def main():
    """Entry point: trace mount() and umount() syscalls with BPF kprobes.

    Parses the command line, prepends the container filter produced by
    filter_by_containers() to the module-level ``bpf_text`` (with ``--ebpf``
    the resulting C source is printed and the program exits), loads the
    program through bcc, attaches entry and return probes to the mount and
    umount syscall handlers, prints a column header and then polls the
    ``events`` perf buffer until interrupted.
    """
    global bpf_text

    parser = argparse.ArgumentParser(
        description='trace mount() and umount() syscalls')
    parser.add_argument("--ebpf", action="store_true", help=argparse.SUPPRESS)
    parser.add_argument("-P", "--parent_process", action="store_true",
                        help="also snoop the parent process")
    parser.add_argument("--cgroupmap",
                        help="trace cgroups in this BPF map only")
    parser.add_argument("--mntnsmap",
                        help="trace mount namespaces in this BPF map only")
    args = parser.parse_args()

    # Per-call state handed to print_event() on every perf-buffer callback.
    pending_mounts = {}
    pending_umounts = {}

    # Container scoping (--cgroupmap / --mntnsmap) is spliced in front of the
    # C source before it is compiled.
    bpf_text = filter_by_containers(args) + bpf_text
    if args.ebpf:
        # Dump the generated program instead of loading it.
        print(bpf_text)
        exit()

    b = bcc.BPF(text=bpf_text)

    # Resolve the kernel symbol for each syscall and hook entry and return.
    probe_specs = (
        ("mount", "syscall__mount", "do_ret_sys_mount"),
        ("umount", "syscall__umount", "do_ret_sys_umount"),
    )
    for syscall, entry_fn, return_fn in probe_specs:
        fnname = b.get_syscall_fnname(syscall)
        b.attach_kprobe(event=fnname, fn_name=entry_fn)
        b.attach_kretprobe(event=fnname, fn_name=return_fn)

    handler = functools.partial(
        print_event, pending_mounts, pending_umounts, args.parent_process)
    b['events'].open_perf_buffer(handler)

    # Header layout depends on whether parent-process columns were requested.
    if args.parent_process:
        header_fmt = '{:16} {:<7} {:<7} {:16} {:<7} {:<11} {}'
        columns = ('COMM', 'PID', 'TID', 'PCOMM', 'PPID', 'MNT_NS', 'CALL')
    else:
        header_fmt = '{:16} {:<7} {:<7} {:<11} {}'
        columns = ('COMM', 'PID', 'TID', 'MNT_NS', 'CALL')
    print(header_fmt.format(*columns))

    # Block on the perf buffer until Ctrl-C.
    try:
        while True:
            b.perf_buffer_poll()
    except KeyboardInterrupt:
        exit()
# Splice the requested CLI filters into the BPF C source before it is
# compiled. Every FILTER_* token is a placeholder in bpf_text; placeholders
# for filters that were not requested are blanked out further down.
if args.pid:
    # NOTE(review): args.pid is interpolated into C source verbatim, so this is
    # only well-formed if the parser declared it with type=int — confirm at the
    # add_argument call, which is outside this excerpt.
    bpf_text = bpf_text.replace('FILTER_PID',
        'if (pid != %s) { return 0; }' % args.pid)
if args.port:
    # Ports are coerced through int(), so the generated condition is numeric.
    sports = [int(sport) for sport in args.port.split(',')]
    sports_if = ' && '.join(['sport != %d' % sport for sport in sports])
    bpf_text = bpf_text.replace(
        'FILTER_PORT',
        'if (%s) { currsock.delete(&tid); return 0; }' % sports_if)
if args.uid:
    # NOTE(review): same caveat as args.pid — relies on an int-typed argument.
    bpf_text = bpf_text.replace('FILTER_UID',
        'if (uid != %s) { return 0; }' % args.uid)
if args.errors:
    bpf_text = bpf_text.replace('FILTER_ERRORS', 'ignore_errors = 0;')
# Container scoping (cgroupmap / mntnsmap) is prepended to the C source.
bpf_text = filter_by_containers(args) + bpf_text
# Remove any placeholder that no filter above replaced.
bpf_text = bpf_text.replace('FILTER_PID', '')
bpf_text = bpf_text.replace('FILTER_PORT', '')
bpf_text = bpf_text.replace('FILTER_UID', '')
bpf_text = bpf_text.replace('FILTER_ERRORS', '')

# selecting output format - 80 characters or wide, fitting IPv6 addresses
# Narrow (80-column) layout is the default; --wide widens the address column.
header_fmt = "%8s %-12.12s %-4s %-15s %-5s %5s %2s"
output_fmt = b"%8d %-12.12s %-4.4s %-15.15s %5d %-5s %2d"
error_header_fmt = "%3s "
error_output_fmt = b"%3s "
error_value_fmt = str
if args.wide:
    header_fmt = "%10s %-12.12s %-4s %-39s %-5s %5s %2s"
    output_fmt = b"%10d %-12.12s %-4s %-39s %5d %-5s %2d"
    error_header_fmt = "%-25s "
    # NOTE(review): the rest of this branch is not visible in this excerpt.
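parser = argparse.ArgumentParser(
    description="Trace system tps",
    formatter_class=argparse.RawDescriptionHelpFormatter,
    epilog=examples)
parser.add_argument("--cgroupmap",
    help="trace cgroups in this BPF map only")
parser.add_argument("--mntnsmap",
    help="trace mount namespaces in this BPF map only")
args = parser.parse_args()

# read BPF program
# os.path.join rather than string concatenation: when __file__ is a bare
# filename, os.path.dirname() returns "" and "" + "/exit.c" would point at
# the filesystem root instead of the script's own directory.
module_path = os.path.dirname(__file__)
filename = os.path.join(module_path, 'exit.c')
with open(filename, mode="r") as file:
    prog = file.read()
# Container scoping (--cgroupmap / --mntnsmap) is prepended to the C source
# before it is compiled.
prog = filter_by_containers(args) + prog

# load BPF program
b = BPF(text=prog)

# header
# NOTE(review): this banner names sys_read, but the only handler visible here
# consumes "close_events" — confirm which call the C program actually traces.
print("Start monitoring the sys_read system call")


def sys_exit_close(cpu, data, size):
    """Perf-buffer callback: decode one record from b["close_events"] and print it.

    Args:
        cpu: CPU the record was emitted on (unused here).
        data: raw record pointer handed over by the perf buffer.
        size: record size in bytes (unused here).
    """
    event = b["close_events"].event(data)
    # NOTE(review): fields are rendered with str(); if event.comm is a
    # bytes/char array this prints as b'...' rather than the bare name.
    print(" ".join(str(value)
                   for value in (event.comm, event.pid, event.fd, event.ret)))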