Wavefront and Solaris 04: /proc
03 March 2017

Previously on Twin Peaks

After some amount of work, I have very useful Solaris-specific Wavefront dashboards. Most of the metrics come from kstats, so they’re low overhead, and give deep, accurate introspection. For instance, here’s network traffic out of all zones on a single host, courtesy of my SunOS Network Collector.

But, kstats consider the kernel’s view of the system as a whole, and sometimes it’s handy to have a finer-grained view than that.

So, in this episode, I’m going to write something about how I use Solaris’s /proc filesystem to produce process-specific metrics.

Linux /proc is a mess. Who knows what’s in there. Solaris /proc isn’t. It’s very clean, consistent, and, of course, well documented. man -s4 proc will tell you all you need to know.

What the /proc?

You likely know that /proc contains one directory for each process in the system. The name of the directory is the PID of the process. Let’s have a look at one.

$ ls -l /proc/$$
-rw-------   1 rob      sysadmin 5877760 Mar  3 14:15 as
-r--------   1 rob      sysadmin     336 Mar  3 14:15 auxv
dr-x------   2 rob      sysadmin      32 Mar  3 14:15 contracts
-r--------   1 rob      sysadmin      32 Mar  3 14:15 cred
--w-------   1 rob      sysadmin       0 Mar  3 14:15 ctl
lr-x------   1 rob      sysadmin       0 Mar  3 14:15 cwd ->
dr-x------   2 rob      sysadmin     272 Mar  3 14:15 fd
-r--------   1 rob      sysadmin       0 Mar  3 14:15 ldt
-r--r--r--   1 rob      sysadmin     192 Mar  3 14:15 lpsinfo
-r--------   1 rob      sysadmin    1328 Mar  3 14:15 lstatus
-r--r--r--   1 rob      sysadmin    1072 Mar  3 14:15 lusage
dr-xr-xr-x   3 rob      sysadmin      64 Mar  3 14:15 lwp
-r--------   1 rob      sysadmin    2600 Mar  3 14:15 map
dr-x------   2 rob      sysadmin     544 Mar  3 14:15 object
-r--------   1 rob      sysadmin    4176 Mar  3 14:15 pagedata
dr-x------   2 rob      sysadmin     816 Mar  3 14:15 path
-r--------   1 rob      sysadmin      72 Mar  3 14:15 priv
-r--------   1 rob      sysadmin       0 Mar  3 14:15 prune
-r--r--r--   1 rob      sysadmin     440 Mar  3 14:15 psinfo
-r--------   1 rob      sysadmin    2600 Mar  3 14:15 rmap
lr-x------   1 rob      sysadmin       0 Mar  3 14:15 root ->
-r--------   1 rob      sysadmin    2304 Mar  3 14:15 sigact
-r--------   1 rob      sysadmin    1680 Mar  3 14:15 status
-r--r--r--   1 rob      sysadmin     504 Mar  3 14:15 usage
-r--------   1 rob      sysadmin       0 Mar  3 14:15 watch
-r--------   1 rob      sysadmin   40824 Mar  3 14:15 xmap

Unlike Linux, Solaris’s /proc directory doesn’t present all that much from a simple ls. Beyond the user and group the process runs as, there’s not a lot of information at all. The timestamps on the files are the time the process was launched. Also unlike Linux, none of those files can be usefully accessed with simple tools like cat. Instead of just catting things, you’re expected to use tools like pmap or pstack, which are consumers of these binary structures. This is fine, and if we were writing instrumentation in C, as nature intended, it would be trivially easy to read and use them.

But, I’m writing a collector for Diamond, which means Python. And, as this article will surely show, I’m not much of a Python programmer.

One of the things I like about /proc is the careful use of file permissions. Look at the example above and consider

$ ls -ld /proc/$$
dr-x--x--x   5 rob      sysadmin     928 Mar  3 14:15 /proc/2208

Only a process owner can list the directories, and see other senstive information. But the “other” execute bit is set on the directory, and some files are world-readable. So if we’re even a little bit clever, our unprivileged Diamond process should be able to see all system processes.

First, I needed to decide what information I wanted. /proc gives way more detail, particularly on LWPs, than I’m interested in. What I want, at least for now, is a prstat style thing which reports the CPU and memory consumption of running processes. I’d like to be able to aggregate and filter that on process name, PID, and the zone in which the process runs.

After a bit of thought I decided to put the process name in the metric path, then to tag each point with the PID of the process and its zone. Tagging by PID forces Wavefront to separate multiple processes with the same executable name, but it’s trivial to wrap them in a sum(), or group them by metric path if need be. (There’s an argument for dumping the whole lot on the same path and having the exec name also be a tag, but this seemed more natural to me, and I was worried about having too many tags on the same path.) When I first started writing my Solaris collectors, I put the zone name in the metric path, but it never quite seemed right having to force global into things where it didn’t really belong. So, zone name is always a tag now. More tags. Tags are good. It’s possible that the PID tag could end up being of too high cardinality, but I don’t see much alternative. We’ll see how it goes.

