Re: [PATCH] tracer for sys_open() - sreadahead

[Harald Hoyer]

Karel Zak wrote:
> On Thu, Feb 05, 2009 at 03:44:42PM +0100, Harald Hoyer wrote:
> > Ingo Molnar wrote:
> > > * Pavel Machek <pavel@xxxxxxx> wrote:
> > >
> > > > On Tue 2009-01-27 12:08:04, Kok, Auke wrote:
> > > > > This tracer monitors regular file open() syscalls. This is a fast
> > > > > and low-overhead alternative to strace, and does not allow or
> > > > > require to be attached to every process.
> > > > >
> > > > > The tracer only logs succesfull calls, as those are the only ones we
> > > > > are currently interested in, and we can determine the absolute path
> > > > > of these files as we log.
> > > > Maybe fanotify() should be used instead?
> > > >
> > > > Or maybe just plain strace? One slow boot should not really hurt...
> > > ptrace is out of question for good tracing because it's not a 
> > > transparent probe. (ptrace monopolizes the traced task - if we use that 
> > > then we break regular strace usage.)
> > >
> > > 	Ingo
> > Can strace can be used on init?
> >
> > $ man strace
> > ...
> >        On Linux, exciting as it would be, tracing the init process is forbidden.
> > ...
> >
> > Any hope getting _any_ mechanism in the kernel??
>
>  Do you remember Linux Auditing System? That's RH's baby with hooks to
>  all relevant syscalls. It would be better to fix/improve the current
>  kernel mechanisms that introduce a new one.
>
>     Karel


Yes, I do remember it, because this is how the current fedora readahead gathers 
its data. It delays the audit daemon, because there is no clean way to hook into 
the stream. I asked to add a second "channel" (auditd wants the kernel socket 
for its own)...

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/