Differences between revisions 34 and 56 (spanning 22 versions)
Revision 34 as of 2007-10-14 08:08:15
Size: 4247
Editor: 202-156-12-12
Comment:
Revision 56 as of 2010-04-19 12:10:27
Size: 6736
Editor: 92
Comment: Correct linking
Deletions are marked like this. Additions are marked like this.
Line 11: Line 11:
Someone asked if there is a Linux equivalent of the [http://www.scit.wlv.ac.uk/cgi-bin/mansec?1+pfiles Solaris pfiles] tool. pfiles is a Solaris proc utility that reports information of all open files by the process id. [http://sources.redhat.com/systemtap/wiki/EugeneTeo Eugene] decided to write a similar tool for Linux using !SystemTap. Someone asked if there is a Linux equivalent of the [[http://www.scit.wlv.ac.uk/cgi-bin/mansec?1+pfiles|Solaris pfiles]] tool. pfiles is a Solaris proc utility that reports information of all open files by the process id. [[http://sources.redhat.com/systemtap/wiki/EugeneTeo|Eugene]] decided to write a similar tool for Linux using !SystemTap.
Line 14: Line 14:
The script is too long to be listed here. Please download the [attachment:pfiles script] (GPL) instead. This script is part of the standard [[http://sourceware.org/systemtap/examples/|SystemTap Examples]]. Get it here http://sourceware.org/systemtap/examples/process/pfiles.stp. Or if you have already downloaded the systemtap tarball, it's in ./testsuite/systemtap.examples/process/pfiles.stp or installed under /usr/share/doc/systemtap-*/examples.
Line 22: Line 22:
 * report locked open files ''[completed]''
 * report pathname information ''[completed]''
 * report socket information ''[not possible]''
 * report locked open files ''[completed 14/10/07]''
 * report pathname information ''[completed 13/10/07]''
 * report socket information ''[completed 19/01/08]''
Line 28: Line 28:

##More information can be found at:
## * [[http://www.kernel.sg/blog/2008/01/18/running-pfiles-on-a-process-in-linux-to-report-open-files/|Running pfiles ##on a process in Linux to report open files]]
## * [[http://www.kernel.sg/blog/2008/01/20/fiddling-with-pfiles-to-gather-opened-socket-information/|Fiddling with ##pfiles to gather open socket information]]
Line 29: Line 34:
$ ./pfiles $ pfiles
Line 32: Line 37:
$ ./pfiles `pgrep firefox` | head -n21  3914: -firefox-bin $ pfiles `pgrep firefox-bin` | head -24
4
118: firefox-bin
Line 35: Line 40:
   0: S_IFCHR mode:0620 dev:0,11 ino:6 uid:500 gid:500 rdev:136,4
      O_RDWR
      /dev/pts/4 (deleted)
   1: S_IFCHR mode:0620 dev:0,11 ino:6 uid:500 gid:500 rdev:136,4
      O_RDWR
      /dev/pts/4 (deleted)
   2: S_IFCHR mode:0620 dev:0,11 ino:6 uid:500 gid:500 rdev:136,4
      O_RDWR
      /dev/pts/4 (deleted)
   3: S_IFSOCK mode:0777 dev:0,5 ino:18253 uid:500 gid:500 rdev:0,0
      O_RDWR|O_NONBLOCK|O_NDELAY FD_CLOEXEC
      socket:[18253]
   4: S_IFREG mode:0664 dev:253,0 ino:16253091 uid:500 gid:500 rdev:0,0
      O_WRONLY
      advisory write lock set by process 3914
      /home/eteo/.mozilla/firefox/4b7rsevm.default/.parentlock
   5: S_IFIFO mode:0600 dev:0,6 ino:18260 uid:500 gid:500 rdev:0,0
      O_RDONLY|O_NONBLOCK|O_NDELAY
      pipe:[18260]
   0: S_IFCHR mode:0666 dev:0,16 ino:205 uid:500 gid:500 rdev:1,3
      O_RDONLY|O_LARGEFILE
      /dev/null
   1: S_IFCHR mode:0666 dev:0,16 ino:205 uid:500 gid:500 rdev:1,3
      O_WRONLY|O_LARGEFILE
      /dev/null
   2: S_IFCHR mode:0666 dev:0,16 ino:205 uid:500 gid:500 rdev:1,3
      O_WRONLY|O_LARGEFILE
      /dev/null
   3: S_IFSOCK mode:0777 dev:0,5 ino:45113 uid:500 gid:500 rdev:0,0
      O_RDWR|O_NONBLOCK FD_CLOEXEC
      socket:[45113]
   4: S_IFIFO mode:0600 dev:0,6 ino:45115 uid:500 gid:500 rdev:0,0
      O_RDONLY
      pipe:[45115]
   5: S_IFIFO mode:0600 dev:0,6 ino:45115 uid:500 gid:500 rdev:0,0
      O_WRONLY
      pipe:[45115]
   6: S_IFREG mode:0664 dev:253,0 ino:17105675 uid:500 gid:500 rdev:0,0
      O_WRONLY
      advisory write lock set by process 4118
      /home/eteo/.mozilla/firefox/abcdefgh.default/.parentlock
$ pfiles `pgrep thunderbird-bin` | grep advisory -A1 -B2
   6: S_IFREG mode:0664 dev:253,0 ino:15729244 uid:500 gid:500 rdev:0,0
      O_WRONLY
      advisory write lock set by process 3610
      /home/eteo/.thunderbird/abcdefgh.default/.parentlock
Line 56: Line 69:
To gather more information about sockets, you can use lsof with pfiles. List all sockets opened by ntpd:
Line 59: Line 72:
$ sudo /usr/sbin/lsof -i | grep `pgrep firefox`
firefox-b 3914 eteo 47u IPv4 184119 TCP w.x.y.z:33445->blog3.rhb.hosted.redhat.com:http (ESTABLISHED)
firefox-b 3914 eteo 49u IPv4 184209 TCP w.x.y.z:35936->mail.samba.org:http (ESTABLISHED)
$ pfiles `pgrep ntpd` | grep -i port\:
      sockname: AF_INET 0.0.0.0 port: 123
      sockname: AF_INET6 0000:0000:0000:0000:0000:0000:0000:0000 port: 123
      sockname: AF_INET6 0000:0000:0000:0000:0000:0000:0000:0001 port: 123
      sockname: AF_INET6 fe80:0000:0000:0000:0218:8bff:febf:XXXX port: 123
      sockname: AF_INET 127.0.0.1 port: 123
      sockname: AF_INET 192.168.1.X port: 123
      sockname: AF_INET6 fe80:0000:0000:0000:0200:00ff:XXXX:0000 port: 123
      sockname: AF_INET 192.168.122.X port: 123
      sockname: AF_INET 10.64.68.X port: 123
}}}

List all AF_UNIX sockets with paths binded by pidgin:

{{{
$ pfiles `pgrep pidgin` | grep -i unix\ \/
       peername: AF_UNIX /tmp/orbit-eteo/linc-c7b-0-13f16bda309e6
       peername: AF_UNIX /var/run/dbus/system_bus_socket
       peername: AF_UNIX /tmp/.ICE-unix/3105
       sockname: AF_UNIX /tmp/orbit-eteo/linc-6a1b-0-3c1dac62998f6
       sockname: AF_UNIX /tmp/orbit-eteo/linc-6a1b-0-3c1dac62998f6
}}}

Compare pidgin’s output with the following. Now I know why nothing happens when I try to press ctrl+space in my pidgin chat window. Something is broken.

{{{
$ pfiles `pgrep firefox-bin` | grep -i unix\ \/ | grep scim
       peername: AF_UNIX /tmp/scim-bridge-0.3.0.socket-500@localhost:0.0
}}}

List opened files that are locked:

{{{
$ pfiles 2676 | grep advisory -A1 -B2
  3: S_IFREG mode:0644 dev:253,0 ino:459459 uid:0 gid:0 rdev:0,0
     O_RDWR FD_CLOEXEC
     advisory write lock set by process 2675
     /var/run/crond.pid
}}}

bind() was called with INADDR_ANY as its IP address:

{{{
$ pfiles `pgrep dnsmasq` | tail -4
 11: S_IFSOCK mode:0777 dev:0,5 ino:8996 uid:99 gid:40 rdev:0,0
     O_RDWR|O_NONBLOCK
     socket:[8996]
       sockname: AF_INET 0.0.0.0 port: 32771
Line 68: Line 126:
You can write very useful systems tools that are not available in Linux with !SystemTap. [http://sources.redhat.com/systemtap/wiki/WSPfiles pfiles] and [http://sources.redhat.com/systemtap/wiki/WSPlimit plimit] are excellent examples. You can write very useful systems tools that are not available in Linux with !SystemTap. [[http://sources.redhat.com/systemtap/wiki/WSPfiles|pfiles]] and [[http://sources.redhat.com/systemtap/wiki/WSPlimit|plimit]] are excellent examples.
Line 71: Line 129:
 * [http://www.cs.ui.ac.id/WebKuliah/IKI10100/resources/contest/OnlineJudge/gnudoc/libc/Descriptor_Flags.html The GNU C Library - Descriptor Flags]  * [[http://www.cs.ui.ac.id/WebKuliah/IKI10100/resources/contest/OnlineJudge/gnudoc/libc/Descriptor_Flags.html|The GNU C Library - Descriptor Flags]]
Line 73: Line 131:
     This flag specifies that the file descriptor should be closed when an exec function is invoked; see Executing a File. When a file descriptor is allocated (as with open or dup ), this bit is initially cleared on the new file descriptor, meaning that descriptor will survive into the new program after exec .
 * [http://www.ecst.csuchico.edu/~beej/guide/ipc/flock.html File Locking]
     This flag specifies that the file descriptor should be closed when an exec function is invoked; see Executing a File. When a file descriptor is allocated (as with open or dup), this bit is initially cleared on the new file descriptor, meaning that descriptor will survive into the new program after exec .
 * [[http://www.ecst.csuchico.edu/~beej/guide/ipc/flock.html|File Locking]]
Line 77: Line 135:
 * [http://samba.org/ftp/unpacked/junkcode/locktst.c locktst.c test] (Andrew's junkcode rocks!)  * [[http://samba.org/ftp/unpacked/junkcode/locktst.c|locktst.c test]] - Andrew's junkcode rocks!

pfiles for Linux

Problem

Someone asked if there is a Linux equivalent of the Solaris pfiles tool. pfiles is a Solaris proc utility that reports information of all open files by the process id. Eugene decided to write a similar tool for Linux using SystemTap.

Scripts

This script is part of the standard SystemTap Examples. Get it here http://sourceware.org/systemtap/examples/process/pfiles.stp. Or if you have already downloaded the systemtap tarball, it's in ./testsuite/systemtap.examples/process/pfiles.stp or installed under /usr/share/doc/systemtap-*/examples.

It is based on the example outputs in:

TODO:

  • report locked open files [completed 14/10/07]

  • report pathname information [completed 13/10/07]

  • report socket information [completed 19/01/08]

Output

$ pfiles
usage:  pfiles pid ...
  (report open files of each process)
$ pfiles `pgrep firefox-bin` | head -24
4118:  firefox-bin
  Current rlimit: 256 file descriptors
   0: S_IFCHR mode:0666 dev:0,16 ino:205 uid:500 gid:500 rdev:1,3
      O_RDONLY|O_LARGEFILE
      /dev/null
   1: S_IFCHR mode:0666 dev:0,16 ino:205 uid:500 gid:500 rdev:1,3
      O_WRONLY|O_LARGEFILE
      /dev/null
   2: S_IFCHR mode:0666 dev:0,16 ino:205 uid:500 gid:500 rdev:1,3
      O_WRONLY|O_LARGEFILE
      /dev/null
   3: S_IFSOCK mode:0777 dev:0,5 ino:45113 uid:500 gid:500 rdev:0,0
      O_RDWR|O_NONBLOCK FD_CLOEXEC
      socket:[45113]
   4: S_IFIFO mode:0600 dev:0,6 ino:45115 uid:500 gid:500 rdev:0,0
      O_RDONLY
      pipe:[45115]
   5: S_IFIFO mode:0600 dev:0,6 ino:45115 uid:500 gid:500 rdev:0,0
      O_WRONLY
      pipe:[45115]
   6: S_IFREG mode:0664 dev:253,0 ino:17105675 uid:500 gid:500 rdev:0,0
      O_WRONLY
      advisory write lock set by process 4118
      /home/eteo/.mozilla/firefox/abcdefgh.default/.parentlock
$ pfiles `pgrep thunderbird-bin` | grep advisory -A1 -B2
   6: S_IFREG mode:0664 dev:253,0 ino:15729244 uid:500 gid:500 rdev:0,0
      O_WRONLY
      advisory write lock set by process 3610
      /home/eteo/.thunderbird/abcdefgh.default/.parentlock

