Differences between revisions 40 and 41
Revision 40 as of 2007-10-15 15:11:33
Size: 4488
Editor: 202-156-12-12
Comment:
Revision 41 as of 2007-10-15 15:11:52
Size: 4489
Editor: 202-156-12-12
Comment:
Line 26: Line 26:
I'm looking for volunteer developer to look into extending this script to report socket information (and maybe other information that are specific to Linux). Take a look at: http://kernelnewbies.org/KernelProjects/pfiles I'm looking for volunteer developer to look into extending this script to report socket information (and maybe other information that are specific to Linux).
Take a look at: http://kernelnewbies.org/KernelProjects/pfiles

pfiles for Linux

Problem

Someone asked if there is a Linux equivalent of the [http://www.scit.wlv.ac.uk/cgi-bin/mansec?1+pfiles Solaris pfiles] tool. pfiles is a Solaris proc utility that reports information about every file a process has open, given the process ID. [http://sources.redhat.com/systemtap/wiki/EugeneTeo Eugene] decided to write a similar tool for Linux using SystemTap.

Scripts

The script is too long to be listed here. Please download the [attachment:pfiles script] (GPL) instead.

It is based on the example outputs in:

TODO:

  • report locked open files [completed 14/10/07]

  • report pathname information [completed 13/10/07]

  • report socket information [use lsof for now]

I'm looking for a volunteer developer to look into extending this script to report socket information (and maybe other information that is specific to Linux). Take a look at: http://kernelnewbies.org/KernelProjects/pfiles

Output

$ pfiles
usage:  pfiles pid ...
  (report open files of each process)
$ pfiles `pgrep firefox` | head -n21 
3914:  -firefox-bin
  Current rlimit: 256 file descriptors
   0: S_IFCHR mode:0620 dev:0,11 ino:6 uid:500 gid:500 rdev:136,4
      O_RDWR 
      /dev/pts/4 (deleted)
   1: S_IFCHR mode:0620 dev:0,11 ino:6 uid:500 gid:500 rdev:136,4
      O_RDWR 
      /dev/pts/4 (deleted)
   2: S_IFCHR mode:0620 dev:0,11 ino:6 uid:500 gid:500 rdev:136,4
      O_RDWR 
      /dev/pts/4 (deleted)
   3: S_IFSOCK mode:0777 dev:0,5 ino:18253 uid:500 gid:500 rdev:0,0
      O_RDWR|O_NONBLOCK|O_NDELAY FD_CLOEXEC
      socket:[18253]
   4: S_IFREG mode:0664 dev:253,0 ino:16253091 uid:500 gid:500 rdev:0,0
      O_WRONLY 
      advisory write lock set by process 3914
      /home/eteo/.mozilla/firefox/4b7rsevm.default/.parentlock
   5: S_IFIFO mode:0600 dev:0,6 ino:18260 uid:500 gid:500 rdev:0,0
      O_RDONLY|O_NONBLOCK|O_NDELAY 
      pipe:[18260]

To gather more information about sockets, you can use lsof with pfiles.

$ sudo /usr/sbin/lsof -i | grep `pgrep firefox`
firefox-b  3914    eteo   47u  IPv4 184119       TCP w.x.y.z:33445->blog3.rhb.hosted.redhat.com:http (ESTABLISHED)
firefox-b  3914    eteo   49u  IPv4 184209       TCP w.x.y.z:35936->mail.samba.org:http (ESTABLISHED)
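
The socket lookup can also be done from /proc directly: the inode in a pfiles line such as socket:[18253] matches the inode column of /proc/net/tcp. The following is an added example in Python, not part of the pfiles script. The function names are hypothetical, and the table rows, the addresses and the pairing of inode 18253 with a TCP connection are constructed. It covers IPv4 TCP only and assumes a little-endian host.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:82A5 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000   500        0 18253 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}


def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' as printed by the kernel on a little-endian host."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return "%s:%d" % (addr, int(port_hex, 16))


def parse_proc_net_tcp(text):
    """Return {inode: (local, remote, state)} for every row in the table."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue                            # truncated or blank row
        local, remote, state, inode = cols[1], cols[2], cols[3], int(cols[9])
        table[inode] = (decode_endpoint(local), decode_endpoint(remote),
                        TCP_STATES.get(state, "UNKNOWN(%s)" % state))
    return table


def describe_socket(fd_target, table):
    """Map a pfiles/readlink target such as 'socket:[18253]' to its TCP endpoints."""
    if not (fd_target.startswith("socket:[") and fd_target.endswith("]")):
        return None                             # not a socket descriptor
    inode = int(fd_target[len("socket:["):-1])
    return table.get(inode)                     # None: not IPv4 TCP (e.g. AF_UNIX)


if __name__ == "__main__":
    # On a live system, read /proc/net/tcp instead of the constructed sample.
    print(describe_socket("socket:[18253]", parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)))
```

A socket inode that does not appear in the table belongs to another family (UNIX, UDP, IPv6), each of which has its own file under /proc/net.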

Lessons

With SystemTap, you can write very useful system tools that are not otherwise available on Linux. [http://sources.redhat.com/systemtap/wiki/WSPfiles pfiles] and [http://sources.redhat.com/systemtap/wiki/WSPlimit plimit] are excellent examples.

Reference

  • [http://www.cs.ui.ac.id/WebKuliah/IKI10100/resources/contest/OnlineJudge/gnudoc/libc/Descriptor_Flags.html The GNU C Library - Descriptor Flags]

    • Macro int FD_CLOEXEC
      • This flag specifies that the file descriptor should be closed when an exec function is invoked; see Executing a File. When a file descriptor is allocated (as with open or dup), this bit is initially cleared on the new file descriptor, meaning that descriptor will survive into the new program after exec.
  • [http://www.ecst.csuchico.edu/~beej/guide/ipc/flock.html File Locking]

    • F_GETLK
      • If you want to only check to see if there is a lock, but don't want to set one, you can use this command. It looks through all the file locks until it finds one that conflicts with the lock you specified in the struct flock. It then copies the conflicting lock's information into the struct and returns it to you. If it can't find a conflicting lock, fcntl() returns the struct as you passed it, except it sets the l_type field to F_UNLCK.
  • [http://samba.org/ftp/unpacked/junkcode/locktst.c locktst.c test] - Andrew's junkcode rocks!


WarStories

None: WSPfiles (last edited 2010-04-19 12:10:27 by 92)