System tap

System tap

One stap to know

T-Dose 6 November 2010

Marcel Nijenhof

marcel.nijenhof@proxy.nl

http://pion.xs4all.nl/lezingen/system-tap2010.pdf

Index

• Introduction

• What is system tap

• Small examples

• System tap examples

Marcel Nijenhof

• Proxy

– Employee

– Unix administrator

• LPI Nederland

– Board member – Proctor

• NLLGG

– Board member 10 Years

Why only one stap?

The command line interface to system tap

stap

Compare system tap with other tools

• Placing printf statements in the code

– But without recompilation

• strace

– But then on all processes

• iostat, vmstat, top

– But more details available

• dtrace

– But that is for solaris

What is system tap

• A interface to collect data from the kernel

– Creates kernel probes

– Collects information during the probes

• A scripting language

– AWK like language

• probe

• code

– Processes data

• Print

• Filter

• Summarize

• Insert these statements in the running code!

Probes

• System calls

– syscall.open – vm.brk

– kprocess.create

– kernel.function("<function>")

• Timed events

– begin – end

– timer.s, timer.ms, timer.us

• Trace points

Probe code

• Functions

– uid()

– execname() – printf()

• Variables

– Created and typed automatically – Hashes

– global/local – Operators

• c like syntax

Systemtap script

• Generates kernel module

– C code compiled to module – Module loaded in the kernel – Creates the kernel probes – Creates the statistics

• Results of the probes

– Processed by user process – Creates output

hello.stp

• The script:

#!/usr/bin/stap probe begin {

  printf ("Hello world\n")   exit ()

}

• The execution:

# ./hello.stp Hello world

#

open.stp

• Print file open events with the time:

#!/usr/bin/stap global start_time probe begin {

  start_time=gettimeofday_ns() }

probe syscall.open {

  printf ("%16u\t%s\t%s(%d) open (%s)\n",

         gettimeofday_ns()­start_time, ctime(gettimeofday_s()),          execname(), pid(), argstr)

}

• 53398704690   Sun Oct 31 21:45:01 2010 crond(1105)

         open ("/etc/passwd", O_RDONLY|O_CLOEXEC|O_CLOEXEC)

Statistics

• Count events during a period

– Create hash tables for types of events – Creates hash tables for processes

– Summarizes sizes

• Print results after a period

– Clear hashes – Start again

time.stp

• Just print the time every second probe timer.s(1) {

        printf ("%20s\n", ctime(gettimeofday_s())) }

• Tue Nov  2 22:46:16 2010 Tue Nov  2 22:46:17 2010 Tue Nov  2 22:46:18 2010

Statistics of file open

• global open;

probe timer.s(10) {

printf ("%20s: %i\n", ctime(gettimeofday_s()), open) open = 0

}

probe syscall.open { open++

}

• Tue Nov 2 22:52:42 2010: 0 Tue Nov 2 22:52:52 2010: 0 Tue Nov 2 22:53:02 2010: 523 Tue Nov 2 22:53:12 2010: 672 Tue Nov 2 22:53:22 2010: 504

Lets use hashes for processes

• global open_s;

probe timer.s(10) {

printf ("%20s:\n", ctime(gettimeofday_s())) foreach (execname in open_s­ limit 10) {

printf ("\t%i: %s\n", open_s[execname],        execname)

}

delete open_s }

probe syscall.open {

open_s[execname()]++

}

Result

15: sleep

Tue Nov  2 23:21:20 2010:

2457: ps 510: top 126: df 112: file 108: du

Tue Nov  2 23:21:30 2010:

2184: ps 680: top

But what about the: Pid, Opened file

global open_s;

probe timer.s(10) {

  foreach ([pid, exec, file] in open_s­ limit 10) {     printf ("\t%i: %i\\%s ­> %s\n",

       open_s[pid, exec, file], pid, exec, file)     }

  delete open_s }

probe syscall.open {

  open_s[pid(), execname(), user_string($filename)]++

}

System tap examples (documentation)

• iotop

– Gives the io per process every 5 seconds

• topsys

– Gives a count of system calls of the last 5 seconds

iotop

Thu Nov  4 21:15:38 2010 , Average:   2Kb/sec, Read:      13Kb, Write:      0Kb

     UID      PID     PPID       CMD   DEVICE    T        BYTES      500     1441     1419      ls     vda1    R        13657      500     1441     1419      bash     vda1    R      531

Thu Nov  4 21:15:43 2010 , Average: 333Kb/sec, Read:     835Kb, Write:    830Kb

     UID      PID     PPID       CMD   DEVICE    T        BYTES      500     1442     1419      cp     dm­1    R       854522      500     1442     1419      cp     dm­3    W       850714      500     1442     1419      bash     vda1    R      531

systap

      SYSCALL      COUNT

      brk     129464

       read         47

      fcntl         40

      ppoll         25

      nanosleep         20

       rt_sigprocmask      4

      write      2

       select      2

      clock_gettime      2

       gettimeofday      1

       epoll_wait      1

Questions

Presentation

• Documentation

– http://sourceware.org/systemtap/documentation.html

• Tutorial

• Beginner's Guide

• Language Reference

• Tapset Reference

– http://pion.xs4all.nl/lezingen/System-tap2010.pdf

• Copyright: CC Some rights reserved

– The proxy logo and the presentation template – The lpi logo

– The nllgg logo

Note: Clipart from http://www.openclipart.org