Created
January 21, 2022 13:35
-
-
Save robbmanes/ae49a32a6d878ec5d91991115a4ca879 to your computer and use it in GitHub Desktop.
PPC64LE unmount watcher systemtap for RHEL7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# unmount-watcher.stp | |
# Watches for filesystem unmounts and prints additional information about them. | |
# Authored by Robb Manes <robbmanes@protonmail.com> | |
# Execute by running: | |
# stap unmount-watcher.stp > unmount-watcher.out | |
# In containerized environments, the unmounting process may belong to a different process namespace, so it's useful to print the | |
# entire tree to determine where it came from. | |
# This is borrowed from https://sourceware.org/systemtap/examples/network/connect_stat.stp | |
function process_tree () { | |
cur_proc = task_current(); | |
parent_pid = task_pid(task_parent (cur_proc)); | |
printf("\t"); | |
while (parent_pid != 0) { | |
printf ("%s (%d),%d,%d -> ", task_execname(cur_proc), task_pid(cur_proc), task_uid(cur_proc),task_gid (cur_proc)); | |
cur_proc = task_parent(cur_proc); | |
parent_pid = task_pid(task_parent (cur_proc)); | |
} | |
# init process | |
if (task_pid (cur_proc) == 1) { | |
printf ("%s (%d),%d,%d\n", task_execname(cur_proc), task_pid(cur_proc), task_uid(cur_proc),task_gid (cur_proc)); | |
} | |
} | |
probe begin { | |
printf("Watching all \"umount\" system calls...\n"); | |
} | |
probe syscall.umount { | |
printf("[%s] Unmount issued by process %s (PID %d)\n", | |
ctime(gettimeofday_s()), | |
execname(), | |
pid()); | |
process_tree(); | |
} | |
probe end { | |
printf("Exiting \"umount\" watcher...\n"); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment