trace_open
The trace_open gadget emits events when files are opened.
Getting started
Running the gadget:
- kubectl gadget
$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_open:latest [flags]
- ig
$ sudo ig run ghcr.io/inspektor-gadget/gadget/trace_open:latest [flags]
Flags
--failed
Show only failed events
Default value: "false"
--pid
Show only events generated by processes with this pid
Default value: ""
--uid
Show only events generated by processes with this uid
Default value: ""
Guide
This example shows how to use this gadget.
First, we need to run an application that generates some events.
- kubectl gadget
$ kubectl run --restart=Never --image=busybox mypod -- sh -c 'while /bin/true ; do whoami ; sleep 3 ; done'
pod/mypod created
- ig
$ docker run --name test-trace-open -d busybox /bin/sh -c 'while /bin/true ; do whoami ; sleep 3 ; done'
Then, let's run the gadget:
- kubectl gadget
Using the trace_open gadget, we can see which processes open which files. Filtering on the pod name "mypod" without specifying a node traces every pod called "mypod" on all nodes:
$ kubectl gadget run trace_open:latest --podname mypod
K8S.NODE K8S.NAMESPACE K8S.PODNAME K8S.CONTAINE… COMM PID TID UID GID FD FNAME MODE ERROR
minikube-docker default mypod mypod true 511559 511559 0 0 0 /etc/ld.so.cache ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/g… ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/g… ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/t… ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/t… ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/t… ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/t… ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/x… ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/x… ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/x… ------… ENOEN
minikube-docker default mypod mypod true 511559 511559 0 0 0 /lib/x86_64-linux-gnu/l… ------… ENOEN
...
minikube-docker default mypod mypod whoami 511560 511560 0 0 0 /lib/x86_64/libm.so.6 ------… ENOEN
minikube-docker default mypod mypod whoami 511560 511560 0 0 3 /lib/libm.so.6 ------…
minikube-docker default mypod mypod whoami 511560 511560 0 0 3 /lib/libresolv.so.2 ------…
minikube-docker default mypod mypod whoami 511560 511560 0 0 3 /lib/libc.so.6 ------…
minikube-docker default mypod mypod whoami 511560 511560 0 0 3 /etc/passwd ------…
^C
It seems the whoami command opens "/etc/passwd" to map the user ID to a user name. We can stop the gadget by hitting Ctrl-C.
- ig
$ sudo ig run trace_open:latest --containername test-trace-open
RUNTIME.CONTAINERNA… COMM PID TID UID GID FD FNAME MODE ERROR TIMESTAMP
test-trace-open true 515458 515458 0 0 0 /etc/ld.so.cache ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open true 515458 515458 0 0 0 /lib/x86_64-linux-gnu/g… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open true 515458 515458 0 0 0 /lib/x86_64-linux-gnu/g… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open true 515458 515458 0 0 0 /lib/x86_64-linux-gnu/t… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open true 515458 515458 0 0 0 /lib/x86_64-linux-gnu/t… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open true 515458 515458 0 0 0 /lib/x86_64-linux-gnu/t… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open true 515458 515458 0 0 0 /lib/x86_64-linux-gnu/t… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open true 515458 515458 0 0 0 /lib/x86_64-linux-gnu/x… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open true 515458 515458 0 0 0 /lib/x86_64-linux-gnu/x… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open true 515458 515458 0 0 0 /lib/x86_64-linux-gnu/x… ---------- ENOENT 2024-07-29T16:53:44.0…
...
test-trace-open whoami 515459 515459 0 0 0 /lib/tls/x86_64/libm.so… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open whoami 515459 515459 0 0 0 /lib/tls/libm.so.6 ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open whoami 515459 515459 0 0 0 /lib/x86_64/x86_64/libm… ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open whoami 515459 515459 0 0 0 /lib/x86_64/libm.so.6 ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open whoami 515459 515459 0 0 0 /lib/x86_64/libm.so.6 ---------- ENOENT 2024-07-29T16:53:44.0…
test-trace-open whoami 515459 515459 0 0 3 /lib/libm.so.6 ---------- 2024-07-29T16:53:44.0…
test-trace-open whoami 515459 515459 0 0 3 /lib/libresolv.so.2 ---------- 2024-07-29T16:53:44.0…
test-trace-open whoami 515459 515459 0 0 3 /lib/libc.so.6 ---------- 2024-07-29T16:53:44.0…
test-trace-open whoami 515459 515459 0 0 3 /etc/passwd ---------- 2024-07-29T16:53:44.0…
^C
Finally, clean the system:
- kubectl gadget
$ kubectl delete pod mypod
- ig
$ docker rm -f test-trace-open
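The ig table shown in the guide can be post-processed to review which commands open sensitive files. The following is an added example, not part of the Inspektor Gadget documentation or code: it parses rows in that column layout, handles the ERROR column being blank on successful opens, and reports opens of watched files by commands outside a baseline. The sample rows, the `cat` events, the watch list and the baseline are constructed assumptions.

```python
import re

# Constructed sample in the layout of the `ig run trace_open` table above:
# CONTAINER COMM PID TID UID GID FD FNAME MODE [ERROR] TIMESTAMP
SAMPLE = """\
RUNTIME.CONTAINERNAME COMM PID TID UID GID FD FNAME MODE ERROR TIMESTAMP
test-trace-open whoami 515459 515459 0 0 0 /lib/x86_64/libm.so.6 ---------- ENOENT 2024-07-29T16:53:44.0
test-trace-open whoami 515459 515459 0 0 3 /etc/passwd ---------- 2024-07-29T16:53:44.0
...
test-trace-open cat 515470 515470 1000 1000 0 /etc/shadow ---------- EACCES 2024-07-29T16:53:47.0
test-trace-open cat 515471 515471 0 0 3 /etc/shadow ---------- 2024-07-29T16:53:50.0
^C
"""

ERRNO = re.compile(r"^E[A-Z0-9]+$")        # errno names such as ENOENT, EACCES
WATCHED = {"/etc/passwd", "/etc/shadow"}   # hypothetical watch list
BASELINE = {"/etc/passwd": {"whoami"}}     # hypothetical expected readers

def parse_line(line):
    """Return one event as a dict, or None for header, "...", "^C" and blank lines."""
    parts = line.split()
    if len(parts) < 10 or not parts[2].isdigit():
        return None
    container, comm, pid, tid, uid, gid, fd = parts[:7]
    rest = parts[7:]
    timestamp = rest.pop()
    # ERROR is blank when the open succeeded, so the column may be absent.
    error = rest.pop() if ERRNO.match(rest[-1]) else ""
    mode = rest.pop()
    # Whatever remains is the file name, which may itself contain spaces.
    return {"container": container, "comm": comm, "pid": int(pid), "uid": int(uid),
            "fd": int(fd), "fname": " ".join(rest), "mode": mode,
            "error": error, "timestamp": timestamp}

def review(text, watched=WATCHED, baseline=BASELINE):
    """List opens of watched files by commands outside the baseline."""
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["fname"] not in watched:
            continue
        if ev["comm"] in baseline.get(ev["fname"], set()):
            continue
        findings.append((ev["comm"], ev["pid"], ev["uid"], ev["fname"],
                         ev["error"] or "opened"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Values that the table truncates with "…" will not match an exact watch-list path, so long file names need an untruncated capture before this kind of matching is reliable.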