  • Add new mountsnoop tool (#750) · e822a818
    Omar Sandoval authored
    
    Filesystem mounting and unmounting affects an entire system, so this is
    a great candidate for system-wide tracing. mountsnoop.py watches all
    mounts and unmounts and is also mount namespace-aware, which is a
    requirement for working with containers.
    
    Signed-off-by: Omar Sandoval <osandov@fb.com>
mountsnoop_example.txt 1.13 KiB
Demonstrations of mountsnoop.

mountsnoop traces the mount() and umount() syscalls system-wide. For example,
running the following series of commands produces this output:

# mount --bind /mnt /mnt
# umount /mnt
# unshare -m
# mount --bind /mnt /mnt
# umount /mnt

# ./mountsnoop.py
COMM             PID     TID     MNT_NS      CALL
mount            710     710     4026531840  mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
umount           714     714     4026531840  umount("/mnt", 0x0) = 0
unshare          717     717     4026532160  mount("none", "/", "", MS_REC|MS_PRIVATE, "") = 0
mount            725     725     4026532160  mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
umount           728     728     4026532160  umount("/mnt", 0x0) = 0

The output shows the calling command, its process ID and thread ID, the mount
namespace the call was made in, and the call itself.

The mount namespace number is an inode number that uniquely identifies the
namespace in the running system. This can also be obtained from readlink
/proc/$PID/ns/mnt.

Note that because of restrictions in BPF, the string arguments to either
syscall may be truncated.
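
An added example, not part of the original mountsnoop documentation or code: a
Python parser for the output format shown above that picks out calls made from
a mount namespace other than a reference one, and reads a namespace inode from
a /proc/$PID/ns/mnt link. The function names and the assumption that COMM
contains no whitespace are this example's own.

```python
import os
import re

# Rows copied from the demonstration output above (header included).
SAMPLE = """\
COMM             PID     TID     MNT_NS      CALL
mount            710     710     4026531840  mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
umount           714     714     4026531840  umount("/mnt", 0x0) = 0
unshare          717     717     4026532160  mount("none", "/", "", MS_REC|MS_PRIVATE, "") = 0
mount            725     725     4026532160  mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
umount           728     728     4026532160  umount("/mnt", 0x0) = 0
"""

# Assumption: COMM contains no whitespace. Arguments are kept as raw text
# because BPF may have truncated the strings inside them.
ROW = re.compile(r"^(?P<comm>\S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
                 r"(?P<mnt_ns>\d+)\s+(?P<call>u?mount)\((?P<args>.*)\) = (?P<ret>\S+)$")

def parse_row(line):
    """Return one event as a dict, or None for the header and other text."""
    m = ROW.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("pid", "tid", "mnt_ns"):
        ev[key] = int(ev[key])
    return ev

def ns_inode(link):
    """Extract the inode from a /proc/$PID/ns/mnt link target such as 'mnt:[4026531840]'."""
    m = re.fullmatch(r"mnt:\[(\d+)\]", link)
    if m is None:
        raise ValueError("not a mount namespace link: %r" % link)
    return int(m.group(1))

def mnt_ns_of(pid="self"):
    """Mount namespace inode of a live process (Linux only)."""
    return ns_inode(os.readlink("/proc/%s/ns/mnt" % pid))

def outside_namespace(lines, reference_ns):
    """Events issued from any mount namespace other than reference_ns."""
    events = (parse_row(line) for line in lines)
    return [e for e in events if e and e["mnt_ns"] != reference_ns]

if __name__ == "__main__":
    # 4026531840 is the first namespace in the sample; on a live system
    # compare against mnt_ns_of() for the process of interest instead.
    for e in outside_namespace(SAMPLE.splitlines(), 4026531840):
        print(e["mnt_ns"], e["pid"], e["comm"], e["call"], e["ret"])
```

Run against the sample, this reports the three calls made after unshare -m
(PIDs 717, 725 and 728), all in namespace 4026532160.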