Version: latest

trace_open

The trace_open gadget emits events when files are opened.

Getting started

Running the gadget:

kubectl gadget
ig

$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_open:latest [flags]

$ sudo ig run ghcr.io/inspektor-gadget/gadget/trace_open:latest [flags]

Flags

`--failed`

Show only failed events

Default value: "false"

`--pid`

Show only events generated by processes with this pid

Default value: ""

`--uid`

Show only events generated by processes with this uid

Default value: ""

Guide

This example shows how to use this gadget.

First, we need to run an application that generates some events.

kubectl gadget
ig

$ kubectl run --restart=Never --image=busybox mypod -- sh -c 'while /bin/true ; do whoami ; sleep 3 ; done'
pod/mypod created

$ docker run --name test-trace-open -d busybox /bin/sh -c 'while /bin/true ; do whoami ; sleep 3 ; done'

Then, let's run the gadget:

kubectl gadget
ig

Using the trace_open gadget, we can see which processes open what files. We can simply filter for the pod "mypod" and omit specifying the node, thus tracing on all nodes for a pod called "mypod":

$ kubectl gadget run trace_open:latest --podname mypod
K8S.NODE           K8S.NAMESPACE K8S.PODNAME   K8S.CONTAINE… COMM        PID     TID      UID      GID  FD FNAME                    MODE    ERROR
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /etc/ld.so.cache         ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/g… ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/g… ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/t… ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/t… ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/t… ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/t… ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/x… ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/x… ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/x… ------… ENOEN
minikube-docker    default       mypod         mypod         true     511559  511559        0        0   0 /lib/x86_64-linux-gnu/l… ------… ENOEN
...
minikube-docker    default       mypod         mypod         whoami   511560  511560        0        0   0 /lib/x86_64/libm.so.6    ------… ENOEN
minikube-docker    default       mypod         mypod         whoami   511560  511560        0        0   3 /lib/libm.so.6           ------…
minikube-docker    default       mypod         mypod         whoami   511560  511560        0        0   3 /lib/libresolv.so.2      ------…
minikube-docker    default       mypod         mypod         whoami   511560  511560        0        0   3 /lib/libc.so.6           ------…
minikube-docker    default       mypod         mypod         whoami   511560  511560        0        0   3 /etc/passwd              ------…
^C

Seems the whoami command opens "/etc/passwd" to map the user ID to a user name. We can stop the gadget by hitting Ctrl-C.

$ sudo ig run trace_open:latest --containername test-trace-open
WARN[0000] Ignoring runtime "cri-o" with non-existent socketPath "/run/crio/crio.sock"
WARN[0000] Ignoring runtime "podman" with non-existent socketPath "/run/podman/podman.sock"
RUNTIME.CONTAINERNA… COMM                PID         TID         UID        GID  FD FNAME                    MODE       ERROR   TIMESTAMP
test-trace-open      true             515458      515458           0          0   0 /etc/ld.so.cache         ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      true             515458      515458           0          0   0 /lib/x86_64-linux-gnu/g… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      true             515458      515458           0          0   0 /lib/x86_64-linux-gnu/g… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      true             515458      515458           0          0   0 /lib/x86_64-linux-gnu/t… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      true             515458      515458           0          0   0 /lib/x86_64-linux-gnu/t… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      true             515458      515458           0          0   0 /lib/x86_64-linux-gnu/t… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      true             515458      515458           0          0   0 /lib/x86_64-linux-gnu/t… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      true             515458      515458           0          0   0 /lib/x86_64-linux-gnu/x… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      true             515458      515458           0          0   0 /lib/x86_64-linux-gnu/x… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      true             515458      515458           0          0   0 /lib/x86_64-linux-gnu/x… ---------- ENOENT  2024-07-29T16:53:44.0…
...
test-trace-open      whoami           515459      515459           0          0   0 /lib/tls/x86_64/libm.so… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      whoami           515459      515459           0          0   0 /lib/tls/libm.so.6       ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      whoami           515459      515459           0          0   0 /lib/x86_64/x86_64/libm… ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      whoami           515459      515459           0          0   0 /lib/x86_64/libm.so.6    ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      whoami           515459      515459           0          0   0 /lib/x86_64/libm.so.6    ---------- ENOENT  2024-07-29T16:53:44.0…
test-trace-open      whoami           515459      515459           0          0   3 /lib/libm.so.6           ----------         2024-07-29T16:53:44.0…
test-trace-open      whoami           515459      515459           0          0   3 /lib/libresolv.so.2      ----------         2024-07-29T16:53:44.0…
test-trace-open      whoami           515459      515459           0          0   3 /lib/libc.so.6           ----------         2024-07-29T16:53:44.0…
test-trace-open      whoami           515459      515459           0          0   3 /etc/passwd              ----------         2024-07-29T16:53:44.0…
^C

Finally, clean the system:

kubectl gadget
ig

$ kubectl delete pod mypod

$ docker rm -f test-trace-open

trace_open

Getting started​

Flags​

--failed​

--pid​

--uid​

Guide​