List all sockets opened by ntpd:

$ pfiles `pgrep ntpd` | grep -i port\:
      sockname: AF_INET 0.0.0.0  port: 123
      sockname: AF_INET6 0000:0000:0000:0000:0000:0000:0000:0000  port: 123
      sockname: AF_INET6 0000:0000:0000:0000:0000:0000:0000:0001  port: 123
      sockname: AF_INET6 fe80:0000:0000:0000:0218:8bff:febf:XXXX  port: 123
      sockname: AF_INET 127.0.0.1  port: 123
      sockname: AF_INET 192.168.1.X  port: 123
      sockname: AF_INET6 fe80:0000:0000:0000:0200:00ff:XXXX:0000  port: 123
      sockname: AF_INET 192.168.122.X  port: 123
      sockname: AF_INET 10.64.68.X  port: 123

List all AF_UNIX sockets with paths binded by pidgin:

$ pfiles `pgrep pidgin` | grep -i unix\ \/
       peername: AF_UNIX /tmp/orbit-eteo/linc-c7b-0-13f16bda309e6
       peername: AF_UNIX /var/run/dbus/system_bus_socket
       peername: AF_UNIX /tmp/.ICE-unix/3105
       sockname: AF_UNIX /tmp/orbit-eteo/linc-6a1b-0-3c1dac62998f6
       sockname: AF_UNIX /tmp/orbit-eteo/linc-6a1b-0-3c1dac62998f6

Compare pidgin’s output with the following. Now I know why nothing happens when I try to press ctrl+space in my pidgin chat window. Something is broken.

$ pfiles `pgrep firefox-bin` | grep -i unix\ \/ | grep scim
       peername: AF_UNIX /tmp/scim-bridge-0.3.0.socket-500@localhost:0.0

List opened files that are locked:

$ pfiles 2676 | grep advisory -A1 -B2
  3: S_IFREG mode:0644 dev:253,0 ino:459459 uid:0 gid:0 rdev:0,0
     O_RDWR FD_CLOEXEC
     advisory write lock set by process 2675
     /var/run/crond.pid

bind() was called with INADDR_ANY as its IP address:

$ pfiles `pgrep dnsmasq` | tail -4
 11: S_IFSOCK mode:0777 dev:0,5 ino:8996 uid:99 gid:40 rdev:0,0
     O_RDWR|O_NONBLOCK
     socket:[8996]
       sockname: AF_INET 0.0.0.0  port: 32771

Lessons

You can write very useful systems tools that are not available in Linux with SystemTap. pfiles and plimit are excellent examples.

Reference

  • The GNU C Library - Descriptor Flags

    • Macro int FD_CLOEXEC
      • This flag specifies that the file descriptor should be closed when an exec function is invoked; see Executing a File. When a file descriptor is allocated (as with open or dup), this bit is initially cleared on the new file descriptor, meaning that descriptor will survive into the new program after exec .
  • File Locking

    • F_GETLK
      • If you want to only check to see if there is a lock, but don't want to set one, you can use this command. It looks through all the file locks until it finds one that conflicts with the lock you specified in the struct flock. It then copies the conflicting lock's information into the struct and returns it to you. If it can't find a conflicting lock, fcntl() returns the struct as you passed it, except it sets the l_type field to F_UNLCK.
  • locktst.c test - Andrew's junkcode rocks!


WarStories

None: WSPfiles (last edited 2010-04-19 12:10:27 by 92)