Some people ask a file is being written by one process and they want to check this process, but they cannot find the process even with sof.
This question is very common and there are many solutions, here we introduce a straightforward method.
In Linux, each file will be stored on one device and of course there will be a relative inode, then we can use vfs.write to know who is writing the inode on one specified device continuously. Luckily there is inodewatch.stp in the installation package of systemtap, it locates at /usr/local/share/doc/systemtap/examples/io. It is used foe above.
Let take a look at the code:
- "color:rgb(85, 85, 85)">$ cat inodewatch.stp
- #! /usr/bin/env stap
- probe vfs.write, vfs.read
- {
- # dev and ino are defined by vfs.write and vfs.read
- if (dev == MKDEV($1,$2) # major/minor device
- && ino == $3)
- printf ("%s(%d) %s 0x%x/%u\n",
- execname(), pid(), probefunc(), dev, ino)
- }
This usage of this method is stap inodewatch.stp major minor ino. Let's create this scenario,: dd will continuously write on one file, we find out the ino of this file and its major and minor of its device, we can find the answer by executing stap.
Let's take a look at the scenario codes:
- $ pwd
- /home/chuba
- $ df
- Filesystem 1K-blocks Used Available Use% Mounted on
- ...
- /dev/sdb1 1621245336 825209568 713681236 54% /home
- ...
- $ ls -al /dev/sdb1
- brw-rw---- 1 root disk 8, 17 Oct 24 11:22 /dev/sdb1
- $ rm -f test.dat && dd if=/dev/zero of=test.dat
- ^C9912890+0 records in
- 9912890+0 records out
- 5075399680 bytes (5.1 GB) copied, 26.8189 s, 189 MB/s
This terminal will simulate the file write, at the same time another terminal will check which process is doing this. Here we can find the major/minor of the device is 8/17.
- $ stat -c '%i' test.dat
- 25337884
- $ sudo stap /usr/local/share/doc/systemtap/examples/io/inodewatch.stp 8 17 25337884
- dd(740) vfs_write 0x800011/25337884
- dd(740) vfs_write 0x800011/25337884
- dd(740) vfs_write 0x800011/25337884
- dd(740) vfs_write 0x800011/25337884
- dd(740) vfs_write 0x800011/25337884
- dd(740) vfs_write 0x800011/25337884
- ...
Have you noticed that dd is the process, PID is 740. It's done. Mission completed.