2

I'm quite new to Linux and I have not really a clue on how to do this.

I've got a directory and I'd like to monitor (output to shell) when a file inside that directory get's a file lock and when it is released.

It would be okay to know as well other things, like when a file is created and similar, but I'm mainly interested about the locks.

I don't need to know which process does the lock, it's more about the order in which this happens.

I'm pretty sure some tool for this exists (I already installed dtrace but after --help I decided to ask a question here).

Any pointers warm-heartedly appreciated. I'm running a fedora 14 box if that matters.

hakre
  • 431
  • Have a look at this answer: http://unix.stackexchange.com/questions/6068/is-it-possible-to-find-out-what-program-or-script-created-a-given-file/6080#6080 – Stéphane Gimenez Oct 05 '11 at 22:27
  • @StéphaneGimenez: The suggestion was really good, but I totally failed with both approaches. But that's my fault (not able to get LoggedFS to build and auditctl is installed but I can't get it log because of some errors). – hakre Oct 05 '11 at 23:26

1 Answers1

3

I haven't checked that you will get what you want with it, but the first thing I'd try is the audit subsystem. Make sure that the auditd daemon is started, then use auditctl to configure what you want to log. For ordinary filesystem accesses, you would do

auditctl -w /path/to/directory
auditctl -a exit,always -S fnctl -S open -S flock -F dir=/path/to/directory

The -S option can be used to restrict the logging to specific syscalls. The logs appear in /var/log/audit/audit.log on Debian, and probably on Fedora as well.

If you do know which process(es) may lock the file, then consider running strace on these processes (and only looking at the file-related system calls, or further restricting to specific syscalls).

strace -s9999 -o foo.strace -e file foo
Gilles 'SO- stop being evil'
  • 829,060
  • auditctl -a exit,always -w /path/to/directory -> Error: watch option can't be given with a syscall, I already learned that exit is related to syscall from the manpage. But it didn't help me ;). About strace, I have not tried, as I test a process I launch and it exists (like PHP CGI, but in CLI), is there an option to make strace start the command like with dbg? I think I should be able to dig through the strace output, should be interesting anyway. – hakre Oct 05 '11 at 23:30
  • just installed strace, I already see I can add the command behind, will try with it --- edit: this is cool! – hakre Oct 05 '11 at 23:43
  • @hakre Oops, -w implicitly sets -a. Fixed. In the forme I've given, strace starts the command foo. To attach to a running process, use strace -p1234 where 1234 is the pid. – Gilles 'SO- stop being evil' Oct 05 '11 at 23:43
  • when I remove -S fnctl,open I get auditctl to run and can see the log (same location as on debian). If I don't remove it, I get: Syscall name unknown: fnctl,open. I think fnctl is especially interesting regarding the file-locks. - edit just seeing, it's probably fcntl. However the error message is still the same, maybe the , is not correct or something, will check the manpage. strace does not show any log information. – hakre Oct 06 '11 at 00:06
  • I got this to run now: auditctl -a exit,always -F arch=b64 -S fcntl -S open -F dir=/path/to/dir, but it looks like that I still get no locking info (at least not the one I'm looking for, it's a PHP script, I might need to look into PHP sources if I'm looking in the wrong place). Thanks for your help so far, this is the second time! – hakre Oct 06 '11 at 00:19
  • @hakre There are several system calls that can implement locks. Add at least flock to your list. Strace outputs to a file (foo.strace in my example); you should start with it, so you can see what syscall your program uses to implement locks. – Gilles 'SO- stop being evil' Oct 06 '11 at 00:35
  • I first looked into foo.strace, but I could not see any locking calls. About the files in question it's only open() and unlink(). I might want to check the command line parameters though. I've just seen that not using -e file logs everything (it's only a small script, so was still ok) and there I have flock()'s inside. – hakre Oct 06 '11 at 00:49
  • Okay, I think I now understood a bit more. I need to specify the actual system calls, in my case, those are: open,close,flock,fcntl,fstat,pwrite,write,read. strace is really cool tool to get a view on what's going on. Thanks again for your help. – hakre Oct 06 '11 at 01:00