From: Mark Johnston
Date: Wed, 3 Dec 2014 16:45:01 -0800
To: dteske@FreeBSD.org
Cc: 'Julian Elischer', freebsd-dtrace@freebsd.org
Subject: Re: DTrace script to trace processes entering vfs::vop_remove
Message-ID: <20141204004501.GB29167@charmander.picturesperfect.net>
In-Reply-To: <032e01d00f4f$98a04e20$c9e0ea60$@FreeBSD.org>
List-Id: "A discussion list for developers working on DTrace in FreeBSD."

On Wed, Dec 03, 2014 at 03:19:31PM -0800, dteske@FreeBSD.org wrote:
> Hi markj, list,
>
> I wrote a script for $work to help me find out "who on Earth
> keeps deleting files XYZ?" from a particular storage server.
>
> Please find attached a copy of watch_vop_remove.d which
> has the following sample output:
>
> 2014 Dec 3 11:58:52 rm[75596]: /tmp/foo
> -+= 72846 0.0 -bash
> \-+= 75589 0.0 /bin/bash /usr/home/support/bash_script
> \-+= 75596 0.0 rm -f /tmp/foo
>
> The above sample output was displayed when executing the following shell
> script:
>
> #!/bin/bash
> touch /tmp/foo
> rm -f /tmp/foo
>
> The output format displayed for each vop_remove() call is as follows:
>
> DATE process[PID]: PATH_TO_DELETE
> -+= GPID UID.GID grandparent_process [arguments (up to 3)]
> \-+= PPID UID.GID parent_process [arguments (up to 3)]
> \-+= PID UID.GID process [arguments (up to 3)]

This is neat.
I just had a few comments:

- You can use walltimestamp when printing the date and time, instead of
  timestamp + blah.
- It's possible to get the full argv of the current process with
  curpsinfo->pr_psargs. It can be done for other processes too; see
  /usr/lib/dtrace/psinfo.d. (This might not be true depending on the
  FreeBSD version you're on.)
- Running this script with a make -j4 buildkernel causes dtrace to run out
  of dynamic variable space.

I'd really really like to fix name resolution so that we don't have to jump
through so many hoops to write scripts like this, though. One approach is to
do what Solaris does, which is keep a cached path in the vnode itself
(v_path).

>
> NB: Requires "kldload dtraceall" to be performed prior to execution

(libdtrace automatically kldloads dtraceall on head and stable/10.)
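
The first two suggestions in the reply above, applied in one script. This is an added example, not the attached watch_vop_remove.d and not code from either poster. It assumes a FreeBSD release whose /usr/lib/dtrace/psinfo.d provides pr_psargs, and that args[1] of the vop_remove probe is the struct vop_remove_args pointer; it prints only the final name component, since full path resolution is the hard part the reply describes.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not the original watch_vop_remove.d): log who removes a
 * file, using walltimestamp and the psinfo translator instead of manual
 * date arithmetic and hand-copied argv.
 */
#pragma D option quiet

/* Skip processes with no parent so the translator is never given NULL. */
vfs::vop_remove:entry
/curthread->td_proc->p_pptr != NULL/
{
	/*
	 * Assumption: args[1] is the struct vop_remove_args *, whose a_cnp
	 * names the directory entry being removed. This is the last path
	 * component only, not a resolved path.
	 */
	this->name = stringof(args[1]->a_cnp->cn_nameptr);
	this->parent = curthread->td_proc->p_pptr;

	/* %Y formats walltimestamp as a date and time. */
	printf("%Y %s[%d]: %s\n", walltimestamp, execname, pid, this->name);

	/* Parent's argv: same translator psinfo.d uses to define curpsinfo. */
	printf("  parent  %d %s\n", ppid,
	    xlate <psinfo_t *> (this->parent)->pr_psargs);

	/* Current process: full argv from curpsinfo. */
	printf("  process %d %d.%d %s\n", pid, uid, gid,
	    curpsinfo->pr_psargs);
}
```

Only clause-local (this->) variables are used, with no thread-local variables or associative arrays, so the script does not allocate from dynamic variable space.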