Molo nonke, sabelana nani ngenxalenye yesibini yoshicilelo ethi “Iinkqubo zeefayile ze-Virtual kwi Linux: Kutheni zifuneka kwaye zisebenza njani? Inxalenye yokuqala ingafundwa . Masikukhumbuze ukuba olu ngcelele lweempapasho lubekwe ixesha lokuhambelana nokuqaliswa komlambo omtsha kwikhosi. , eqala ngokukhawuleza.
Uyijonga njani iVFS usebenzisa izixhobo ze-eBPF kunye ne-bcc
Eyona ndlela ilula yokuqonda ukuba i-kernel isebenza njani kwiifayile sysfs kukubona xa usebenza, kwaye eyona ndlela ilula yokuyibukela i-ARM64 kukusebenzisa i-eBPF. I-eBPF (ifutshane kwi-Berkeley Packet Filter) iquka umatshini wenyani osebenzayo , abasebenzisi abanethamsanqa banokucela (query) ukusuka kumgca womyalelo. Imithombo ye-kernel ixelela umfundi ukuba i-kernel inokwenza ntoni; ukusebenzisa izixhobo ze-eBPF kwindlela elayishiweyo kubonisa ukuba ikernel yenza ntoni kanye kanye.

Ngethamsanqa, ukuqalisa ukusebenzisa i-eBPF kulula kakhulu ngoncedo lwezixhobo , ezifumaneka njengepakethe ukusuka kunikezelo jikelele kwaye ibhalwe ngokweenkcukacha . Izixhobo bcc Zizikripthi zePython ezinofakelo oluncinci lwekhowudi ye-C, okuthetha ukuba nabani na oqheleneyo nazo zombini iilwimi unokuziguqula ngokulula. IN bcc/tools Kukho imibhalo yePython engama-80, nto leyo ethetha ukuba kusenokwenzeka ukuba umphuhlisi okanye umlawuli wenkqubo uya kukwazi ukukhetha into efanelekileyo yokusombulula ingxaki.
Ukufumana ubuncinci umbono ongaphezulu wokuba yintoni umsebenzi weVFSs owenzayo kwinkqubo esebenzayo, zama vfscount okanye vfsstat. Oku kuya kubonisa, masithi, ukuba iminxeba emininzi vfs_open() kwaye "abahlobo bakhe" zenzeka ngokoqobo umzuzwana ngamnye.

vfsstat.pysiscript sePython esinofakelo lwekhowudi ye-C ebala ngokulula iifowuni zeVFS.
Makhe sinike umzekelo ongento yanto kwaye sibone ukuba kwenzeka ntoni xa sifaka i-USB flash drive kwikhompyuter kwaye inkqubo iyibhaqe.

Ukusebenzisa i-eBPF unokubona okwenzekayo kuyo
/sysxa i-USB flash drive ifakiwe. Umzekelo olula nontsokothileyo ubonisiwe apha.
Kumzekelo oboniswe ngasentla, bcc isixhobo ishicilela umyalezo xa umyalelo uqhutywa sysfs_create_files(). Siyayibona loo nto sysfs_create_files() yaqaliswa kusetyenziswa kworker umsinga ekuphenduleni into yokuba i-flash drive ifakiwe, kodwa yeyiphi ifayile eyadalwa? Umzekelo wesibini ubonisa amandla e-eBPF. Apha trace.py Shicilela umva wekernel (-K ukhetho) kunye negama lefayile eyenziweyo sysfs_create_files(). Ufakelo lwengxelo enye yikhowudi engu-C equka umtya wefomati ophawuleka ngokulula onikezwe ngumbhalo wePython osebenzisa iLLVM. nje-ngexesha compiler. Iqokelela lo mgca kwaye iwuphumeze kumatshini wenyani ngaphakathi kwekernel. Utyikityo lomsebenzi opheleleyo sysfs_create_files () kufuneka iveliswe kwakhona kumyalelo wesibini ukuze umtya wefomathi ubhekisele kwenye yeeparamitha. Iimpazamo kwesi siqwenga sekhowudi C zikhokelela kwiimpazamo ezibonakalayo ezivela kumqokeleli weC. Umzekelo, ukuba i-parameter ayifakwanga, uya kubona "Ayiphumelelanga ukuqulunqa iteksti ye-BPF." Abaphuhlisi abaqhelana neC kunye nePython baya kufumana izixhobo bcc kulula ukwandisa kunye nokutshintsha.
Xa i-USB drive ifakiwe, i-kernel backtrace iya kubonisa ukuba i-PID 7711 yintambo. kworkereyenza ifayile «events» в sysfs. Ngokufanelekileyo, umnxeba ovela sysfs_remove_files() iya kubonisa ukuba ukususa i-drive kubangele ukuba ifayile icinywe events, ehambelana nengqiqo jikelele yokubala ireferensi. Ngexesha elifanayo, ukujonga sysfs_create_link () nge-eBPF ngelixa ufaka i-USB drive iya kubonisa ukuba ubuncinane amakhonkco angama-48 enziwe.
