NAME
ps-watcher - monitors various processes based on ps-like information.
SYNOPSIS
ps-watcher [options...]
["--config"] config-file
DESCRIPTION
Periodically a list of processes obtained via "ps". More precisely each
item in the list contains the process name (just what’s listed in the
"cmd" field, not the full command and arguments) and its process id
(pid). A configuration file specifies a list of Perl regular-expression
patterns to match the processes against. For each match, a Perl
expression specified for that pattern is evaluated. The evaluated
expression can refer to variables which are set by ps and pertain to
the matched process(es), for example the amount memory consumed by the
process, or the total elapsed time. Some other variables are set by the
program, such as the number of times the process is running. If the
Perl expression for a matched pattern evaluates true, then an action
can be run such as killing the program, restarting it, or mailing an
alert, or running some arbitrary Perl code.
Some things you might want to watch a daemon or process for:
· check that it is running (hasn’t died)
· ensure it is not running too many times
· isn’t consuming too much memory (perhaps a memory leak), or I/O
Some actions you might want to take:
· restart a process
· kill off rampant processes
· send an alert about any of the conditions listed above
Depending on options specfied, this program can be run as a daemon, run
once (which is suitable as a "cron" job), or run not as a daemon but
still continuously (which may be handy in testing the program or your
configuration).
OPTIONS
--help
Print a usage message on standard error and exit with a return code
of 100.
--doc
Extact the full documentation that you are reading now, print it
and exit with a return code of 101.
--version
Print the version release on standard output and exit with a return
code of 10.
--debug number
Give debugging output. The higher the number, the more the output.
The default is 0 = none. 2 is the most debugging output.
[--config] configuration file
Specify configuration file. .
See "CONFIGURATION FILE FORMAT" below for information on the format
of the configuration file and "EXAMPLE CONFIGURATION" for a
complete example of a configuration file.
--log [log file]
Send or don’t send error and debugging output to a log file. If
option is given but no logfile is specified, then use STDERR. The
default is no error log file. See also --syslog below.
--syslog | --nosyslog
Send or don’t send error and debugging output to syslog. The
default is to syslog error and debug output.
--daemon | --nodaemon
Run or don’t as a daemon.
--path search-path
Specify the executable search path used in running commands.
--ps-prog program
One can specify the command that gives ps information. By default,
the command is /bin/ps.
--run | --norun
do/don’t run actions go through the motions as though we were going
to. This may be useful in debugging.
--sleep interval in seconds
It is expected that one might want to run ps-watcher over and over
again. In such instances one can specify the amount of time between
iterations with this option.
If a negative number is specified the program is run only once.
CONFIGURATION FILE MODIFICATION AND SIGNAL HANDLING
Periodically ps-watcher checks to see if the configuration file that it
was run against has changed. If so, the program rereads the
configuration file.
More precisely, the checks are done after waking up from a slumber. If
the sleep interval is long (or if you are impatient), you can probably
force the program to wake up using a HUP signal.
At any time you can increase the level of debug output by sending a
USR1 signal to the ps-watcher process. Similarly you can decrease the
level of debug output by sending the process a USR2 signal.
It is recommended that you terminate ps-watcher via an INT, TERM, or
QUIT signal.
CONFIGURATION FILE FORMAT
The format of a configuration file is a series of fully qualified
filenames enclosed in square brackets followed by a number of parameter
lines. Each parameter line has a parameter name followed by an "equal"
sign and finally value. That is:
# This is a comment line
; So is this.
[process-pattern1]
parameter1 = value1
parameter2 = value2
[process-pattern2]
parameter1 = value3
parameter2 = value4
Comments start with # or ; and take effect to the end of the line.
This should be familiar to those who have worked with text-readible
Microsoft ".INI" files.
Note process patterns, (process-pattern1 and process-pattern2 above)
must be unique. If there are times when you may want to refer to the
same process, one can be creative to make these unique. e.g. cron and
[c]ron which refer to the same process even though they appear to be
different.
As quoted directly from the Config::IniFiles documentation:
Multiline or multivalued fields may also be defined ala UNIX "here
document" syntax:
Parameter=<<EOT
value/line 1
value/line 2
EOT
You may use any string you want in place of "EOT". Note that what
follows the "<<" and what appears at the end of the text must match
exactly, including any trailing whitespace.
There are two special "process patterns": $PROLOG and $EPILOG, the
former should appear first and the latter last.
You can put perl code to initialize variables here and do cleanup
actions in these sections using "perl-action."
A description of parameters names, their meanings and potential values
follows.
trigger
This parameter specifies the condition on which a process action is
fired. The condition is evaluated with Perl eval() and should
therefore return something which is equivalent to "true" in a Perl
expression.
If no trigger is given in a section, true or 1 is assumed and the
action is unconditionally triggered.
Example:
# Match if httpd has not spawned enough (<4) times. NFS and databases
# daemons typically spawn child processes. Since the program
# matches against the command names, not commands and arguments,
# something like: ps -ef | grep httpd won't match the below.
# If you want to match against the command with arguments, see
# the example with $args below.
[httpd$]
trigger = $count <= 4
occurs
This parameter specifies how many times an action should be
performed on processes matching the section trigger. Acceptable
values are "every", "first", "first-trigger", and "none".
Setting the occurs value to "none" causes the the trigger to be
evaluated when there are no matching processes. Although one might
think "$count == 0" in the action expression would do the same
thing, currently as coded this does not work.
Setting the occurs value to "first" causes the process-pattern rule
to be finished after handling the first rule that matches, whether
or not the trigger evaluated to true.
Setting the occurs value to "first-trigger" causes the process-
pattern rule to be finished after handling the first rule that
matches and the trigger evaluates to true.
If the item parameter is not specified, "first" is assumed.
Examples:
[.]
occurs = first
action = echo "You have $count processes running"
# Note in the above since there is no trigger specified,
# occurs = first
# is the same thing as
# occurs = first-trigger
[.?]
trigger = $vsz > 1000
occurs = every
action = echo "Large program $command matches $ps_pat: $vsz KB"
# Fire if /usr/sbin/syslogd is not running.
# Since the program matches against the command names, not commands and
# arguments, something like:
# ps -ef | grep /usr/sbin/syslogd
# won't match the below.
[(/usr/sbin/)?syslogd]
occurs = none
action = /etc/init.d/syslogd start
action
This specifies the action, a command that gets run by the system
shell, when the trigger condition is evaluated to be true.
Example:
action = /etc/init.d/market_loader.init restart
perl-action
This specifies Perl statements to be eval’d. This can be especially
useful in conjunction with $PROLOG and $EPILOG sections to make
tests across collections of process and do things which ps-watcher
would otherwise not be able to do.
Example:
# A Perl variable initialization.
# Since ps-watcher runs as a daemon it's a good idea
# to (re)initialize variables before each run.
[$PROLOG]
perl-action = $root_procs=0;
# Keep track of how many root processes we are running
[.*]
perl-action = $root_procs++ if $uid == 0
occurs = every
# Show this count.
[$EPILOG]
action = echo "I counted $root_procs root processes"
EXPANDED VARIABLES IN TRIGGER/ACTION CLAUSES
Any variables defined in the program can be used in pattern or action
parameters. For example, $program can be used to refer to the name of
this program ps-watcher.
The following variables can be used in either the pattern or action
fields.
$action
A string containing the text of the action to run.
$perl_action
A string containing the text of the perl_action to run.
$ps_pat
The Perl regular expression specified in the beginning of the
section.
$command
The command that matched $ps_pat.
The Perl regular expression specified in the beginning of the
section. Normally processes will not have funny characters in
them. Just in case, backticks in $command are escaped.
Example:
# List processes other than emacs (which is a known pig) that use lots
# of virtual memory
[.*]
trigger = $command !~ /emacs$/ && $vsz > 10
action = echo \"Looks like you have a big \$command program: \$vsz KB\"
$count
The number of times the pattern matched. Presumably the number of
processes of this class running.
$trigger
A string containing the text of the trigger.
A list of variables specific to this program or fields commonly found
in "ps" output is listed below followed by a description of the more
common ones. See also "ps" for a more complete description of the
meaning of the field.
uid euid ruid gid egid rgid alarm blocked bsdtime c caught
cputime drs dsiz egroup eip esp etime euser f fgid
fgroup flag flags fname fsgid fsgroup fsuid fsuser fuid fuser
group ignored intpri lim longtname m_drs m_trs maj_flt majflt
min_flt minflt ni nice nwchan opri pagein pcpu pending pgid pgrp
pmem ppid pri rgroup rss rssize rsz ruser s sess session
sgi_p sgi_rss sgid sgroup sid sig sig_block sig_catch sig_ignore
sig_pend sigcatch sigignore sigmask stackp start start_stack start_time
stat state stime suid suser svgid svgroup svuid svuser sz time timeout
tmout tname tpgid trs trss tsiz tt tty tty4 tty8 uid_hack uname
user vsize vsz wchan
Beware though, in some situations ps can return multiple lines for a
single process and we will use just one of these in the trigger. In
particular, Solaris’s "ps" will return a line for each LWP (light-
weight process). So on Solaris, if a trigger uses variable lwp, it may
or may not match depending on which single line of the multiple "ps"
lines is used.
$args
The command along with its command arguments. It is possible that
this is might get truncated at certain length (if ps does likewise
as is the case on Solaris).
$ppid
The parent process id.
$stime
The start time of the process.
$etime
The end time of the process.
$pmem
The process memory.
$pcpu
The percent CPU utilization.
$tty
The controlling tty.
$vsz
Virtual memory size of the process
OTHER THINGS IN TRIGGER CLAUSES
To make testing against elapsed time easier, a function "elapse2sec()"
has been written to parse and convert elapsed time strings in the
format "dd-hh:mm:ss" and a number of seconds.
Some constants for the number of seconds in a minute, hour, or day have
also been defined. These are referred to as "MINS", "HOURS", and "DAYS"
respectively and they have the expected definitions:
use constant MINS => 60;
use constant HOURS => 60*60;
use constant DAYS => HOURS * 24;
Here is an example of the use of "elapsed2sec()":
# Which processes have been running for more than 3 hours?
# Also note use of builtin-function elapsed2secs, variable $etime
# and builtin-function HOURS
[.]
trigger = elapsed2secs('$etime') > 1*DAYS
action = echo "$command has been running more than 1 day ($etime)"
occurs = every
Please note the quotes around ’$etime’.
EXAMPLE CONFIGURATION
# Comments start with # or ; and go to the end of the line.
# The format for each entry is in Microsoft .INI form:
# [process-pattern]
# trigger = perl-expression
# action = program-and-arguments-to-run
[httpd$]
trigger = $count < 4
action = echo "$trigger fired -- You have $count httpd sessions."
[.]
trigger = $vsz > 10
action = echo "Looks like you have a big $command program: $vsz KB"
# Unfortunately we have use a different pattern below. (Here we use
# ".?" instead of ".".) In effect the the two patterns mean
# test every process.
[.?]
trigger = elapsed2secs('$etime') > 2*MINS && $pcpu > 40
occurs = every
action = <<EOT
echo "$command used $pcpu% CPU for the last $etime seconds" | /bin/mail root
kill -TERM $pid
EOT
# Scripts don't show as the script name as the command name on some
# operating systems. Rather the name of the interpreter is listed
# (e.g. bash or perl) Here's how you can match against a script.
# BSD/OS is an exception: it does give the script name rather than
# the interpreter name.
[/usr/bin/perl]
trigger = \$args !~ /ps-watcher/
occurs = every
action = echo "***found perl program ${pid}:\n $args"
Using $PROLOG for getting non-ps information
Here is an example to show how to use ps-watcher to do something not
really possible from ps: check to see if a port is active. We make use
of lsof to check port 3333 and the $PROLOG make sure it runs.
[$PROLOG]
occurs = first
trigger = { \$x=`lsof -i :3333 >/dev/null 2>&1`; \$? >> 8 }
action = <<EOT
put-your-favorite-command-here arg1 arg2 ...
EOT
SECURITY CONSIDERATIONS
Any daemon such as this one which is sufficiently flexible is a
security risk. The configuration file allows arbitrary commands to be
run. In particular if this daemon is run as root and the configuration
file is not protected so that it can’t be modified, a bad person could
have their programs run as root.
There’s nothing in the ps command or ps-watcher, that requires one to
run this daemon as root.
So as with all daemons, one needs to take usual security precautions
that a careful sysadmin/maintainer of a computer would. If you can run
any daemon as an unprivileged user (or with no privileges), do it! If
not, set the permissions on the configuration file and the directory it
lives in.
This program can also run chrooted and there is a "--path" option that
is available which can be used to set the executable search path. All
commands used by ps-watcher are fully qualified, and I generally give a
full execution path in my configuration file, so consider using the
option "--path=''".
Commands that need to be run as root you can run via "sudo". I often
run process accounting which tracks all commands run. Tripwire may be
useful to track changed configuration files.
TROUBLESHOOTING
To debug a configuration file the following options are useful:
ps-watcher --log --nodaemon --sleep -1 --debug 2 *config-file*
For even more information and control try running the above under the
perl debugger, e.g.
perl -d ps-watcher --log --nodaemon --sleep -1 --debug 2 *config-file*
BUGS
Well, some of these are not so much a bug in ps-watcher so much as a
challenge to getting ps-watcher to do what you want it to do.
One common problem people run in into is understanding exactly what the
process variables mean. The manual page ps(1) should be of help, but
I’ve found some of the descriptions either a bit vague or just plain
lacking.
Sometimes one will see this error message when debug tracing is turned
on:
** debug ** Something wrong getting ps variables
This just means that the process died between the time ps-watcher first
saw the existence of the process and the time that it queried
variables.
SEE ALSO
See also ps(1) and syslogd(8).
Another cool program doing ps-like things is "xps". Well okay, it’s
another program I distributed. It shows the process tree dynamically
updated using X Motif and tries to display the output "attractively"
but fast. You can the find the homepage at
<http://motif-pstree.sourceforge.net> and it download via
<http://prdownloads.sourceforge.net/motif-pstree?sort_by=date&sort=desc>
AUTHOR
Rocky Bernstein (rocky@gnu.org)
COPYRIGHT
Copyright (C) 2000, 2002, 2003, 2004, 2005, 2006, 2008
Rocky Bernstein, email: rocky@gnu.org.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.