The proc(4) man page gives you the layout of the /proc data structures, and they’re also in /usr/include/sys/procfs.h, with a little bit more annotation. From that file, here’s psinfo

#define PRARGSZ   80  /* number of chars of arguments */
typedef struct psinfo {
  int pr_flag;              /* process flags (DEPRECATED; do not use) */
  int pr_nlwp;              /* number of active lwps in the process */
  pid_t pr_pid;             /* unique process id */
  pid_t pr_ppid;            /* process id of parent */
  pid_t pr_pgid;            /* pid of process group leader */
  pid_t pr_sid;             /* session id */
  uid_t pr_uid;             /* real user id */
  uid_t pr_euid;            /* effective user id */
  gid_t pr_gid;             /* real group id */
  gid_t pr_egid;            /* effective group id */
  uintptr_t pr_addr;        /* address of process */
  size_t  pr_size;          /* size of process image in Kbytes */
  size_t  pr_rssize;        /* resident set size in Kbytes */
  size_t  pr_pad1;
  dev_t pr_ttydev;          /* controlling tty device (or PRNODEV) */

      /* The following percent numbers are 16-bit binary */
      /* fractions [0 .. 1] with the binary point to the */
      /* right of the high-order bit (1.0 == 0x8000) */

  ushort_t pr_pctcpu;       /* % of recent cpu time used by all lwps */
  ushort_t pr_pctmem;       /* % of system memory used by process */
  timestruc_t pr_start;     /* process start time, from the epoch */
  timestruc_t pr_time;      /* usr+sys cpu time for this process */
  timestruc_t pr_ctime;     /* usr+sys cpu time for reaped children */
  char  pr_fname[PRFNSZ];   /* name of execed file */
  char  pr_psargs[PRARGSZ]; /* initial characters of arg list */
  int pr_wstat;             /* if zombie, the wait() status */
  int pr_argc;              /* initial argument count */
  uintptr_t pr_argv;        /* address of initial argument vector */
  uintptr_t pr_envp;        /* address of initial environment vector */
  char  pr_dmodel;          /* data model of the process */
  char  pr_pad2[3];
  taskid_t pr_taskid;       /* task id */
  projid_t pr_projid;       /* project id */
  int pr_nzomb;             /* number of zombie lwps in the process */
  poolid_t pr_poolid;       /* pool id */
  zoneid_t pr_zoneid;       /* zone id */
  id_t  pr_contract;        /* process contract */
  int pr_filler[1];         /* reserved for future use */
  lwpsinfo_t pr_lwp;        /* information for representative lwp */
} psinfo_t;

and here’s usage:

typedef struct prusage {
  id_t    pr_lwpid;         /* lwp id.  0: process or defunct */
  int   pr_count;           /* number of contributing lwps */
  timestruc_t pr_tstamp;    /* current time stamp */
  timestruc_t pr_create;    /* process/lwp creation time stamp */
  timestruc_t pr_term;      /* process/lwp termination time stamp */
  timestruc_t pr_rtime;     /* total lwp real (elapsed) time */
  timestruc_t pr_utime;     /* user level cpu time */
  timestruc_t pr_stime;     /* system call cpu time */
  timestruc_t pr_ttime;     /* other system trap cpu time */
  timestruc_t pr_tftime;    /* text page fault sleep time */
  timestruc_t pr_dftime;    /* data page fault sleep time */
  timestruc_t pr_kftime;    /* kernel page fault sleep time */
  timestruc_t pr_ltime;     /* user lock wait sleep time */
  timestruc_t pr_slptime;   /* all other sleep time */
  timestruc_t pr_wtime;     /* wait-cpu (latency) time */
  timestruc_t pr_stoptime;  /* stopped time */
  timestruc_t filltime[6];  /* filler for future expansion */
  ulong_t   pr_minf;        /* minor page faults */
  ulong_t   pr_majf;        /* major page faults */
  ulong_t   pr_nswap;       /* swaps */
  ulong_t   pr_inblk;       /* input blocks */
  ulong_t   pr_oublk;       /* output blocks */
  ulong_t   pr_msnd;        /* messages sent */
  ulong_t   pr_mrcv;        /* messages received */
  ulong_t   pr_sigs;        /* signals received */
  ulong_t   pr_vctx;        /* voluntary context switches */
  ulong_t   pr_ictx;        /* involuntary context switches */
  ulong_t   pr_sysc;        /* system calls */
  ulong_t   pr_ioch;        /* chars read and written */
  ulong_t   filler[10];     /* filler for future expansion */
} prusage_t;

Between them, those two structures reveal everything I want. And, they’re both universally accessible. So how the heck do I read a binary struct in Python?

