add opensnoop tool

README.md

@@ -155,6 +155,7 @@ bpftrace contains various tools, which also serve as examples of programming in
 - tools/[gethostlatency.bt](tools/gethostlatency.bt): Show latency for getaddrinfo/gethostbyname[2] calls. [Examples](tools/gethostlatency_example.txt).
 - tools/[killsnoop.bt](tools/killsnoop.bt): Trace signals issued by the kill() syscall. [Examples](tools/killsnoop_example.txt).
 - tools/[loads.bt](tools/loads.bt): Print load averages. [Examples](tools/loads_example.txt).
+- tools/[opensnoop.bt](tools/loads.bt): Trace open() syscalls showing filenames. [Examples](tools/opensnoop_example.txt).
 - tools/[pidpersec.bt](tools/pidpersec.bt): Count new procesess (via fork). [Examples](tools/pidpersec_example.txt).
 - tools/[vfscount.bt](tools/vfscount.bt): Count VFS calls. [Examples](tools/vfscount_example.txt).
 - tools/[vfsstat.bt](tools/vfsstat.bt): Count some VFS calls, with per-second summaries. [Examples](tools/vfsstat_example.txt).

man/man8/opensnoop.8

+.TH opensnoop 8  "2018-09-08" "USER COMMANDS"
+.SH NAME
+opensnoop.bt \- Trace open() syscalls. Uses bpftrace/eBPF.
+.SH SYNOPSIS
+.B opensnoop.bt
+.SH DESCRIPTION
+opensnoop traces the open() syscall, showing which processes are attempting
+to open which files. This can be useful for determining the location of config
+and log files, or for troubleshooting applications that are failing, specially
+on startup.
+
+This works by tracing the open() sysscall tracepoint.
+
+Since this uses BPF, only the root user can use this tool.
+.SH REQUIREMENTS
+CONFIG_BPF and bcc.
+.SH EXAMPLES
+.TP
+Trace all open() syscalls:
+#
+.B opensnoop.bt
+.SH FIELDS
+PID
+Process ID
+.TP
+TID
+Thread ID
+.TP
+COMM
+Process name
+.TP
+FD
+File descriptor (if success), or -1 (if failed)
+.TP
+ERR
+Error number (see the system's errno.h)
+.TP
+PATH
+Open path
+.SH OVERHEAD
+This traces the open tracepoint and prints output for each event. As the
+rate of this is generally expected to be low (< 1000/s), the overhead is also
+expected to be negligible. If you have an application that is calling a high
+rate of open()s, then test and understand overhead before use.
+.SH SOURCE
+This is from bpftrace.
+.IP
+https://github.com/iovisor/bpftrace
+.PP
+Also look in the bpftrace distribution for a companion _examples.txt file containing
+example usage, output, and commentary for this tool.
+
+This is a bpftrace version of the bcc tool of the same name. The bcc tool
+may provide more options and customizations.
+.IP
+https://github.com/iovisor/bcc
+.SH OS
+Linux
+.SH STABILITY
+Unstable - in development.
+.SH AUTHOR
+Brendan Gregg
+.SH SEE ALSO
+statsnoop(8), execsnoop(8)

tools/opensnoop.bt

+/*
+ * opensnoop	Trace open() syscalls.
+ *		For Linux, uses bpftrace and eBPF.
+ *
+ * Also a basic example of bpftrace.
+ *
+ * USAGE: opensnoop.bt
+ *
+ * This is a bpftrace version of the bcc tool of the same name.
+ *
+ * