuser->shell = "<NA>";
+		}
 	}
 }
 
@@ -1945,8 +1979,8 @@ void sinsp_thread_manager::thread_to_scap(sinsp_threadinfo& tinfo, 	scap_threadi
 
 	sctinfo->flags = tinfo.m_flags ;
 	sctinfo->fdlimit = tinfo.m_fdlimit;
-	sctinfo->uid = tinfo.m_user.uid;
-	sctinfo->gid = tinfo.m_group.gid;
+	sctinfo->uid = tinfo.m_user->uid;
+	sctinfo->gid = tinfo.m_group->gid;
 	sctinfo->vmsize_kb = tinfo.m_vmsize_kb;
 	sctinfo->vmrss_kb = tinfo.m_vmrss_kb;
 	sctinfo->vmswap_kb = tinfo.m_vmswap_kb;
@@ -1955,7 +1989,7 @@ void sinsp_thread_manager::thread_to_scap(sinsp_threadinfo& tinfo, 	scap_threadi
 	sctinfo->vtid = tinfo.m_vtid;
 	sctinfo->vpid = tinfo.m_vpid;
 	sctinfo->fdlist = NULL;
-	sctinfo->loginuid = tinfo.m_loginuser.uid;
+	sctinfo->loginuid = tinfo.m_loginuser->uid;
 	sctinfo->filtered_out = false;
 }
 
@@ -2181,9 +2215,9 @@ threadinfo_map_t::ptr_t sinsp_thread_manager::get_thread_ref(int64_t tid, bool q
             newti->m_not_expired_children = 0;
             newti->m_comm = "<NA>";
             newti->m_exe = "<NA>";
-            newti->m_user.uid = 0xffffffff;
-            newti->m_group.gid = 0xffffffff;
-            newti->m_loginuser.uid = 0xffffffff;
+            newti->m_user->uid = 0xffffffff;
+            newti->m_group->gid = 0xffffffff;
+            newti->m_loginuser->uid = 0xffffffff;
         }
 
         //

userspace/libsinsp/threadinfo.h

@@ -72,6 +72,21 @@ class SINSP_PUBLIC sinsp_threadinfo: public libsinsp::state::table_entry
 {
 
 public:
+	typedef struct sinsp_userinfo
+	{
+		uint32_t uid; ///< User ID
+		uint32_t gid; ///< Group ID
+		std::string name; ///< Username
+		std::string homedir; ///< Home directory
+		std::string shell; ///< Shell program
+	} sinsp_userinfo;
+
+	typedef struct sinsp_groupinfo
+	{
+		uint32_t gid; ///< Group ID
+		std::string name; ///< Group name
+	} sinsp_groupinfo;
+
 	sinsp_threadinfo(
 		sinsp *inspector = nullptr,
 		std::shared_ptr<libsinsp::state::dynamic_struct::field_infos> dyn_fields = nullptr);
@@ -419,9 +434,9 @@ class SINSP_PUBLIC sinsp_threadinfo: public libsinsp::state::table_entry
 	std::string m_container_id; ///< heuristic-based container id
 	uint32_t m_flags; ///< The thread flags. See the PPM_CL_* declarations in ppm_events_public.h.
 	int64_t m_fdlimit;  ///< The maximum number of FDs this thread can open
-	scap_userinfo m_user; ///< user infos
-	scap_userinfo m_loginuser; ///< loginuser infos (auid)
-	scap_groupinfo m_group; ///< group infos
+	std::shared_ptr<sinsp_userinfo> m_user; ///< user infos
+	std::shared_ptr<sinsp_userinfo> m_loginuser; ///< loginuser infos (auid)
+	std::shared_ptr<sinsp_groupinfo> m_group; ///< group infos
 	uint64_t m_cap_permitted; ///< permitted capabilities
 	uint64_t m_cap_effective; ///< effective capabilities
 	uint64_t m_cap_inheritable; ///< inheritable capabilities