如何在Linux中跟踪每个文件的IO操作？

Question

我需要跟踪read特定文件的系统调用,我目前正在通过解析输出来完成此操作strace.由于read文件描述符工作我必须保持轨道之间的当前映射的fd和path.此外,seek必须进行监控以使跟踪中的当前位置保持最新.

Linux中是否有更好的方法来获取每个应用程序,每个文件路径的IO跟踪？

Answer 1

您可以等待文件打开,这样您就可以在进程启动后学习fd并附加strace,如下所示:

strace -p pid -e trace = file -e read = fd

Answer 2

systemtap - 一种针对Linux的DTrace重新实现 - 可能对此有所帮助.

与strace一样,你只有fd,但是使用脚本功能很容易维护fd的文件名(除非有像dup这样有趣的东西).还有的是,示例脚本iotime illustates它.

#! /usr/bin/env stap

/*
 * Copyright (C) 2006-2007 Red Hat Inc.
 * 
 * This copyrighted material is made available to anyone wishing to use,
 * modify, copy, or redistribute it subject to the terms and conditions
 * of the GNU General Public License v.2.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * Print out the amount of time spent in the read and write systemcall
 * when each file opened by the process is closed. Note that the systemtap 
 * script needs to be running before the open operations occur for
 * the script to record data.
 *
 * This script could be used to to find out which files are slow to load
 * on a machine. e.g.
 *
 * stap iotime.stp -c 'firefox'
 *
 * Output format is:
 * timestamp pid (executabable) info_type path ...
 *
 * 200283135 2573 (cupsd) access /etc/printcap read: 0 write: 7063
 * 200283143 2573 (cupsd) iotime /etc/printcap time: 69
 *
 */

global start
global time_io

function timestamp:long() { return gettimeofday_us() - start }

function proc:string() { return sprintf("%d (%s)", pid(), execname()) }

probe begin { start = gettimeofday_us() }

global filehandles, fileread, filewrite

probe syscall.open.return {
  filename = user_string($filename)
  if ($return != -1) {
    filehandles[pid(), $return] = filename
  } else {
    printf("%d %s access %s fail\n", timestamp(), proc(), filename)
  }
}

probe syscall.read.return {
  p = pid()
  fd = $fd
  bytes = $return
  time = gettimeofday_us() - @entry(gettimeofday_us())
  if (bytes > 0)
    fileread[p, fd] += bytes
  time_io[p, fd] <<< time
}

probe syscall.write.return {
  p = pid()
  fd = $fd
  bytes = $return
  time = gettimeofday_us() - @entry(gettimeofday_us())
  if (bytes > 0)
    filewrite[p, fd] += bytes
  time_io[p, fd] <<< time
}

probe syscall.close {
  if ([pid(), $fd] in filehandles) {
    printf("%d %s access %s read: %d write: %d\n",
           timestamp(), proc(), filehandles[pid(), $fd],
           fileread[pid(), $fd], filewrite[pid(), $fd])
    if (@count(time_io[pid(), $fd]))
      printf("%d %s iotime %s time: %d\n",  timestamp(), proc(),
             filehandles[pid(), $fd], @sum(time_io[pid(), $fd]))
   }
  delete fileread[pid(), $fd]
  delete filewrite[pid(), $fd]
  delete filehandles[pid(), $fd]
  delete time_io[pid(),$fd]
}

它只能处理一定数量的文件,因为哈希映射的大小有限.

Answer 3

首先,您可能不需要跟踪,因为在fd和之间的映射path可用/proc/PID/fd/.

其次,也许你应该使用在C LD_PRELOAD技巧和过载open,seek和read系统调用.这里和那里有一些关于如何重载malloc/free的文章.

我想对于那些系统调用应用相同类型的技巧也不会有太大的不同.它需要在C中实现,但它应该比解析strace输出需要更少的代码并且更精确.