fix filelife missing output (#729)

ba404cfe · Brendan Gregg · 4ast · 6e60fbc8 · ba404cfe · ba404cfe
Commit ba404cfe authored Oct 04, 2016 by Brendan Gregg Committed by 4ast Oct 04, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

man/man8/filelife.8 man/man8/filelife.8 +3 -3

tools/filelife.py tools/filelife.py +3 -0

No files found.
--- a/man/man8/filelife.8
+++ b/man/man8/filelife.8
@@ -9,9 +9,9 @@ on who deleted the file, the file age, and the file name. The intent is to
 provide information on short-lived files, for debugging or performance
 analysis.

-This works by tracing the kernel vfs_create() and vfs_delete() functions using
-dynamic tracing, and will need updating to match any changes to these
-functions.
+This works by tracing the kernel vfs_create() and vfs_delete() functions (and
+maybe more, see the source) using dynamic tracing, and will need updating to
+match any changes to these functions.

 This makes use of a Linux 4.5 feature (bpf_perf_event_output());
 for kernels older than 4.5, see the version under tools/old,

--- a/tools/filelife.py
+++ b/tools/filelife.py
@@ -120,6 +120,9 @@ if debug:
 # initialize BPF
 b = BPF(text=bpf_text)
 b.attach_kprobe(event="vfs_create", fn_name="trace_create")
+# newer kernels (say, 4.8) may don't fire vfs_create, so record (or overwrite)
+# the timestamp in security_inode_create():
+b.attach_kprobe(event="security_inode_create", fn_name="trace_create")
 b.attach_kprobe(event="vfs_unlink", fn_name="trace_unlink")

 # header