0

I run Linux on eMMC.

I want to reduce the IO which gets done on the device.

I don't like to search for the needle in the haystack.

I want a way to trace the access to the device.

I want to see the process ID and the file name which does write operations to the eMMC.

Unfortunately I could not find a way to do this up to now.

I could run this every second, but a more robust solution is welcome:

ls -ltr /proc/*/fd| grep -vE '/dev/|socket|pipe'

Any hint on how to find the information I am looking for?

BTW, I have already applied the hints from this answer: https://raspberrypi.stackexchange.com/a/186

I use Ubuntu 16.04.

guettli

1 Answer

3

Try sysdig.

bash-4.1$ sysdig -l | grep write
                 However, for some events (like writes to /dev/log) it provides
evt.is_io       'true' for events that read or write to FDs, like read(), send,
evt.is_io_write 'true' for events that write to FDs, like write(), send(), etc.
                that write to FDs, like write().
evt.is_syslog   'true' for events that are writes to /dev/log.
evt.is_open_write
bash-4.1$ sysdig -l | egrep 'proc.pid|fd.name'
fd.name         FD full name. If the fd is a file, this field contains the full
proc.pid        the id of the process generating the event.

So perhaps something like:

sudo sysdig -p '%proc.pid %fd.name' evt.is_io_write exists

Whoops that matches sysdig (and my SSH session).

sudo sysdig -p '%proc.pid %fd.name' \
  "evt.is_io_write exists and not ( proc.name contains sysdig or proc.name contains ssh )"

Still a bit busy. This is better on my test system:

sudo sysdig -p '%proc.pid %fd.name %fd.type' "evt.is_io_write exists and fd.typechar = f and not ( fd.name contains /dev or fd.name contains /proc or fd.name contains eventfd or fd.name contains signalfd or fd.name contains kvm- )"

Or you could filter for fd.name with a path and then exclude /dev and /proc...

thrig
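To turn the event stream from the answer's sysdig commands into a ranked list of the heaviest writers, the output can be aggregated per process and file. The following is an added example, not part of the original answer; the function names `rank_writers` and `sample_events` are hypothetical and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: rank (PID, file) pairs by number of write events.
# Input: one "<pid> <fd.name>" line per event, i.e. the format printed by
#   sysdig -p '%proc.pid %fd.name' ...
# Live use (filter taken from the answer above, 60 second sample):
#   sudo timeout 60 sysdig -p '%proc.pid %fd.name' \
#     "evt.is_io_write exists and fd.typechar = f" | rank_writers

rank_writers() {
  awk '
    # The first field must be a numeric PID. Everything after it is the
    # file name, which may itself contain spaces.
    $1 ~ /^[0-9]+$/ && NF >= 2 {
      name = $0
      sub(/^[ \t]*[0-9]+[ \t]+/, "", name)
      # Skip /dev and /proc, as the answer does: those writes never
      # reach the eMMC.
      if (name ~ /^\/(dev|proc)\//) next
      count[$1 "\t" name]++
    }
    END {
      # Output columns: event count, PID, file name (tab separated).
      for (k in count) printf "%d\t%s\n", count[k], k
    }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2n -k3,3
}

# Constructed sample input, standing in for captured sysdig output.
sample_events() {
  cat <<'EOF'
812 /var/log/syslog
812 /var/log/syslog
1450 /home/user/.cache/app/state db.sqlite
812 /var/log/syslog
1450 /home/user/.cache/app/state db.sqlite
97 /dev/null
2201 /proc/2201/oom_score_adj
2201 /tmp/build.log
garbage line
EOF
}

# Demo run on the constructed sample: busiest (PID, file) pair first.
sample_events | rank_writers
```

The counts are write events, not bytes, so a process issuing many small writes ranks above one issuing a few large ones.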