dtrace discuss - Aug 2010 - dtrace file/directory removal

Hi,

I have a Solaris 10 system and I see the a directory gets deleted in the 
middle of the night by one of the process, but I don''t know which one.

I tried the  following example (replacing zfs with ufs):

#!/usr/sbin/dtrace -ws

/*
 *
 * filemon_zfs.d - Monitors specific file access
 *               Written using DTrace.
 *
 *
 * $Id: filemon_zfs.d 1 2010-03-12 14:16:26Z sergio $
 *
 * USAGE:       filemon_zfs.d
 *
 *  eg,
 *       ./filemon_zfs.d /var/adm/messages   # Monitor access to 
/var/adm/messages
 *
 * Must be root or with DTrace role privilege
 *
 * NOTES: This script uses dtrace so it should work on Solaris or 
OpenSolaris
 *
 * THANKS: The students of a DTrace course for the idea
 *
 * COPYRIGHT: Copyright (c) 2008 Sergio Rodriguez de Guzman Martinez
 *
 * CDDL HEADER START
 *
 *  The contents of this file are subject to the terms of the
 *  Common Development and Distribution License, Version 1.0 only
 *  (the "License").  You may not use this file except in compliance
 *  with the License.
 *
 *  You can obtain a copy of the license at Docs/cddl1.txt
 *  or http://www.opensolaris.org/os/licensing.
 *  See the License for the specific language governing permissions
 *  and limitations under the License.
 *
 * CDDL HEADER END
 *
 * Author: Sergio Rodriguez de Guzman [Madrid, Spain]
 *
 * 12-03-2010  Sergio Rodriguez de Guzman   Created this.
 *
 *
 */

#pragma D option quiet

BEGIN
{
        printf ("%20s%20s%8s%10s%10s\n", "DATE",
"CMD", "R/W/D", "USER",
"PID");
}

zfs_read:entry,
zfs_getpage:entry
{
       self->filepath = args[0]->v_path;
}

zfs_write:entry,
zfs_putpage:entry
{
       self->filepath = args[0]->v_path;
}

zfs_write:return,
zfs_putpage:return
/ strstr(stringof(self->filepath), $1) != NULL /
{
       printf("%20Y%20s%8s%10d%10d\n",
                walltimestamp, execname, "W", uid, pid);
       self->filepath = 0;
}

zfs_read:return,
zfs_getpage:return
/ strstr(stringof(self->filepath), $1) != NULL /
{
       printf("%20Y%20s%8s%10d%10d\n",
                walltimestamp, execname, "R", uid, pid);
       self->filepath = 0;
}

zfs_remove:entry
{
        self->filepath = strjoin( stringof(args[0]->v_path), "/"
);
        self->filepath = strjoin( self->filepath, stringof(args[1]) );
}

zfs_remove:return
/ strstr(stringof(self->filepath), $1) != NULL /
{
        printf("%20Y%20s%8s%10d%10d\n",
                walltimestamp, execname, "D", uid, pid);
}

But when I create and remove a directory I only get a read/write event.

Thank you
Markus

Would something like 

 dtrace -qn syscall::rmdir:entry''{printf("%s(%d) removed
%s\n",execname,pid,copyinstr(arg0))}''

do the trick?

-Angelo

 
On Aug 4, 2010, at 4:49 PM, Markus Moeller wrote:
> Hi,
> 
> I have a Solaris 10 system and I see the a directory gets deleted in the
middle of the night by one of the process, but I don''t know which one.
> 
> I tried the  following example (replacing zfs with ufs):
> 
> #!/usr/sbin/dtrace -ws
> 
> /*
> *
> * filemon_zfs.d - Monitors specific file access
> *               Written using DTrace.
> *
> *
> * $Id: filemon_zfs.d 1 2010-03-12 14:16:26Z sergio $
> *
> * USAGE:       filemon_zfs.d
> *
> *  eg,
> *       ./filemon_zfs.d /var/adm/messages   # Monitor access to
/var/adm/messages
> *
> * Must be root or with DTrace role privilege
> *
> * NOTES: This script uses dtrace so it should work on Solaris or
OpenSolaris
> *
> * THANKS: The students of a DTrace course for the idea
> *
> * COPYRIGHT: Copyright (c) 2008 Sergio Rodriguez de Guzman Martinez
> *
> * CDDL HEADER START
> *
> *  The contents of this file are subject to the terms of the
> *  Common Development and Distribution License, Version 1.0 only
> *  (the "License").  You may not use this file except in
compliance
> *  with the License.
> *
> *  You can obtain a copy of the license at Docs/cddl1.txt
> *  or http://www.opensolaris.org/os/licensing.
> *  See the License for the specific language governing permissions
> *  and limitations under the License.
> *
> * CDDL HEADER END
> *
> * Author: Sergio Rodriguez de Guzman [Madrid, Spain]
> *
> * 12-03-2010  Sergio Rodriguez de Guzman   Created this.
> *
> *
> */
> 
> #pragma D option quiet
> 
> BEGIN
> {
>       printf ("%20s%20s%8s%10s%10s\n", "DATE",
"CMD", "R/W/D", "USER", "PID");
> }
> 
> zfs_read:entry,
> zfs_getpage:entry
> {
>      self->filepath = args[0]->v_path;
> }
> 
> zfs_write:entry,
> zfs_putpage:entry
> {
>      self->filepath = args[0]->v_path;
> }
> 
> zfs_write:return,
> zfs_putpage:return
> / strstr(stringof(self->filepath), $1) != NULL /
> {
>      printf("%20Y%20s%8s%10d%10d\n",
>               walltimestamp, execname, "W", uid, pid);
>      self->filepath = 0;
> }
> 
> zfs_read:return,
> zfs_getpage:return
> / strstr(stringof(self->filepath), $1) != NULL /
> {
>      printf("%20Y%20s%8s%10d%10d\n",
>               walltimestamp, execname, "R", uid, pid);
>      self->filepath = 0;
> }
> 
> zfs_remove:entry
> {
>       self->filepath = strjoin( stringof(args[0]->v_path),
"/" );
>       self->filepath = strjoin( self->filepath, stringof(args[1]) );
> }
> 
> zfs_remove:return
> / strstr(stringof(self->filepath), $1) != NULL /
> {
>       printf("%20Y%20s%8s%10d%10d\n",
>               walltimestamp, execname, "D", uid, pid);
> }
> 
> But when I create and remove a directory I only get a read/write event.
> 
> Thank you
> Markus 
> 
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org


Angelo Rajadurai, 
Principal Software Engineer

Oracle Developers, Applications and Partners
p: +1 650 633 7351
Email: angelo.rajadurai at oracle.com



-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20100804/a5196081/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ora_logo_small.gif
Type: image/gif
Size: 2059 bytes
Desc: not available
URL:
<http://mail.opensolaris.org/pipermail/dtrace-discuss/attachments/20100804/a5196081/attachment.gif>