Update opensnoop to filter by PID and TID (iovisor#739)

* Use real PID instead of TID in opensnoop

* Replaced -t for timestamp with -T

* Support TID as well as PID

* Update opensnoop example

* Update man

* Added missing documentation re -n option

* Minor: styling

Author: dinazil

man/man8/opensnoop.8

@@ -2,7 +2,7 @@
 .SH NAME
 opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc.
 .SH SYNOPSIS
-.B opensnoop [\-h] [\-t] [\-x] [\-p PID] [\-n name]
+.B opensnoop [\-h] [\-T] [\-x] [\-p PID] [\-t TID] [\-n name]
 .SH DESCRIPTION
 opensnoop traces the open() syscall, showing which processes are attempting
 to open which files. This can be useful for determining the location of config
@@ -24,7 +24,7 @@ CONFIG_BPF and bcc.
 \-h
 Print usage message.
 .TP
-\-t
+\-T
 Include a timestamp column.
 .TP
 \-x
@@ -33,6 +33,9 @@ Only print failed opens.
 \-p PID
 Trace this process ID only (filtered in-kernel).
 .TP
+\-t TID
+Trace this thread ID only (filtered in-kernel).
+.TP
 \-n name
 Only print processes where its name partially matches 'name'
 .SH EXAMPLES
@@ -43,7 +46,7 @@ Trace all open() syscalls:
 .TP
 Trace all open() syscalls, and include timestamps:
 #
-.B opensnoop \-t
+.B opensnoop \-T
 .TP
 Trace only open() syscalls that failed:
 #
@@ -64,6 +67,9 @@ Time of the call, in seconds.
 PID
 Process ID
 .TP
+TID
+Thread ID
+.TP
 COMM
 Process name
 .TP

tools/opensnoop.py

@@ -4,13 +4,14 @@
 # opensnoop Trace open() syscalls.
 #           For Linux, uses BCC, eBPF. Embedded C.
 #
-# USAGE: opensnoop [-h] [-t] [-x] [-p PID]
+# USAGE: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-n NAME]
 #
 # Copyright (c) 2015 Brendan Gregg.
 # Licensed under the Apache License, Version 2.0 (the "License")
 #
 # 17-Sep-2015   Brendan Gregg   Created this.
-# 29-Apr-2016   Allan McAleavy updated for BPF_PERF_OUTPUT
+# 29-Apr-2016   Allan McAleavy  Updated for BPF_PERF_OUTPUT.
+# 08-Oct-2016   Dina Goldshtein Support filtering by PID and TID.
 
 from __future__ import print_function
 from bcc import BPF
@@ -20,21 +21,24 @@
 # arguments
 examples = """examples:
     ./opensnoop           # trace all open() syscalls
-    ./opensnoop -t        # include timestamps
+    ./opensnoop -T        # include timestamps
     ./opensnoop -x        # only show failed opens
     ./opensnoop -p 181    # only trace PID 181
+    ./opensnoop -t 123    # only trace TID 123
     ./opensnoop -n main   # only print process names containing "main"
 """
 parser = argparse.ArgumentParser(
     description="Trace open() syscalls",
     formatter_class=argparse.RawDescriptionHelpFormatter,
     epilog=examples)
-parser.add_argument("-t", "--timestamp", action="store_true",
+parser.add_argument("-T", "--timestamp", action="store_true",
     help="include timestamp on output")
 parser.add_argument("-x", "--failed", action="store_true",
     help="only show failed opens")
 parser.add_argument("-p", "--pid",
     help="trace this PID only")
+parser.add_argument("-t", "--tid",
+    help="trace this TID only")
 parser.add_argument("-n", "--name",
     help="only print process names containing this name")
 args = parser.parse_args()
@@ -47,67 +51,70 @@
 #include <linux/sched.h>
 
 struct val_t {
-    u32 pid;
+    u64 id;
     u64 ts;
     char comm[TASK_COMM_LEN];
     const char *fname;
 };
 
 struct data_t {
-    u32 pid;
+    u64 id;
     u64 ts;
     int ret;
     char comm[TASK_COMM_LEN];
     char fname[NAME_MAX];
 };
 
-BPF_HASH(args_filename, u32, const char *);
-BPF_HASH(infotmp, u32, struct val_t);
+BPF_HASH(infotmp, u64, struct val_t);
 BPF_PERF_OUTPUT(events);
 
 int trace_entry(struct pt_regs *ctx, const char __user *filename)
 {
     struct val_t val = {};
-    u32 pid = bpf_get_current_pid_tgid();
+    u64 id = bpf_get_current_pid_tgid();
+    u32 pid = id >> 32; // PID is higher part
+    u32 tid = id;       // Cast and get the lower part
 
