Hi FrenKy,
You are on the right track. You can look at the write syscall. Here
are a couple of one-liners that may help.

If you are looking for all the processes that are writing to any
nohup.out anywhere in the system, then use

# dtrace -n 'syscall::write:entry /strstr(fds[arg0].fi_pathname,"nohup.out")!=0/ {printf("%s wrote to %s\n",execname,fds[arg0].fi_pathname)}'

If you know the exact nohup.out file name then

# dtrace -n 'syscall::write:entry /fds[arg0].fi_pathname=="/tmp/nohup.out"/ {printf("%s wrote to %s\n",execname,fds[arg0].fi_pathname)}'

[Replace /tmp/nohup.out with the absolute path of the file]

Note that these scripts will only catch the processes that are writing
to nohup.out and not all the processes that have the nohup.out open.

Here is how this works. Basically you have registered for the
syscall::write:entry event (in DTrace terminology you have enabled a
probe). When this event happens (in DTrace terminology when the probe
fires) you check to see if this write is of interest using a predicate
(between the two / /). In the predicate you are looking at the fds
array that has a translation for all the fds of that process. The
fi_pathname has the full name of the file. You are using arg0 as the
index of the array as the first argument in write(2) is the file
descriptor. If the file is of interest (in your case nohup.out) you
then print out the name of the process.

Now if you know the exact location of nohup.out, then a simple compare
(==) is all you need. If you do not know the exact location or you
want to look for all nohup.out writers then you use the strstr()
function to do the compare.

Hope this helps.

Angelo

On Oct 13, 2009, at 4:20 AM, FrenKy wrote:
> Hi *,
> I'm very new with dtrace, but I have one problem and dtrace looks to
> be a promising candidate for analysis.
>
> I have a Solaris 10 system which has many, many processes all sending
> their stdout to one file (one master process which starts all
> processes is started as "nohup masterProc &") and all the children's
> output ends up in nohup.out.
>
> On the platform I'm working on, it is strictly forbidden to
> write anything to stdout or stderr (tracing mechanism exists) so I
> have to figure out which of the processes is writing to the file.
>
> I have an idea which one it is, but I do not know exactly how to
> check.
> Was thinking about syscall::write:entry, but I'm not sure...
>
> Is there some "dtrace bible" going around?
>
> Thanks in advance!
> --
> This message posted from opensolaris.org
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org
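
The predicate-on-fds[] technique from the reply above, written out as a script. This is an added example and not part of the original thread: it goes beyond the one-liners by also probing writev(2) and by totalling calls and bytes per process instead of printing every write. The substring "nohup.out" is taken from the thread; the self->hit flag and the aggregation names are illustrative.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the thread): summarise which processes
 * write to any file whose path contains "nohup.out".
 * Run as root; press Ctrl-C to print the totals.
 */
#pragma D option quiet

syscall::write:entry,
syscall::writev:entry
/strstr(fds[arg0].fi_pathname, "nohup.out") != NULL/
{
    /* arg0 is the file descriptor; keep it for the return probe. */
    self->fd = arg0;
    self->hit = 1;
}

/* On return, arg0 is the byte count, or -1 if the call failed. */
syscall::write:return,
syscall::writev:return
/self->hit && (ssize_t)arg0 > 0/
{
    @calls[pid, execname, fds[self->fd].fi_pathname] = count();
    @bytes[pid, execname, fds[self->fd].fi_pathname] = sum(arg0);
}

/* Always clear the thread-local state, even for failed writes. */
syscall::write:return,
syscall::writev:return
/self->hit/
{
    self->fd = 0;
    self->hit = 0;
}

dtrace:::END
{
    printf("%-8s %-16s %-40s %10s\n", "PID", "EXECNAME", "FILE", "CALLS");
    printa("%-8d %-16s %-40s %@10d\n", @calls);
    printf("\n%-8s %-16s %-40s %10s\n", "PID", "EXECNAME", "FILE", "BYTES");
    printa("%-8d %-16s %-40s %@10d\n", @bytes);
}
```

Keying the aggregations on pid as well as execname separates several instances of the same binary, which matters when one master process starts many children that all inherit the same stdout.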