Add new mountsnoop tool (#750)

Filesystem mounting and unmounting affects an entire system, so this is a great candidate for system-wide tracing. mountsnoop.py watches all mounts and unmounts and is also mount namespace-aware, which is a requirement for working with containers. Signed-off-by: Omar Sandoval <osandov@fb.com>

Add new mountsnoop tool (#750)
Filesystem mounting and unmounting affects an entire system, so this is a great candidate for system-wide tracing. mountsnoop.py watches all mounts and unmounts and is also mount namespace-aware, which is a requirement for working with containers. Signed-off-by: Omar Sandoval <osandov@fb.com>
e822a818 · Omar Sandoval · 4ast · accd4cf5 · e822a818 · e822a818
Commit e822a818 authored Oct 16, 2016 by Omar Sandoval Committed by 4ast Oct 16, 2016
Showing with 494 additions and 0 deletions

man/man8/mountsnoop.8 man/man8/mountsnoop.8 +55 -0

tools/mountsnoop.py tools/mountsnoop.py +411 -0

tools/mountsnoop_example.txt tools/mountsnoop_example.txt +28 -0

No files found.
--- a/man/man8/mountsnoop.8
+++ b/man/man8/mountsnoop.8
+.TH mountsnoop 8  "2016-10-14" "USER COMMANDS"
+.SH NAME
+mountsnoop \- Trace mount() and umount() syscalls. Uses Linux eBPF/bcc.
+.SH SYNOPSIS
+.B mountsnoop
+.SH DESCRIPTION
+mountsnoop traces the mount() and umount() syscalls, showing which processes
+are mounting and unmounting filesystems in what mount namespaces. This can be
+useful for troubleshooting system and container setup.
+
+This works by tracing the kernel sys_mount() and sys_umount() functions using
+dynamic tracing, and will need updating to match any changes to this function.
+
+This makes use of a Linux 4.4 feature (bpf_perf_event_output()).
+
+Since this uses BPF, only the root user can use this tool.
+.SH REQUIREMENTS
+CONFIG_BPF and bcc.
+.SH FIELDS
+.TP
+COMM
+Process name
+.TP
+PID
+Process ID
+.TP
+TID
+Thread ID
+.TP
+MNT_NS
+Mount namespace inode number
+.TP
+CALL
+System call, arguments, and return value
+.SH OVERHEAD
+This traces the kernel mount and umount functions and prints output for each
+event. As the rate of these calls is generally expected to be very low, the
+overhead is also expected to be negligible. If your system calls mount() and
+umount() at a high rate, then test and understand overhead before use.
+.SH SOURCE
+This is from bcc.
+.IP
+https://github.com/iovisor/bcc
+.PP
+Also look in the bcc distribution for a companion _examples.txt file containing
+example usage, output, and commentary for this tool.
+.SH OS
+Linux
+.SH STABILITY
+Unstable - in development.
+.SH AUTHOR
+Omar Sandoval
+.SH SEE ALSO
+mount(2)
+umount(2)
--- a/tools/mountsnoop.py
+++ b/tools/mountsnoop.py
--- a/tools/mountsnoop_example.txt
+++ b/tools/mountsnoop_example.txt
+Demonstrations of mountsnoop.
+
+mountsnoop traces the mount() and umount syscalls system-wide. For example,
+running the following series of commands produces this output:
+
+# mount --bind /mnt /mnt
+# umount /mnt
+# unshare -m
+# mount --bind /mnt /mnt
+# umount /mnt
+
+# ./mountsnoop.py
+COMM             PID     TID     MNT_NS      CALL
+mount            710     710     4026531840  mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
+umount           714     714     4026531840  umount("/mnt", 0x0) = 0
+unshare          717     717     4026532160  mount("none", "/", "", MS_REC|MS_PRIVATE, "") = 0
+mount            725     725     4026532160  mount("/mnt", "/mnt", "", MS_MGC_VAL|MS_BIND, "") = 0
+umount           728     728     4026532160  umount("/mnt", 0x0) = 0
+
+The output shows the calling command, its process ID and thread ID, the mount
+namespace the call was made in, and the call itself.
+
+The mount namespace number is an inode number that uniquely identifies the
+namespace in the running system. This can also be obtained from readlink
+/proc/$PID/ns/mnt.
+
+Note that because of restrictions in BPF, the string arguments to either
+syscall may be truncated.