trace_mount
The trace_mount gadget emits events when mount and unmount system calls are made.
Getting started
Running the gadget:
- kubectl gadget
- ig
$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_mount:latest [flags]
$ sudo ig run ghcr.io/inspektor-gadget/gadget/trace_mount:latest [flags]
Flags
--pid
Show only events generated by process with this PID
Default value: ""
Guide
First, we need to run an application that generates some events.
- kubectl gadget
- ig
$ kubectl run mypod --restart=Never --image=busybox -- sh -c 'while /bin/true ; do mount /mnt /mnt ; sleep 3 ; done'
pod/mypod created
$ docker run --privileged --name test-trace-mount -d busybox /bin/sh -c 'while /bin/true ; do mount /bar /foo ; sleep 3 ; done'
Then, let's run the gadget:
- kubectl gadget
- ig
Using the trace_mount gadget, we can see which processes mount and unmount filesystems.
We can simply filter for the pod mypod and omit specifying the node,
thus tracing on all nodes for a pod called mypod:
$ kubectl gadget run trace_mount:latest --podname mypod
K8S.NODE K8S.NAMESPACE K8S.PODNAME K8S.CONTAINERNAME COMM PID TID DELTA FLAGS CALL ERROR
minikube-docker default mypod mypod mount 36469 36469 3318 MS_SILENT mount("/mnt", "/mnt", "ext… ENOENT
minikube-docker default mypod mypod mount 36469 36469 1321 MS_SILENT mount("/mnt", "/mnt", "ext… ENOENT
minikube-docker default mypod mypod mount 36469 36469 1187 MS_SILENT mount("/mnt", "/mnt", "ext… ENOENT
minikube-docker default mypod mypod mount 36469 36469 1655 MS_SILENT mount("/mnt", "/mnt", "squ… ENOENT
minikube-docker default mypod mypod mount 36469 36469 1257 MS_SILENT mount("/mnt", "/mnt", "vfa… ENOENT
minikube-docker default mypod mypod mount 36469 36469 1211 MS_SILENT mount("/mnt", "/mnt", "fus… ENOENT
minikube-docker default mypod mypod mount 36474 36474 3496 MS_SILENT mount("/mnt", "/mnt", "ext… ENOENT
minikube-docker default mypod mypod mount 36474 36474 1638 MS_SILENT mount("/mnt", "/mnt", "ext… ENOENT
^C
We can stop the gadget by hitting Ctrl-C.
$ sudo ig run trace_mount:latest --containername test-trace-mount
WARN[0000] Ignoring runtime "cri-o" with non-existent socketPath "/run/crio/crio.sock"
RUNTIME.CONTAINERNAME COMM PID TID DELTA FLAGS CALL ERROR
test-trace-mount mount 51158 51158 3460 MS_SILENT mount("/bar", "/foo", "ext3", MS_SILENT,… ENOENT
test-trace-mount mount 51158 51158 1250 MS_SILENT mount("/bar", "/foo", "ext2", MS_SILENT,… ENOENT
test-trace-mount mount 51158 51158 130208 MS_SILENT mount("/bar", "/foo", "ext4", MS_SILENT,… ENOENT
test-trace-mount mount 51158 51158 1762 MS_SILENT mount("/bar", "/foo", "squashf", MS_SILE… ENOENT
test-trace-mount mount 51158 51158 1200 MS_SILENT mount("/bar", "/foo", "vfat", MS_SILENT,… ENOENT
test-trace-mount mount 51158 51158 1199 MS_SILENT mount("/bar", "/foo", "fuseblk", MS_SILE… ENOENT
^C
Finally, clean the system:
- kubectl gadget
- ig
$ kubectl delete pod mypod
$ docker rm -f test-trace-mount