From owner-freebsd-dtrace@FreeBSD.ORG Thu Dec 4 02:03:57 2014 Return-Path: Delivered-To: freebsd-dtrace@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8CF3931E; Thu, 4 Dec 2014 02:03:57 +0000 (UTC) Received: from shxd.cx (unknown [64.201.244.140]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 77288C0; Thu, 4 Dec 2014 02:03:57 +0000 (UTC) Received: from 50-196-156-133-static.hfc.comcastbusiness.net ([50.196.156.133]:32631 helo=THEMADHATTER) by shxd.cx with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from ) id 1Xvwp0-000HaN-FV; Tue, 02 Dec 2014 15:25:30 -0800 From: To: "'Mark Johnston'" , References: <032e01d00f4f$98a04e20$c9e0ea60$@FreeBSD.org> <20141204004501.GB29167@charmander.picturesperfect.net> In-Reply-To: <20141204004501.GB29167@charmander.picturesperfect.net> Subject: RE: DTrace script to trace processes entering vfs::vop_remove Date: Wed, 3 Dec 2014 18:03:45 -0800 Message-ID: <03ed01d00f66$89db0ee0$9d912ca0$@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 15.0 Thread-Index: AQI3By3pwavXf++OEI907mvFaHhfnwHGQBwmm6KLGbA= Content-Language: en-us Sender: devin@shxd.cx Cc: 'Julian Elischer' , freebsd-dtrace@freebsd.org X-BeenThere: freebsd-dtrace@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "A discussion list for developers working on DTrace in FreeBSD." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2014 02:03:57 -0000 > -----Original Message----- > From: Mark Johnston [mailto:markjdb@gmail.com] On Behalf Of Mark > Johnston > Sent: Wednesday, December 3, 2014 4:45 PM > To: dteske@FreeBSD.org > Cc: freebsd-dtrace@freebsd.org; 'Julian Elischer' > Subject: Re: DTrace script to trace processes entering vfs::vop_remove > > On Wed, Dec 03, 2014 at 03:19:31PM -0800, dteske@FreeBSD.org wrote: > > Hi markj, list, > > > > I wrote a script for $work to help me find out "who on Earth > > keeps deleting files XYZ?" from a particular storage server. > > > > Please find attached a copy of watch_vop_remove.d which > > has the following sample output: > > > > 2014 Dec 3 11:58:52 rm[75596]: /tmp/foo > > -+= 72846 0.0 -bash > > \-+= 75589 0.0 /bin/bash /usr/home/support/bash_script > > \-+= 75596 0.0 rm -f /tmp/foo > > > > The above sample output was displayed when executing the following shell > > script: > > > > #!/bin/bash > > touch /tmp/foo > > rm -f /tmp/foo > > > > The output format displayed for each vop_remove() call is as follows: > > > > DATE process[PID]: PATH_TO_DELETE > > -+= GPID UID.GID grandparent_process [arguments (up to 3)] > > \-+= PPID UID.GID parent_process [arguments (up to 3)] > > \-+= PID UID.GID process [arguments (up to 3)] > > This is neat. I just had a few comments: > - You can use walltimestamp when printing the date and time, instead of > timestamp + blah. I read that online as well, however: walltimestamp appears to _always_ be zero. > - It's possible to get the full argv of the current process with > curpsinfo->pr_psargs. It can be done for other processes too; see > /usr/lib/dtrace/psinfo.d. (This might not be true depending on the > FreeBSD version you're on.) Thanks! I'll have a look. > - Running this script with a make -j4 buildkernel causes dtrace to run > out of dynamic variable space. > Any recommendation on how to fix that? #pragma D option dynvarsize=what_exactly? (16m causes a warning that it's lowering the dynamic variable memory) > I'd really really like to fix name resolution so that we don't have to > jump through so many hoops to write scripts like this, though. One > approach is to do what Solaris does, which is keep a cached path in the > vnode itself (v_path). > Yes, that would be great. But perhaps not something we should do solely for dtrace's benefit. -- Devin