Ngoko yintoni inqaku lefayile yeziganeko? Ukusetyenziswa Ukukhangela , ibonisa ukuba ibangela ntoni disk_add_events (), kwaye nokuba "media_change", okanye "eject_request" inokurekhodwa kwifayile yesiganeko. Apha umaleko we-kernel block wazisa indawo yomsebenzisi ukuba "idiski" ivele kwaye yakhutshwa. Qaphela ukuba inolwazi kangakanani le ndlela yophando ngokufaka i-USB drive, xa kuthelekiswa nokuzama ukufumanisa ukuba izinto zisebenza njani ukusuka kumthombo.
Iinkqubo zeefayili eziziingcambu ezifundwayo kuphela zenza izixhobo ezizinzisiweyo
Ewe kunjalo, akukho mntu ucima iseva okanye ikhompyuter yakhe ngokutsala iplagi kwisokethi. Kodwa kutheni? Oku kungenxa yokuba iinkqubo zefayile ezinyusiweyo kwizixhobo zogcino lwenyama zinokubhala zishiywe lixesha, kwaye izakhiwo zedatha ezirekhoda imeko yazo zisenokungadityaniswa nokubhala kugcino. Xa oku kusenzeka, abanini benkqubo kufuneka balinde de ibe yinkqubo elandelayo yokuqalisa into eluncedo. fsck filesystem-recovery kwaye, kwimeko embi kakhulu, ukulahlekelwa idatha.
Nangona kunjalo, sonke siyazi ukuba izixhobo ezininzi ze-IoT, kunye nee-routers, ii-thermostats kunye neemoto, ngoku ziyasebenza. LinuxUninzi lwezi zixhobo alunawo ujongano lomsebenzisi, kwaye akukho ndlela yokuzicima kakuhle. Khawuthelekelele uqala imoto enebhetri engasebenziyo xa amandla esixhobo sokulawula ecinyiwe. ehlala exhuma-xhuma. Kwenzeka njani ukuba inkqubo iqale ngaphandle kwexesha elide fsckiqala nini ukusebenza injini ekugqibeleni? Kwaye impendulo ilula. Izixhobo ezizinzisiweyo zixhomekeke kwinkqubo yefayile yengcambu (efinyeziwe ro-rootfs (funda-kuphela ingcambu yenkqubo yefayile)).
ro-rootfs zibonelela ngeenzuzo ezininzi ezingacacanga kangako kunobunyani. Enye inzuzo kukuba i-malware ayikwazi ukubhalela /usr okanye /lib, ukuba akukho nkqubo Linux andinakukwazi ukuyibhalela. Enye into kukuba inkqubo yefayile engaguqukiyo ibalulekile ekuxhaseni izixhobo ezikude, kuba abasebenzi benkxaso basebenzisa iinkqubo zasekuhlaleni ezifana kakhulu neenkqubo ezikwindawo. Mhlawumbi eyona nzuzo ibalulekileyo (kodwa ikwayeyona ifihlakeleyo) kukuba i-ro-rootfs inyanzela abaphuhlisi ukuba bagqibe ukuba zeziphi izinto zenkqubo eziya kuguqulwa kwasekuqaleni kuyilo lwenkqubo. Ukusebenza nge-ro-rootfs kunokuba nzima kwaye kube buhlungu, njengoko kusoloko kunjalo kwiinguqu ze-const kwiilwimi zeprogram, kodwa iingenelo zayo zidlula ngokulula iindleko ezongezelelweyo.
Indalo rootfs Ukusebenza kokufunda kuphela kufuna umgudu owongezelelweyo kubaphuhlisi abafakelweyo, kwaye kulapho i-VFS ingena khona. Linux ifuna ukuba iifayile zibe /var bezibhaleka, kwaye ukongeza, izicelo ezininzi ezidumileyo ezisebenzisa iindlela ezilungisiweyo ziyakuzama ukwenza uqwalaselo dot-files в $HOME. Isisombululo esinye seefayile zoqwalaselo kulawulo lwasekhaya kuqhelekile ukuvelisa ngaphambili kunye nokwakha kuzo rootfs... Kuba /var Enye indlela enokwenzeka kukuyixhoma kwisahlulelo esibhaliweyo esahlukileyo, ngelixa / inyuswe yokufunda kuphela. Enye indlela edumileyo kukusebenzisa i-binding okanye ii-overlay.