Ruddy Python

I’m not the biggest Python fan. I certainly don’t think there’s anything bad about it, but it’s never “clicked” with me in the way that, say, Ruby did. Writing Ruby, for me, is fun. Writing Python is work. Rather dry work. But, I plough on, hopeful that one day I’ll “get it” and enjoy Python too.

It’s straightforward to read a binary file into a variable, and once that’s done, you can use Python’s struct module to unpack the structure within. But, you need to know how to describe that structure.

In C we define data types as, say, char or int, and the compiler knows the sizes of those types. Python’s struct module requires you to define the incoming structures with characters, which are helpfully listed in a table.

With basic types like ulong_t or int, it’s obvious what letter to use, but I had no idea what the underlying types of things like poolid_t were, so I spent a fair amount of time hunting through /usr/include/sys/types.h or running bits of C like

#include <stdio.h>
#include <sys/types.h>

void main() {
  printf("%zu\n", sizeof(dev_t));

timestruc_t took a bit of tracking down, but it looks like this:

typedef struct  timespec {    /* definition per POSIX.4 */
  time_t  tv_sec;   /* seconds */
  long    tv_nsec;  /* and nanoseconds */
} timespec_t;

So after a little while, I had a format string identifying the whole of the usage struct. psinfo was more challenging, as it includes a complex structure called lwpsinfo_t. I started trying to decode this, but eventually realised I didn’t want any of the information in it, so I could discard it by telling my intial read() operation to only read the file up to the point just before lwpsinfo_t began.

I thought it would be nice to make a Python dict of each of the /proc files I was interested in, so I ended up writing a “key” dict to describe them:

proc_parser = {
  'usage': {
    'fmt':  '=ii8s8s8s8s8s8s8s8s8s8s8s8s8s8s13L',
    'keys': ('pr_lwpid', 'pr_count', 'pr_tstamp', 'pr_create', 'pr_term',
             'pr_rtime', 'pr_utime', 'pr_stime', 'pr_ttime', 'pr_tftime',
             'pr_dftime', 'pr_kftime', 'pr_ltime', 'pr_slptime',
             'pr_wtime', 'pr_stoptime', 'pr_minf', 'pr_majf', 'pr_nswap',
             'pr_inblk', 'pr_oublk', 'pr_msnd', 'pr_mrcv', 'pr_sigs',
             'pr_vctx', 'pr_ictx', 'pr_sysc', 'pr_ioch'),
      'size': 172,
      'ts_t': ('pr_tstamp', 'pr_create', 'pr_term', 'pr_rtime', 'pr_utime',
               'pr_stime', 'pr_ttime', 'pr_tftime', 'pr_dftime',
               'pr_kftime', 'pr_ltime', 'pr_slptime', 'pr_wtime',
  'psinfo': {
    'fmt':  '=iiiiiiIIIIlLLLlHH8s8s8s16s80siills3siiiiiii',
    'keys': ('pr_flag', 'pr_nlwp', 'pr_pid', 'pr_ppid', 'pr_pgid',
             'pr_sid', 'pr_uid', 'pr_euid', 'pr_gid', 'pr_egid',
             'pr_addr', 'pr_size', 'pr_rssize', 'pr_pad1', 'pr_ttydev',
             'pr_pctcpu', 'pr_pctmem', 'pr_start', 'pr_time', 'pr_ctime',
             'pr_fname', 'pr_psargs', 'pr_wstat', 'pr_argc', 'pr_argv',
             'pr_envp', 'pr_dmodel', 'pr_pad2', 'pr_taskid', 'pr_projid',
             'pr_nzomb', 'pr_poolid', 'pr_zoneid', 'pr_contract'),
   'size': 232,
   'ts_t': ('pr_start', 'pr_time', 'pr_ctime'),

The ts_t list is of all the timestruc_t fields. For my own convenience I decided to turn all those into simple Python floats.

Then a simple method which uses that information to return a dict which lets me easily access, say, pr_zoneid. (I’ve removed all the error handling for brevity and clarity.)

def proc_info(p_file, pid):
  parser = proc_parser[p_file]
  p_path = path.join('/proc', str(pid), p_file)
  raw = file(p_path, 'rb').read(parser['size'])

  ret = dict(zip(parser['keys'], struct.unpack(parser['fmt'], raw)))

  for k in parser['ts_t']:
    (s, n) = struct.unpack('lL', ret[k])
    ret[k] = (s * 1e9) + n

  return ret

I put all of this into a library, and went on to write the collector.


The collector loops over every process in /proc, reading both psinfo and usage and turning them into a single dict. The person configuring Diamond is able to select any number of keys from that dict and have them made into metrics under the process namespace. Simple!

