Identifying kernel threads


Problem description

I'd like to know how I can distinguish a kernel-thread from a user-thread for a process-scanner I'm building. I'm having a hard time finding a good definition of both types.

I found that kernel-threads don't have memory of their own, so no Vm* values in /proc/$pid/status, and that a stat on /proc/$pid/exe does not return anything.

So, I figured I could identify kernel threads if a process has no Vm* values and no inode number. I figured wrong... my script sees php-cgi processes that are identified as kernel processes sometimes.

I found that most of those wrongly identified processes are zombies that are gone a second later. So I implemented a simple check to see if the status is "Z". If so, ignore it. That saved me a lot of false positives, but still I receive messages about php-cgi kernel-processes.

Can anyone tell me how I can distinguish a kernel-thread from a user-thread the right way?

Solution

There are some visible differences between a kernel thread and a user-space thread:

  • /proc/$pid/cmdline is empty for kernel threads - this is the method used by ps and top to distinguish kernel threads.

  • The /proc/$pid/exe symbolic link has no target for kernel threads - which makes sense since they do not have a corresponding executable on the filesystem.

    More specifically, the readlink() system call returns ENOENT ("No such file or directory"), despite the fact that the link itself exists, to denote the fact that the executable for this process does not exist (and never did).

    Therefore, a reliable way to check for kernel threads should be to call readlink() on /proc/$pid/exe and check its return code. If it succeeds then $pid is a user process. If it fails with ENOENT, then an extra stat() on /proc/$pid/exe should tell apart the case of a kernel thread from a process that has just terminated.

  • /proc/$pid/status is missing several fields for most kernel threads - more specifically a few fields related to virtual memory.
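
The readlink() check described in this answer, as an added example that is not part of the original answer. It uses lstat() rather than stat() so that the link itself is examined, and applies the "Z" state check from the question; the names `classify` and `proc_state` and the injectable `readlink`/`lstat`/`state` parameters are assumptions made for illustration.

```python
import errno
import os

def proc_state(pid, proc="/proc"):
    """One-letter state from <proc>/<pid>/stat, or None if unreadable."""
    try:
        with open(f"{proc}/{pid}/stat") as f:
            # The state field follows the ")" that closes the command name.
            return f.read().rsplit(")", 1)[1].split()[0]
    except (OSError, IndexError):
        return None

def classify(pid, readlink=os.readlink, lstat=os.lstat, state=proc_state):
    """Return 'user', 'kernel', 'zombie', 'gone' or 'unknown' for pid."""
    exe = f"/proc/{pid}/exe"
    try:
        readlink(exe)
        return "user"          # the link has a target: user-space process
    except OSError as e:
        if e.errno != errno.ENOENT:
            return "unknown"   # e.g. EACCES when the scanner lacks privilege
    try:
        lstat(exe)             # lstat: examine the link itself, not its target
    except OSError:
        return "gone"          # /proc/<pid> vanished: the process terminated
    # The link exists but has no target. The question reports zombies being
    # misclassified at this point, so apply its "Z" state check.
    st = state(pid)
    if st is None:
        return "gone"          # exited between the lstat() and the state read
    return "zombie" if st == "Z" else "kernel"

if __name__ == "__main__":
    for name in sorted(filter(str.isdigit, os.listdir("/proc")), key=int):
        print(name, classify(int(name)))
```

A scanner that gets "unknown" for most PIDs is running without enough privilege to read other users' /proc/$pid/exe links and should not treat those processes as kernel threads.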
