Hey.
Several years ago I wrote this article for the sandbox, dreaming of becoming part of the Habr community. Today, digging into the drafts, I discovered it unpublished (based on the materials of this article I wrote a page on the wiki) and decided to publish it with the goal of collecting feedback and user cases from people using SystemTap in their work.
1. What is SystemTap, for whom and why is it needed?
SystemTap is a tool that allows you to collect and analyze information about a running Linux system.
Unlike built-in tools such as netstat, ps and top, SystemTap was designed to offer more flexibility in how information is collected and presented.
SystemTap consists of a command-line interface and a scripting language.
System administrators can use SystemTap to monitor and analyze system performance, and software developers can use it to analyze application behavior on a running system.
Companies such as Red Hat, IBM, Oracle Corporation and Hitachi participate in the development of the SystemTap project.
2. How does SystemTap work?
The main idea of SystemTap is to mark events and assign handlers to them.
While the script runs, SystemTap monitors the events and, as soon as an event occurs, the kernel executes the corresponding handler.
Events can be the start or end of a SystemTap session, the triggering of a timer, and others.
The handler is a sequence of script statements that will be executed after an event is triggered. Usually, handlers retrieve information from the event context or display information on the screen.
The SystemTap session begins when we run the script. At this time, the following sequence of actions occurs:
1. First, SystemTap checks the script against the tapset library;
2. Then SystemTap translates the script into C and runs the system compiler to create a kernel module from it;
3. SystemTap loads the module and activates all the events in the script;
4. As soon as an event occurs, the event handler is executed;
5. When all events are completed, the module is unloaded and the session ends;
3. How to write SystemTap scripts?
About events in SystemTap
There are 2 types of events in SystemTap: synchronous and asynchronous.
Synchronous events are bound to instructions at a specific place in the kernel code.
Examples of synchronous events:
- syscall.system_call
- vfs.file_operation
- kernel.function("function")
- module("module").function("function")
Asynchronous events are not tied to a specific instruction or a specific place in the kernel code.
Examples of asynchronous events:
- begin - the start of the SystemTap session
- end - the end of the SystemTap session
- timer.event() - countdown timer (timer.s(4) - the event will fire every 4 seconds)
About handlers in SystemTap
The event handler is enclosed in braces ({}).
To print to the screen, use the formatted output function printf("format string\n", arguments), which works like the function of the same name in C.
Some SystemTap functions useful with printf():
- pid () - process ID
- uid () - user ID
- execname () - process name
- cpu () - processor number
We write a script
Script:
probe syscall.open
{
    printf("%s(%d) open\n", execname(), pid())
}
Result:
vmware-guestd (2206) open
hald (2360) open
hald (2360) open
hald (2360) open
df (3433) open
df (3433) open
df (3433) open
hald (2360) open
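The script above prints one line per open() call, which on a busy machine quickly becomes unreadable. The following script, added here as an example and not part of the original article, combines the event types described above: two synchronous events (entry to and return from the open() system call), the asynchronous begin, end and timer.s() events, and associative arrays to aggregate the data. Instead of a line per call, it keeps a per-process count of open() calls and of those that failed, and prints the five busiest processes every 5 seconds and the full table when the session ends. It assumes the syscall.open and syscall.open.return probes from the tapset library and that kernel debuginfo is installed so stap can build the module; on recent distributions, where glibc issues openat() instead of open(), the probes would need to be syscall.openat and syscall.openat.return.

```systemtap
#!/usr/bin/stap
# Added example, not code from the original article.
# Counts open() calls per process, including failed ones, and reports
# the busiest processes periodically and at the end of the session.

global opens    # associative array: process name -> number of open() calls
global failed   # associative array: process name -> open() calls that returned an error

# asynchronous event: fires once when the session starts
probe begin {
    printf("Tracing open() calls... press Ctrl-C to stop\n")
}

# synchronous event: every entry into the open() system call
probe syscall.open {
    opens[execname()]++
}

# synchronous event on return from open(); 'retval' is provided by the tapset,
# a negative value means the call failed (for example, permission denied)
probe syscall.open.return {
    if (retval < 0)
        failed[execname()]++
}

# asynchronous event: every 5 seconds print the five processes with the most calls
# ('opens-' iterates in descending order of value, 'limit 5' stops after five entries)
probe timer.s(5) {
    printf("\n%-20s %8s %8s\n", "process", "opens", "failed")
    foreach (name in opens- limit 5)
        printf("%-20s %8d %8d\n", name, opens[name], failed[name])
}

# asynchronous event: fires when the session ends (Ctrl-C); print the full table
probe end {
    printf("\nTotal open() calls by process:\n")
    foreach (name in opens-)
        printf("%-20s %8d %8d\n", name, opens[name], failed[name])
}
```

Save it as, for example, opens.stp and run it with stap opens.stp; adding -v makes stap print each of the passes listed in section 2 (parsing, resolving tapsets, translation to C, compiling the module, running it), which is a convenient way to see where a script fails to build. Reading failed[name] for a process that never had a failed call returns 0, which is why the table needs no special handling for missing keys.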
This concludes the overview of SystemTap.
To learn more about SystemTap, I recommend visiting the official site.