
I am trying to understand the logs of sysdig. They mention file descriptors other than 0 (standard input), 1 (standard output) and 2 (standard error); file descriptors such as 3, 6, 7 and -2 are listed.

If these are the file index or file number in memory, why are there negative numbers?

The structure of the events is like this:

*%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args

58650327 12:56:29.887941337 0 clear_console (5527) > open 
58650328 12:56:29.887948371 0 clear_console (5527) < open fd=-2(ENOENT) name=/dev/tty0 flags=3(O_RDWR) mode=0 
58650329 12:56:29.887949853 0 clear_console (5527) > open 
58650330 12:56:29.887954188 0 clear_console (5527) < open fd=-13(EACCES) name=/dev/console flags=3(O_RDWR) mode=0 
58650331 12:56:29.887954835 0 clear_console (5527) > open 
58650332 12:56:29.887956940 0 clear_console (5527) < open fd=-13(EACCES) name=/dev/console flags=1(O_RDONLY) mode=0 
58650333 12:56:29.887957474 0 clear_console (5527) > open 
58650334 12:56:29.887959911 0 clear_console (5527) < open fd=-13(EACCES) name=/dev/console flags=2(O_WRONLY) mode=0 
58650363 12:56:29.888201994 0 bash (5506) > open 
58650390 12:56:29.912662138 0 bash (5506) < open fd=-2(ENOENT) name=/etc/bash.bash_logout flags=1(O_RDONLY) mode=0 
58650395 12:56:29.912720036 0 bash (5506) > open 
58650396 12:56:29.912735157 0 bash (5506) < open fd=3(<f>/home/ubuntu/.bash_history) name=/home/ubuntu/.bash_history flags=10(O_APPEND|O_WRONLY) mode=0 
58650426 12:56:29.953271487 0 bash (5506) > open 
58650427 12:56:29.953303756 0 bash (5506) < open fd=3(<f>/home/ubuntu/.bash_history) name=/home/ubuntu/.bash_history flags=1(O_RDONLY) mode=0 
58650541 12:56:29.962503103 0 sshd (5495) > open 
58650542 12:56:29.962537862 0 sshd (5495) < open fd=6(<f>/etc/passwd) name=/etc/passwd flags=4097(O_RDONLY|O_CLOEXEC) mode=0 
58650559 12:56:29.962636515 0 sshd (5495) > open 
58650560 12:56:29.962646634 0 sshd (5495) < open fd=6(<f>/var/run/utmp) name=/var/run/utmp flags=4097(O_RDONLY|O_CLOEXEC) mode=0 
58651059 12:56:29.997560921 0 sshd (5495) > open 
58651060 12:56:29.997629170 0 sshd (5495) < open fd=7(<f>/var/run/utmp) name=/var/run/utmp flags=4099(O_RDWR|O_CLOEXEC) mode=0 
58651091 12:56:29.997727995 0 sshd (5495) > open 
58651092 12:56:29.997768935 0 sshd (5495) < open fd=6(<f>/var/log/wtmp) name=/var/log/wtmp flags=2(O_WRONLY) mode=0 
58651991 12:56:30.016524060 0 sshd (5495) > open 
58651992 12:56:30.016573912 0 sshd (5495) < open fd=4(<f>/etc/login.defs) name=/etc/login.defs flags=1(O_RDONLY) mode=0 
58652240 12:56:30.053254470 0 sshd (5495) > open 
58652241 12:56:30.053280905 0 sshd (5495) < open fd=4(<f>/etc/passwd) name=/etc/passwd flags=4097(O_RDONLY|O_CLOEXEC) mode=0

1 Answer


When you use open() to open a file (see man 2 open), you get a file descriptor back for it (it's an int in C). The standard streams are associated with descriptors 0, 1 and 2, and any other open file stream will have a separate descriptor associated with it.

There's a limit to how many files you can have open at once, usually somewhere around 512 or 1024 (see ulimit -Hn for the hard upper limit), and each of those open files will have a file descriptor associated with them.

Conceptually, it's just an index into an array maintained by the kernel. Apart from the three standard ones, there is no fixed association between the file descriptors and any other stream.


In the log that you have added to the question, you see that the "negative file descriptors" are associated with error codes (ENOENT and EACCES). The open() system call returns negative numbers for errors.

See man errno for a description of these error codes.

The file descriptors are per process, so file descriptor 6 in process A is not the same stream as file descriptor 6 in process B.

  • But I have fd=-2 and fd=-13 too; the array index can't be negative. If I show you the logs, a file-descriptor number is used multiple times; does it mean the array index or the file at that index is used multiple times? fd=3(<f>/home/ubuntu/.bash_history) name=/home/ubuntu/.bash_history flags=1(O_RDONLY) mode=0 fd=6(<f>/var/run/utmp) name=/var/run/utmp flags=4097(O_RDONLY|O_CLOEXEC) mode=0 fd=7(<f>/var/run/utmp) name=/var/run/utmp flags=4099(O_RDWR|O_CLOEXEC) mode=0 fd=6(<f>/var/log/wtmp) name=/var/log/wtmp flags=2(O_WRONLY) mode=0
    – Root
    Commented May 15, 2017 at 7:37
  • @Root That must have some other meaning. A file descriptor simply cannot be negative. None of that is present in any logs you have supplied. Edit your question to add further information.
    – Kusalananda
    Commented May 15, 2017 at 7:39
  • I have updated the question with the complete logs. Check it out: fd 6 was associated with the same process 5495. How is it possible that the first time fd 6 was file A and the second time it was file B?
    – Root
    Commented May 15, 2017 at 8:03
  • @Root It opens a file, reads it, closes it, opens another file, reads it, closes it, etc. The file descriptors are recycled.
    – Kusalananda
    Commented May 15, 2017 at 8:06
  • Ok looks Great :)
    – Root
    Commented May 15, 2017 at 8:08
