How to read any process’ /proc/pid/io

diskioproc

I'm trying to monitor disk activity of each process. One way that I found how to do this is to read /proc/pid/io file and compare fields with previous read. That works fine except my monitoring process seem to be able to read only some io files (for example it has no permissions to read apache's). How to read io of others? Also perhaps there is a better way of achieving this goal?

Edit Obviously I could run the process as root, but I'd like to avoid that

Best Answer

Use iotop.

It should be available in your repo for a Redhat/Centos/Fedora machine (if it is not already installed).

It outputs a similar info as top, but instead of the CPU/memory stats, you will get the IO stats (Disk reads, writes and swapin).

The options -p , -u and --only might be of interest to you.

For example, to see the IO activity of the process with ID 5435, use:

iotop -p 5435

From the man page:

   -p PID, --pid=PID
          A list of processes/threads to monitor (all by default).

   -u USER, --user=USER
          A list of users to monitor (all by default)

   -P, --processes
          Only show processes. Normally iotop shows all threads.

Related Solutions

Files bigger than max(off64_t) on Solaris, eg “/proc/../as”

There are on Solaris x86-64 some very large files, whose size exceeds 2⁶³, that is, the maximum size representable in an off64_t. This includes the file representing a process's address space in proc (/proc/<pid>/as).

To deal with these files:

Don't use fopen, fseek, etc. Don't trust the libc stream routines, which (on the versions of Solaris I tested) mangle badly the "illegal" offsets.
Use open64, read.
To seek:
```
static off64_t lseeku64(int file, uint64_t offset /* eg from pr_argv */)
{
#ifndef __sun
  if (offset > 0x7FFFFFFFFFFFFFFFllu) return -1;
#endif
  return lseek64(file, offset, SEEK_SET);
}
```
That is, on Solaris, we know that we can do this cast because of inspection of the OpenSolaris sources, but we should avoid assuming it works on other platforms with psinfo and pr_argv (eg AIX).

But, pass in your very large offset, and it does all "just work".

Log All Commands Executed with Arguments – Easy Methods

Yes, there is a kernel facility: the audit subsystem. The auditd daemon does the logging, and the command auditctl sets up the logging rules. You can log all calls to a specific system alls, with some filtering. If you want to log all commands executed and their arguments, log the execve system call:

auditctl -a exit,always -S execve

To specifically trace the invocation of a specific program, add a filter on the program executable:

auditctl -a exit,always -S execve -F path=/usr/bin/rrdtool

The logs show up in /var/log/audit.log, or wherever your distribution puts them. You need to be root to control the audit subsystem.

Once you're done investigating, use the same command line with -d instead of -a to delete a logging rule, or run auditctl -D to delete all audit rules.

For debugging purposes, replacing the program by a wrapper script gives you more flexibility to log things like the environment, information about the parent process, etc.

Best Answer

Related Solutions

Files bigger than max(off64_t) on Solaris, eg “/proc/../as”

Log All Commands Executed with Arguments – Easy Methods

Related Question