Except, of course, nothing’s ever simple. A likely use for the new proc collector is to show the busiest processes on a host, and just how busy they are. Refer back to the usage structure, and you can see that processes do keep track of that, using all those timestruc_t pr_*times. But they’re cumulative, so the collector has to do some sums. Diamond gives you a class variable, last_value to memo things between runs, and using that and our simple-to-work-with nanosecond times, it’s easy to work out the time each process spends on-CPU, literally, and as a percentage of available time. Here’s the system + kernel CPU usage for the Java processes on one of my hosts

If you hover over that chart, you’ll see the zone tags. These are attached to every metric produced by the proc collector, using the pr_zoneid value from psinfo. This is the first field you see when you do zoneadm list -cv; it’s numeric, and it’s not that meaningful. (If you reboot a zone it will likely get a different ID.) At the beginning of each collector run I shell out to zoneadm and generate a map of zone ID to name. When it’s time to send the point, I look up the pr_zoneid value in the map, and tag with the name.

Now on to memory, where I chose to follow prstat(1), and offer the RSS (resident set size) and SIZE columns. The latter is defined in the man pages as The total virtual memory size of the process, including all mapped files and devices. We can get the values from the psinfo struct’s pr_rssize and pr_size fields.

The prstat man page tells us that memory sizes are displayed in Kb. I prefer to send all my metrics as bytes, and let Wavefront handle the prefixes. I’ve taken a hardline “always bytes” policy across all my collectors, even if the standard tooling uses a different unit. But, you know, that K can mean different things to different people. Checking the source it seems that Sun chose to use “proper” K and M, not this Ki and Mi nonsense. So, we multiply the raw figure by 1024.

This seemed to work fine. I wrote and tested it on SmartOS, but I also run a couple of Solaris machines. When I dropped the code on to those, some of the processes showed zero memory usage. At first it seemed arbitrary: of two Java process, one reported its memory correctly, the other didn’t. I couldn’t work it out and I started digging: I DTraced prstat to see exactly what it did and, so far as I could tell, it was doing the same as my code. I read through the prstat source. (The Illumos source is mostly very easy to follow, and the block comments are superb.) The more I looked, the more baffled I was. Everything was correct, I was certain, but for the unavoidable fact it didn’t work.

Eventually I gave up, and asked for help on the illumos-discuss mailing list. In next to no time, an Illumos kernel dev had pointed me at the code which zeros out the pr_size field if a 32-bit process tries to examine a 64-bit one. And sure enough, on SmartOS:

$ file -b `which python2.7`
ELF 64-bit LSB executable AMD64 Version 1, dynamically linked, not stripped, no
debugging information available

and on Solaris:

$ file -b `which python`
ELF 32-bit LSB executable 80386 Version 1 [SSE FXSR FPU], dynamically linked, not stripped

Mystery solved. Self kicked.

At this point I decided to write a script to make an “Omnibus” style package to deploy Diamond. This builds and bundles together together a 64-bit Python, my own Wavefront-enabled fork of Diamond, all Diamond’s dependencies, and my SunOS collectors.

The Tenant Collector

So far I’d developed everything with a view to running in a global zone (easier done on Solaris than on SmartOS) and collecting metrics on the system and on individual zones all from one place. Doing as much as possible from the global is a I learnt early in my zoning days (2007 I think). Back then I wrote acres of Korn shell to dynamically probe whatever appeared under /zones, and run zlogin loops over the output of zoneadm list running Nagios-style check scripts. That looping survives in these collectors, though the zlogin stuff is much less necessary on SmartOS due to zone-aware extensions to the svc commands, and zone-level kstats. Solaris needs to catch up in these areas, assuming it continues to exist at all.

But I have stuff, like the site you’re reading, which runs in the Joyent Public Cloud. I’m in zones there, and you have a different view of the system from inside a zone. Some metrics are invisible, others are meaningless. So I got copying and pasting, and put together a collector tuned to run in a resource-capped SmartOS zone. The README explains the available metrics, so if you’re interested, read that.

Telegraf and the Future

Diamond is fine. It’s a reasonably active open-source project, and it feels a bit step up from CollectD. But now we have Telegraf, and that is far more modern than Diamond.

When I first tried Telegraf, it wouldn’t build on Solaris. Now, it will but, as was the case with Diamond, none of the OS-related plugins work at all. So I’ve started porting my Diamond collectors to Telegraf. There are kstat bindings for Go, and I’m using those. Once I have everything ported over, I might look at trying to write a libscf binding, (though I suspect I’m over-reaching myself there) so I can monitor SMF without having to shell out. I also haven’t really explored DTrace metric collection in the way I wanted to, and there are Go libusdt bindings just waiting for me. It’s a little slow going though, as I’m having to learn Go and its toolchain as I go.

Having a single binary is a big advantage when deploying to a SmartOS global zone. Getting a Python environment built and running was messy, and feels like a big fat hack.