Does Linux keep track of all files accessed by a process?
Is there a way to track all file I/O for a given process? All I really need is the location of the files that are read/written by a particular process (and ideally whether it is a read or write operation, although this is not that important).
I can start a process and track it, rather than attach to an existing process, which I assume is much simpler. Is there any wrapper utility I can run it through that will monitor file access?
Try this as a starter:
lsof -p <PID>
This command will list all open files, fd, sockets ...
For your specific needs, here is what I can suggest as a solution for monitoring a PHP script:
php foo.php & _pid=$!
lsof -r1 -p $_pid
kill %1 # if you want to kill PHP
As a better alternative, I recommend using strace:
strace -f -t -e trace=file php foo.php
or for an already running process:
strace -f -t -e trace=file -p <PID>
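To get from the strace output above to the list the question asks for (which paths, and whether each was read or written), the trace can be post-processed. The following is an added example, not code from any of the answers; the names summarize and classify and the sample lines are constructed for illustration, and it only reads open flags, so other file syscalls are reported as "other".

```python
import re
from collections import defaultdict

# Optional "[pid N] " (stderr) or "N " (-o file) prefix, optional -t timestamp,
# then syscall(args) = return value.
LINE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'
    r'(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?'
    r'(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+)')
PATH = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted argument

def classify(call, flags):
    """Map a syscall and its open flags to read / write / read+write / other."""
    if call == "creat":
        return "write"
    if call in ("open", "openat"):
        if "O_RDWR" in flags:
            return "read+write"
        return "write" if "O_WRONLY" in flags else "read"
    return "other"  # execve, stat, access, unlink, ... carry no open flags

def summarize(lines):
    """Return {path: set of modes} for file syscalls that succeeded.

    Signal/exit lines and calls split into '<unfinished ...>' / 'resumed'
    halves do not match LINE and are skipped.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or int(m["ret"]) < 0:  # failed calls did not access the file
            continue
        p = PATH.search(m["args"])
        if p:  # only look for flags after the path, never inside it
            seen[p.group(1)].add(classify(m["call"], m["args"][p.end():]))
    return dict(seen)

# Constructed sample in the format printed by strace -f -t -e trace=file
SAMPLE = """\
12:00:01 execve("/usr/bin/php", ["php", "foo.php"], 0x7ffc0 /* 20 vars */) = 0
12:00:01 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
12:00:01 openat(AT_FDCWD, "/etc/php.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4242] 12:00:02 openat(AT_FDCWD, "/tmp/out.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 4
[pid 4242] 12:00:02 openat(AT_FDCWD, "/tmp/O_RDWR.db", O_RDONLY) = 5
[pid 4242] 12:00:03 openat(AT_FDCWD, "/tmp/cache.db", O_RDWR|O_CREAT, 0600) = 6
[pid 4242] 12:00:03 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
12:00:04 +++ exited with 0 +++
""".splitlines()

if __name__ == "__main__":
    for path, modes in sorted(summarize(SAMPLE).items()):
        print(f"{'/'.join(sorted(modes)):<11} {path}")
```

For a real run, write the trace to a file with strace's -o option and pass the open file object to summarize.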
Something like this can reduce the performance impact of monitoring file activity.
$ watch -n 2.0 timeout 0.2 strace -p `pgrep myprogram` -fe trace=file
Where myprogram is the process name, 2.0 is the period of inactivity between each monitoring period, and 0.2 is the length of the monitoring period in seconds.
strace is an amazing tool, but its output is a bit verbose.
If you want, you can use a tool I wrote that handles the strace output and provides a CSV report of all files accessed (including TCP sockets) with the following details:
1. File name
2. Read/write bytes
3. Number of read/write operations
4. Number of times the file was opened
It can be started on new processes or already running processes (using the /proc/fd data).
I found this useful for debugging scenarios and performance analysis.
You can find it here: iotrace
Output example:
Filename, Read bytes, Written bytes, Opened, Read op, Write op
/dev/pts/1,1,526512,0,1,8904
socket_127.0.0.1:47948->127.0.0.1:22,1781764,396,0,8905,11
myfile.txt,65,0,9,10,0
pipe:[3339],0,0,0,1,0
After that, you can process the CSV data in Excel or other tools for sorting or other required analysis.
The downside is that you have to download and compile, and this is not always 100% accurate.
While this may not give you enough control (yet?), I wrote a program that meets your needs at least partially, using the Linux kernel's fanotify and unshare to monitor only files modified by a particular process and its children. Compared to strace, it's pretty fast (;
It can be found at https://github.com/tycho-kirchner/shournal
Shell example:
$ shournal -e sh -c 'echo hi > foo1; echo hi2 > foo2'
$ shournal -q --history 1
...
Written file(s):
/tmp/foo1 (3 bytes) Hash: 15349503233279147316
/tmp/foo2 (4 bytes) Hash: 2770363686119514911