56 lines
1.5 KiB
Groff
56 lines
1.5 KiB
Groff
.TH mountsnoop 8 "2016-10-14" "USER COMMANDS"
|
|
.SH NAME
|
|
mountsnoop \- Trace mount() and umount() syscalls. Uses Linux eBPF/bcc.
|
|
.SH SYNOPSIS
|
|
.B mountsnoop
|
|
.SH DESCRIPTION
|
|
mountsnoop traces the mount() and umount() syscalls, showing which processes
|
|
are mounting and unmounting filesystems in what mount namespaces. This can be
|
|
useful for troubleshooting system and container setup.
|
|
|
|
This works by tracing the kernel sys_mount() and sys_umount() functions using
|
|
dynamic tracing, and will need updating to match any changes to this function.
|
|
|
|
This makes use of a Linux 4.8 feature (bpf_get_current_task()).
|
|
|
|
Since this uses BPF, only the root user can use this tool.
|
|
.SH REQUIREMENTS
|
|
CONFIG_BPF and bcc.
|
|
.SH FIELDS
|
|
.TP
|
|
COMM
|
|
Process name
|
|
.TP
|
|
PID
|
|
Process ID
|
|
.TP
|
|
TID
|
|
Thread ID
|
|
.TP
|
|
MNT_NS
|
|
Mount namespace inode number
|
|
.TP
|
|
CALL
|
|
System call, arguments, and return value
|
|
.SH OVERHEAD
|
|
This traces the kernel mount and umount functions and prints output for each
|
|
event. As the rate of these calls is generally expected to be very low, the
|
|
overhead is also expected to be negligible. If your system calls mount() and
|
|
umount() at a high rate, then test and understand overhead before use.
|
|
.SH SOURCE
|
|
This is from bcc.
|
|
.IP
|
|
https://github.com/iovisor/bcc
|
|
.PP
|
|
Also look in the bcc distribution for a companion _examples.txt file containing
|
|
example usage, output, and commentary for this tool.
|
|
.SH OS
|
|
Linux
|
|
.SH STABILITY
|
|
Unstable - in development.
|
|
.SH AUTHOR
|
|
Omar Sandoval
|
|
.SH SEE ALSO
|
|
mount(2)
|
|
umount(2)
|