Ukunyuswa okudityanisiweyo kunye nokupakishwayo, ukusetyenziswa kwazo zizikhongozeli
Ukuphunyezwa komyalelo man mount yeyona ndlela ingcono yokufunda malunga nokubopheleka nokuxhoma okukwalekekayo, okunika ababhekisi phambili kunye nabalawuli benkqubo ukukwazi ukwenza inkqubo yefayile kwindlela enye kwaye emva koko uyiveze kwizicelo kwenye. Kwiinkqubo ezizinzisiweyo, oku kuthetha ukukwazi ukugcina iifayile ngaphakathi /var kwi-flash drive efundwayo kuphela, kodwa isigqubuthelo okanye indlela yentaba eqhagamshekayo ukusuka tmpfs в /var xa ulayisha, iyakuvumela izicelo ukuba zibhale amanqaku apho (scrawl). Kwixesha elizayo xa uvula utshintsho kwi /var uya kulahleka. Intaba eyalekeneyo yenza umanyano phakathi tmpfs kunye nenkqubo yefayile esezantsi kwaye ikuvumela ukuba wenze utshintsho olubonakalayo kwiifayile ezikhoyo ro-tootf ngelixa intaba ebophekayo inokwenza ezintsha zingabi nanto tmpfs iziqulathi zeefayili ezibonakalayo njengoko zibhalwayo ngaphakathi ro-rootfs iindlela. Ngelixa overlayfs le yeyona ilungileyo (proper) uhlobo lwesixokelelwano sefayile, intaba ebophelelayo iphunyeziwe .
Ngokusekwe kwinkcazo yokwaleka kunye nentaba enokuqhagamshelwana nayo, akukho mntu umangaliswayo kukuba zisetyenziswa ngenkuthalo. Makhe sibone ukuba kwenzeka ntoni xa sisebenzisa ukuqhuba isikhongozeli usebenzisa isixhobo mountsnoop ukusuka bcc.
Mngeni system-nspawn iqala isikhongozeli ngelixa ibaleka mountsnoop.py.
Makhe sibone ukuba kwenzeke ntoni:
Qalisa mountsnoop Ngelixa isikhongozeli "siqalisa" sibonisa ukuba ixesha lokuqhuba lesikhongozeli lixhomekeke kakhulu kwintaba edityanisiweyo (Kuphela isiqalo sesiphumo eside sibonisiwe).
kuyinto systemd-nspawn inikeza iifayile ezikhethiweyo kwi procfs и sysfs ngenisa isikhongozeli njengeendlela eziya kuyo rootfs... Ngaphandle koko MS_BIND iflegi emisela intaba ebophelelayo, ezinye iiflegi entabeni zichaza unxulumano phakathi kotshintsho kumamkeli kunye nezithuba zamagama zesikhongozeli. Umzekelo, intaba edityanisiweyo inokutsiba utshintsho ukuya /proc и /sys kwisikhongozeli, okanye uzifihle ngokuxhomekeke kwifowuni.
isiphelo
Ukuqonda ulwakhiwo lwangaphakathi Linux ingabonakala ngathi ngumsebenzi ongenakwenzeka, kuba i-kernel ngokwayo inekhowudi eninzi, ishiya ecaleni usetyenziso lwesithuba somsebenzisi Linux kunye neendawo zokunxibelelana ngefowuni yenkqubo kwiilayibrari ze-C ezifana glibc. Enye indlela yokwenza inkqubela kukufunda ikhowudi yemvelaphi ye-kernel subsystem, kunye nogxininiso kwiifowuni zenkqubo yokuqonda kunye nentloko yendawo yomsebenzisi, kunye nojongano oluphambili lwekernel lwangaphakathi, olufana netafile. file_operations. Imisebenzi yefayile ibonelela ngomgaqo othi "yonke into yifayile", nto leyo eyenza ukuba kube mnandi kakhulu ukuyilawula. Iifayile zemvelaphi ye-kernel kwinqanaba eliphezulu fs/ imele ukuphunyezwa kweenkqubo zefayile ezibonakalayo, ezilulwelo olugubungelayo olubonelela ngokuhambelana okubanzi nokulula phakathi kweenkqubo zefayile ezidumileyo kunye nezixhobo zokugcina. Ukufakela ngokudibanisa nokugquma ngeendawo zamagama Linux — ngumlingo we-VFS owenza kube nokwenzeka ukwenza izikhongozeli kunye neenkqubo zefayile yeengcambu zokufunda kuphela. Idityaniswe nophando lwekhowudi yomthombo, isixhobo se-eBPF kernel kunye nojongano lwaso. bcc
ukwenza uphononongo olungundoqo lube lula kunangaphambili.
Zihlobo, ndaziseni ukuba eli nqaku libe luncedo kuni. Mhlawumbi ninezimvo okanye iingcebiso? Kwaye kwabo banomdla kwikhosi ethi "Administrator", Linux", siyakumema ukuba , eya kuba ngoAprili 18.
umthombo: www.habr.com
