I'm trying to learn about the behavior of a short-lived process that's created by one of my applications. I know these things about this process:
- Part of the name of the process.
- The name and PID of the application that will create this process.
- Approximately when the process will start (within 5-10 minutes).
- After the process has exited, the PID of the process.
Ideally, I would like to:
- Have the kernel (or something) notify my script that this process has started.
- Run a bunch of tools against the process (iostat, strace, etc).
Is there a way to have the kernel notify me that a certain process has started, so I can take some action on it?
Running something like `while true; do ps -ef | grep ${MY_PROCESS_NAME}; done` seems bulky and bad. I would like to be able to be notified when it happens, rather than brute-force search for it.
Or, will I just have to run the tools against the parent process and all child processes, then filter through the output later? For example, `strace -ff -o ./some.trace -p ${PARENT_PID}`.
Best Answer
You might want to look at execsnoop (assuming your kernel was configured with CONFIG_FTRACE, which is usually the case). This is one of many scripts from the Brendan Gregg trace and performance collection. With no args it shows all commands as they start on the system, or you can give it a regexp to watch.
For example, to look for commands that any existing or new `zsh` might be starting, do:
It shows me this output when I start a new zsh:
Once you know the full name of the program being run, typically you would replace that file with a script that runs the original program after adding your hooks. If you cannot do that, you can use something like `fanotify(7)` to have your snooping program intervene before every file open is allowed to complete. Or perhaps `inotifywatch` would be fast enough for you to attach an `strace` to the process.
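An added example, not code from the answer above, of the ftrace tracepoint that execsnoop's ftrace version builds on: it enables `sched_process_exec`, reads `trace_pipe` until an executable path matching a pattern is run, then attaches `strace` to that PID. It assumes root and tracefs mounted at /sys/kernel/tracing; the `TRACEFS` variable, the function names and the sample trace line are mine.

```shell
#!/bin/sh
# Added example (not from the answer): watch the sched_process_exec tracepoint
# and attach strace to the first new process whose executable matches a pattern.
# Assumes root and tracefs; older kernels mount it at /sys/kernel/debug/tracing.
TRACEFS=${TRACEFS:-/sys/kernel/tracing}
EVENT="$TRACEFS/events/sched/sched_process_exec"

# Extract "<filename> <pid>" from one trace_pipe line of the exec tracepoint.
# A line looks like this (constructed sample):
#   zsh-1234  [001] .... 12345.678901: sched_process_exec: filename=/usr/bin/zsh pid=1235 old_pid=1235
parse_exec_event() {
    printf '%s\n' "$1" |
        sed -n 's/.*sched_process_exec: filename=\([^ ]*\) pid=\([0-9]*\) .*/\1 \2/p'
}

# Return 0 if the executable path matches the caller's pattern (grep ERE).
matches_target() {   # $1 = filename, $2 = pattern
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Enable the tracepoint, read trace_pipe until a matching exec, strace that PID.
watch_and_trace() {  # $1 = pattern, $2 = strace output file (default ./target.trace)
    pattern=$1; out=${2:-./target.trace}
    echo 1 > "$EVENT/enable" || { echo "need root and tracefs at $TRACEFS" >&2; return 1; }
    trap 'echo 0 > "$EVENT/enable"' EXIT        # disable the tracepoint on exit
    while IFS= read -r line; do
        set -- $(parse_exec_event "$line")      # $1 = filename, $2 = pid (or nothing)
        [ $# -eq 2 ] || continue
        if matches_target "$1" "$pattern"; then
            echo "exec of $1 as pid $2, attaching strace" >&2
            strace -f -o "$out" -p "$2"
            return 0
        fi
    done < "$TRACEFS/trace_pipe"
}

# Only start watching when invoked as: ./execwatch.sh --watch 'zsh$' ./zsh.trace
if [ "${1:-}" = "--watch" ]; then
    shift
    watch_and_trace "$@"
fi
```

Attaching after the exec notification is racy for a process that exits within milliseconds; in that case the wrapper-script approach from the answer, which hooks the program before it runs, is the reliable option.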