6

I would like to find out how I can trace (show) file access on Solaris. I already found the DTrace toolkit in the hope that voptrace would fit the bill. I ran it with `voptrace -t /my/path`, but if I ls or cat files under that path it produces no output. Am I looking at the wrong tool? Can someone suggest another one to find a solution?

UPDATE
@bahamat

Okay, it was giving error messages like this:

dtrace: error on enabled probe ID 3 (ID 126: syscall::openat:entry): invalid address (0xffd19652) in predicate at DIF offset 28

After redirecting stderr, it seems it actually gives output quite close to what I want.

cstamas
  • Check here: http://www.solarisinternals.com/wiki/index.php/DTrace_Topics_One_Liners#Files – kofemann Sep 16 '15 at 19:52
  • Are you tracing within a zone? That error comes up when there's an event at a memory address that the running process doesn't have permission to read. Usually because of reduced capabilities within a zone. – bahamat Sep 24 '15 at 15:07
  • @bahamat I was doing testing from a zone so that makes sense. Thx. – cstamas Oct 23 '15 at 19:49

1 Answer

10

Brendan Gregg has a number of good dtrace one liners on his site. Among them, this one liner to watch files opened by process:

dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'

Expanding that, you can watch a particular file being opened by adding a predicate:

dtrace -n 'syscall::open*:entry /copyinstr(arg0)=="/etc/passwd"/ { printf("%s %s",execname,copyinstr(arg0)); }'

Yielding the following output:

CPU     ID                    FUNCTION:NAME
  2  12622                     open64:entry cat /etc/passwd

ls is slightly different, in that `ls file` doesn't open the file. It uses stat instead (specifically, lstat64), so the probe would be syscall::*stat*:entry.

Note that dtrace implementations vary. The commands above were run on illumos. YMMV.

bahamat
  • The only question is: will this detect if a long running process had the file already opened when dtrace started? – cstamas Sep 16 '15 at 20:53
  • No, `dtrace` probes fire *as events happen*. You can't use dtrace for something in the past. To see which processes *currently* have a particular open, on illumos I use `fuser ` or `lsof -f -i `. – bahamat Sep 16 '15 at 21:54
  • Addition: You can end up with `error on enabled probe ID 4 (ID 968: syscall::open_nocancel:entry): invalid address (0x...) in predicate at DIF`. Here's the error explained and a solution: https://docs.oracle.com/cd/E19253-01/819-5488/gcgkk/index.html (search for `Avoiding Errors`) – Valer Dec 08 '15 at 11:41
  • Addition 2: You can also replace the predicate with `/strstr(copyinstr(self->file), "passwd") != NULL/` to match relative/absolute path names. – Valer Dec 08 '15 at 11:49
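Pulling the answer and the comments together, here is a complete D script (an added example, not code from the answer or from Brendan Gregg's one-liners) that reports which process opened or stat()ed anything under a path prefix given as the script argument. It follows the pattern from the Oracle "Avoiding Errors" page linked above: the entry probe only saves the user pointer, and copyinstr() runs in the return probe, after the kernel has already faulted the string's page in, which is what the "invalid address ... in predicate" error is about. It also handles a second cause of that error: the glob `open*` matches openat() too, and openat() (like fstatat()) takes a directory fd as arg0, so its path is arg1, not arg0. The script name trace_path.d and the output format are my own choices; the syscall names are the Solaris/illumos ones used in the answer.

```d
#!/usr/sbin/dtrace -s
/*
 * trace_path.d (added example): print process, syscall, errno and path for
 * every open()/openat()/stat()/lstat()/fstatat() whose path starts with $$1.
 *
 *   dtrace -s trace_path.d /etc         # only paths under /etc
 *   dtrace -s trace_path.d              # defaultargs: empty prefix, everything
 *
 * Only events after the script starts are seen; already-open files are not.
 */
#pragma D option quiet
#pragma D option defaultargs

/* Path is arg0 for open(), open64(), stat*() and lstat*().  open* also
 * matches openat*, whose arg0 is a directory fd, so exclude it here. */
syscall::open*:entry,
syscall::stat*:entry,
syscall::lstat*:entry
/probefunc != "openat" && probefunc != "openat64"/
{
	self->path = arg0;	/* save the user pointer only; do not copy yet */
}

/* openat*() and fstatat*() take (dirfd, path, ...): the path is arg1. */
syscall::openat*:entry,
syscall::fstatat*:entry
{
	self->path = arg1;
}

/* On return the kernel has touched the user string, so copyinstr() is safe.
 * Copy it, then decide whether it is under the requested prefix. */
syscall::open*:return,
syscall::stat*:return,
syscall::lstat*:return,
syscall::fstatat*:return
/self->path/
{
	self->p = copyinstr(self->path);
	self->path = 0;
	self->hit = (substr(self->p, 0, strlen($$1)) == $$1);
}

/* Report matches: time, process, pid, syscall name, errno (0 = success), path. */
syscall::open*:return,
syscall::stat*:return,
syscall::lstat*:return,
syscall::fstatat*:return
/self->hit/
{
	printf("%Y %-16s pid=%-6d %-10s errno=%-3d %s\n",
	    walltimestamp, execname, pid, probefunc, errno, self->p);
}

/* Release the thread-local storage so it does not accumulate per thread. */
syscall::open*:return,
syscall::stat*:return,
syscall::lstat*:return,
syscall::fstatat*:return
{
	self->hit = 0;
	self->p = 0;
}
```

Run it as root (or with the dtrace_proc/dtrace_kernel privileges), on illumos or Solaris; as the answer says, other DTrace implementations name their syscall probes differently. The errno column is worth keeping: a burst of failed opens (ENOENT, EACCES) against a sensitive path from an unexpected execname is often more interesting than the successful ones.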