tracing at filesystem level

tracing at filesystem level

[devzero]

Hello,

i`d like to be able to trace filesystem access at early boot time, i.e to see what files being opened/closed on early boot (and later on).

one possible way to do it is using nfs-root, so we can trace it at the network or server level -  but how can this be done without using network filesystem ?

i came across tracefs (http://www.filesystems.org/docs/tracefs-fast04/tracefs.pdf) which looks very promising, but it seems it`s not actively maintained.

isn`t there a standard way to do that with recent kernels ?
i searched for a while but didn`t find something appropriate....

regards
Roland

ps:
this is also very interesting for intrusion detection - think of virtual machine`s filesystem activity being watched trough serial console (i.e. 
with nothing running in userspace and without hackers ability to disable it)
____________________________________________________________________
Psssst! Schon vom neuen WEB.DE MultiMessenger gehört? 
Der kann`s mit allen: http://www.produkte.web.de/messenger/?did=3123

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: tracing at filesystem level

[Francis Moreau]

devzero@web.de writes:

> i`d like to be able to trace filesystem access at early boot time,
> i.e to see what files being opened/closed on early boot (and later
> on).
>
> one possible way to do it is using nfs-root, so we can trace it at
> the network or server level - but how can this be done without using
> network filesystem ?
>
> i came across tracefs
> (http://www.filesystems.org/docs/tracefs-fast04/tracefs.pdf) which
> looks very promising, but it seems it`s not actively maintained.
>
> isn`t there a standard way to do that with recent kernels ?  i
> searched for a while but didn`t find something appropriate....

Wouldn't inotify be appropriate for this ?

Francis

Re: tracing at filesystem level

[devzero]

hi francis, 

thanks for the hint!

i must admit, that i underestimated the capabilities of inotify - maybe i didn`t give it another try for too long....

what i didn`t expect is that i can use it for adding watches for thousands and thousands of files.
seems to work great and performs well.

meanwhile, i came across systemtap and found this is quite suitable, too.

regards
roland


> -----Ursprüngliche Nachricht-----
> Von: "Francis Moreau" <francis.moro@gmail.com>
> Gesendet: 22.11.08 08:50:35
> An: devzero@web.de
> CC: linux-fsdevel@vger.kernel.org
> Betreff: Re: tracing at filesystem level


> devzero@web.de writes:
> 
> > i`d like to be able to trace filesystem access at early boot time,
> > i.e to see what files being opened/closed on early boot (and later
> > on).
> >
> > one possible way to do it is using nfs-root, so we can trace it at
> > the network or server level - but how can this be done without using
> > network filesystem ?
> >
> > i came across tracefs
> > (http://www.filesystems.org/docs/tracefs-fast04/tracefs.pdf) which
> > looks very promising, but it seems it`s not actively maintained.
> >
> > isn`t there a standard way to do that with recent kernels ?  i
> > searched for a while but didn`t find something appropriate....
> 
> Wouldn't inotify be appropriate for this ?
> 
> Francis
> 
> 


_________________________________________________________________________
Sensationsangebot nur bis 30.11: WEB.DE FreeDSL - Telefonanschluss + DSL 
für nur 16,37 Euro/mtl.!* http://dsl.web.de/?ac=OM.AD.AD008K13805B7069a

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html