Linux – strace a short-lived process

Tags: events, linux, linux-kernel, process

I'm trying to learn about the behavior of a short-lived process that's created by one of my applications. I know these things about this process:

  1. Part of the name of the process.
  2. The name and PID of the application that will create this process.
  3. Approximately when the process will start (within 5-10 minutes).
  4. After the process has exited, the PID of the process.

Ideally, I would like to:

  1. Have the kernel (or something) notify my script that this process has started.
  2. Run a bunch of tools against the process (iostat, strace, etc.).

Is there a way to have the kernel notify me that a certain process has started, so I can take some action on it?

Running something like while true; do ps -ef | grep ${MY_PROCESS_NAME}; done seems bulky and bad. I would like to be able to be notified when it happens, rather than brute-force search for it.

Or, will I just have to run the tools against the parent process and all child processes, then filter through the output later? For example, strace -ff -o ./some.trace -p ${PARENT_PID}.

Best Answer

You might want to look at execsnoop (assuming your kernel was configured with CONFIG_FTRACE, which is usually the case). This is one of many scripts from the Brendan Gregg trace and performance collection. With no args it shows all commands as they start on the system, or you can give it a regexp to watch.

For example, to look for commands that any existing or new zsh might be starting, do:

sudo /opt/perf-tools-master/bin/execsnoop zsh

It shows me this output when I start a new zsh:

Tracing exec()s issued by process name "zsh". Ctrl-C to end.
Instrumenting sys_execve
   PID   PPID ARGS
 21920  21919 /usr/libexec/grepconf.sh -c
 21923  21922 /usr/bin/tty -s
 21922  21919 /usr/bin/tput colors
 21924  21919 /usr/bin/dircolors --sh /etc/DIR_COLORS.256color
 21925  21919 /usr/bin/grep -qi ^COLOR.*none /etc/DIR_COLORS.256color
 21926  21919 /usr/libexec/grepconf.sh -c
 21928  21919 /usr/libexec/grepconf.sh -c
 21930  21919 uname -m
 21932  21919 /bin/grep -q /usr/lib64/qt-3.3/bin
 21934  21933 /usr/bin/id -u

Once you know the full name of the program being run, typically you would replace that file with a script that runs the original program after adding your hooks. If you cannot do that, you can use something like fanotify(7) to have your snooping program intervene before every file open is allowed to complete. Or perhaps inotifywatch would be fast enough for you to attach an strace to the process.
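The "replace that file with a script that runs the original program after adding your hooks" approach, as an added example that is not part of the original answer; install_trace_wrapper, its argument names and the paths in the usage comment are assumptions:

```shell
#!/bin/sh
# Added example (not from the answer above): install_trace_wrapper is a
# hypothetical helper that writes a wrapper script in place of a short-lived
# program. Each time the application launches the program, the wrapper
# records an strace of it and then execs the real binary with the original
# arguments, so the application sees no change in behaviour.
#
# install_trace_wrapper REAL_BIN WRAPPER_PATH TRACE_DIR
#   REAL_BIN      the original program, already moved aside (e.g. prog.real)
#   WRAPPER_PATH  where to write the wrapper (normally the original's path)
#   TRACE_DIR     receives one strace output file per traced PID
install_trace_wrapper() {
    real_bin=$1; wrapper=$2; trace_dir=$3
    mkdir -p "$trace_dir"
    # Unquoted heredoc: $real_bin and $trace_dir are expanded now; \$ keeps
    # $@ and $$ literal for the generated script.
    cat >"$wrapper" <<EOF
#!/bin/sh
# Generated wrapper: trace, then exec the real program, preserving arguments.
# -ff follows forks into separate files, -tt adds timestamps to each line.
if command -v strace >/dev/null 2>&1; then
    exec strace -ff -tt -o "$trace_dir/trace.\$\$" "$real_bin" "\$@"
fi
# strace missing: never break the caller, just run the original untraced.
exec "$real_bin" "\$@"
EOF
    chmod 755 "$wrapper"
}

# Usage sketch (paths are constructed examples; adjust to your system):
#   mv /usr/libexec/grepconf.sh /usr/libexec/grepconf.sh.real
#   install_trace_wrapper /usr/libexec/grepconf.sh.real \
#       /usr/libexec/grepconf.sh /var/tmp/grepconf-traces
# Afterwards every run leaves /var/tmp/grepconf-traces/trace.<pid>.<pid>
# files to inspect; restore the original with mv when done.
```

Because the wrapper execs the real binary on the strace-missing path, the application keeps working even on hosts where ptrace is unavailable.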
