Tags: linux, system-calls, ftrace, linux-kernel
For example, to monitor all mkdir calls, the best I can come up with is:
#!/bin/sh
set -eux
d=debug/tracing
mkdir -p debug
if ! mountpoint -q debug; then
mount -t debugfs nodev debug
fi
# Stop tracing.
echo 0 > "${d}/tracing_on"
# Clear previous traces.
echo > "${d}/trace"
# Enable tracing mkdir
echo sys_enter_mkdir > "${d}/set_event"
# Set tracer type.
echo function > "${d}/current_tracer"
# Filter only sys_mkdir as a workaround.
echo SyS_mkdir > "${d}/set_ftrace_filter"
# Start tracing.
echo 1 > "${d}/tracing_on"
# Generate two mkdir calls.
rm -rf /tmp/a
rm -rf /tmp/b
mkdir /tmp/a
mkdir /tmp/b
# View the trace.
cat "${d}/trace"
# Stop tracing.
echo 0 > "${d}/tracing_on"
umount debug
and then running it with sudo gives:
# tracer: function
#
# entries-in-buffer/entries-written: 4/4 #P:16
#
# _-----=> irqs-off
# / _----=> need-resched
# | / _---=> hardirq/softirq
# || / _--=> preempt-depth
# ||| / delay
# TASK-PID CPU# |||| TIMESTAMP FUNCTION
# | | | |||| | |
mkdir-31254 [015] .... 2010985.576760: sys_mkdir(pathname: 7ffc54b32c77, mode: 1ff)
mkdir-31254 [015] .... 2010985.576763: SyS_mkdir <-tracesys_phase2
mkdir-31255 [007] .... 2010985.578363: sys_mkdir(pathname: 7fff02d90c77, mode: 1ff)
mkdir-31255 [007] .... 2010985.578365: SyS_mkdir <-tracesys_phase2
My problem is that it outputs two lines per system call:
sys_mkdir, which is the event I want, and
SyS_mkdir, which is the function-filter workaround that I don't want to see.
If I try doing:
echo > "${d}/set_ftrace_filter"
or not touching that file at all, then it shows a huge number of functions, and it becomes hard to find the system calls.
Is there a better way to disable the regular functions and keep only the system call events?
I guess I could just use SyS_mkdir and disable the system call event, but it would feel cleaner if I could use the more specific event? Also:
__x64_sys_mkdir replaced SyS_mkdir. Related:
Tested on Ubuntu 18.04, Linux kernel 4.15.
Use the nop tracer
As suggested by sruffell, all we have to do is use the nop tracer instead of function, which disables function tracing but not events.
Run with sudo:
#!/bin/sh
set -eux
d=debug/tracing
mkdir -p debug
if ! mountpoint -q debug; then
mount -t debugfs nodev debug
fi
# Stop tracing.
echo 0 > "${d}/tracing_on"
# Clear previous traces.
echo > "${d}/trace"
# Find the tracer name.
cat "${d}/available_tracers"
# Disable tracing functions, show only system call events.
echo nop > "${d}/current_tracer"
# Find the event name.
grep mkdir "${d}/available_events"
# Enable tracing mkdir.
# Both statements below seem to do the exact same thing,
# just with different interfaces.
# https://www.kernel.org/doc/html/v4.18/trace/events.html
echo sys_enter_mkdir > "${d}/set_event"
# echo 1 > "${d}/events/syscalls/sys_enter_mkdir/enable"
# Start tracing.
echo 1 > "${d}/tracing_on"
# Generate two mkdir calls by two different processes.
rm -rf /tmp/a /tmp/b
mkdir /tmp/a
mkdir /tmp/b
# View the trace.
cat "${d}/trace"
# Stop tracing.
echo 0 > "${d}/tracing_on"
umount debug
This gives the desired output:
mkdir-26064 [007] .... 2014370.909743: sys_mkdir(pathname: 7fffbd461c77, mode: 1ff)
mkdir-26065 [014] .... 2014370.911615: sys_mkdir(pathname: 7ffea53bac77, mode: 1ff)
Alternative that is not the best solution
This also works, but is definitely less nice: replace:
echo SyS_mkdir > "${d}/set_ftrace_filter"
with:
echo '*' > "${d}/set_ftrace_notrace"
This turns off all functions, as mentioned in the docs: https://www.kernel.org/doc/html/v4.18/trace/ftrace.html#the-file-system
set_ftrace_notrace:
This has an effect opposite to set_ftrace_filter. Any function that is added here will not be traced. If a function exists in both set_ftrace_filter and set_ftrace_notrace, the function will not be traced.
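The nop-tracer approach from the answer above, generalized into a reusable function as an added example (not code from the original question or answer): it takes the tracefs directory as its first argument and any number of syscall names after it, checks each name against available_events so a typo fails instead of silently tracing nothing, and enables only the sys_enter events. The directory argument is an assumption made so the function can be exercised against a constructed copy of the tracefs files; on a real system pass /sys/kernel/debug/tracing (or /sys/kernel/tracing) as root.

```shell
#!/bin/sh
# Added example, not from the original post. Enables only syscall entry
# events for the given syscalls, with the nop tracer so no function
# tracing noise appears. $1 = tracefs directory (assumed argument),
# $2.. = syscall names, e.g. mkdir rmdir.
enable_syscall_events() {
    d="$1"; shift
    [ -d "$d" ] || { echo "no tracefs directory: $d" >&2; return 1; }
    # Stop and clear first, so the buffer only holds what we enable below.
    echo 0 > "$d/tracing_on"
    echo > "$d/trace"
    # nop: function tracing off, tracepoint events still fire.
    echo nop > "$d/current_tracer"
    # Drop any events left enabled by earlier experiments.
    echo > "$d/set_event"
    events=""
    for sc in "$@"; do
        ev="syscalls:sys_enter_$sc"
        # available_events lists events as subsystem:event, one per line.
        if ! grep -qx "$ev" "$d/available_events"; then
            echo "unknown syscall event: $ev" >&2
            return 1
        fi
        events="$events $ev"
    done
    # set_event accepts several whitespace-separated event names at once.
    echo "$events" > "$d/set_event"
    echo 1 > "$d/tracing_on"
}

# When run as a script with arguments, configure tracing and show the
# trace buffer; without arguments, only define the function.
if [ $# -gt 0 ]; then
    enable_syscall_events "$@" && cat "$1/trace"
fi
```

Run as `sudo sh trace_syscalls.sh /sys/kernel/debug/tracing mkdir rmdir`, then generate the calls you want to see and read the trace file again.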