     FILTER
     if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
-        val.pid = bpf_get_current_pid_tgid();
+        val.id = id;
         val.ts = bpf_ktime_get_ns();
         val.fname = filename;
-        infotmp.update(&pid, &val);
+        infotmp.update(&id, &val);
     }
 
     return 0;
 };
 
 int trace_return(struct pt_regs *ctx)
 {
-    u32 pid = bpf_get_current_pid_tgid();
+    u64 id = bpf_get_current_pid_tgid();
     struct val_t *valp;
     struct data_t data = {};
 
     u64 tsp = bpf_ktime_get_ns();
 
-    valp = infotmp.lookup(&pid);
+    valp = infotmp.lookup(&id);
     if (valp == 0) {
         // missed entry
         return 0;
     }
     bpf_probe_read(&data.comm, sizeof(data.comm), valp->comm);
     bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
-    data.pid = valp->pid;
+    data.id = valp->id;
     data.ts = tsp / 1000;
     data.ret = PT_REGS_RC(ctx);
 
     events.perf_submit(ctx, &data, sizeof(data));
-    infotmp.delete(&pid);
-    args_filename.delete(&pid);
+    infotmp.delete(&id);
 
     return 0;
 }
 """
-if args.pid:
+if args.tid:  # TID trumps PID
+    bpf_text = bpf_text.replace('FILTER',
+        'if (tid != %s) { return 0; }' % args.tid)
+elif args.pid:
     bpf_text = bpf_text.replace('FILTER',
         'if (pid != %s) { return 0; }' % args.pid)
 else:
@@ -125,7 +132,7 @@
 
 class Data(ct.Structure):
     _fields_ = [
-        ("pid", ct.c_ulonglong),
+        ("id", ct.c_ulonglong),
         ("ts", ct.c_ulonglong),
         ("ret", ct.c_int),
         ("comm", ct.c_char * TASK_COMM_LEN),
@@ -137,7 +144,8 @@ class Data(ct.Structure):
 # header
 if args.timestamp:
     print("%-14s" % ("TIME(s)"), end="")
-print("%-6s %-16s %4s %3s %s" % ("PID", "COMM", "FD", "ERR", "PATH"))
+print("%-6s %-16s %4s %3s %s" %
+      ("TID" if args.tid else "PID", "COMM", "FD", "ERR", "PATH"))
 
 # process event
 def print_event(cpu, data, size):
@@ -165,8 +173,9 @@ def print_event(cpu, data, size):
         delta = event.ts - initial_ts
         print("%-14.9f" % (float(delta) / 1000000), end="")
 
-    print("%-6d %-16s %4d %3d %s" % (event.pid, event.comm,
-          fd_s, err, event.fname))
+    print("%-6d %-16s %4d %3d %s" %
+          (event.id & 0xffffffff if args.tid else event.id >> 32,
+           event.comm, fd_s, err, event.fname))
 
 # loop with callback to print_event
 b["events"].open_perf_buffer(print_event)

tools/opensnoop_example.txt

@@ -48,9 +48,9 @@ during application startup.
 
 
 The -p option can be used to filter on a PID, which is filtered in-kernel. Here
-I've used it with -t to print timestamps:
+I've used it with -T to print timestamps:
 
- ./opensnoop -tp 1956
+ ./opensnoop -Tp 1956
 TIME(s)       PID    COMM               FD ERR PATH
 0.000000000   1956   supervise           9   0 supervise/status.new
 0.000289999   1956   supervise           9   0 supervise/status.new
@@ -123,18 +123,22 @@ to the '-n' option.
 USAGE message:
 
 # ./opensnoop -h
-usage: opensnoop [-h] [-t] [-x] [-p PID]
+usage: opensnoop [-h] [-T] [-x] [-p PID] [-t TID] [-n NAME]
 
 Trace open() syscalls
 
 optional arguments:
-  -h, --help         show this help message and exit
-  -t, --timestamp    include timestamp on output
-  -x, --failed       only show failed opens
-  -p PID, --pid PID  trace this PID only
+  -h, --help            show this help message and exit
+  -T, --timestamp       include timestamp on output
+  -x, --failed          only show failed opens
+  -p PID, --pid PID     trace this PID only
+  -t TID, --tid TID     trace this TID only
+  -n NAME, --name NAME  only print process names containing this name
 
 examples:
     ./opensnoop           # trace all open() syscalls
-    ./opensnoop -t        # include timestamps
+    ./opensnoop -T        # include timestamps
     ./opensnoop -x        # only show failed opens
     ./opensnoop -p 181    # only trace PID 181
+    ./opensnoop -t 123    # only trace TID 123
+    ./opensnoop -n main   # only print process names containing "main"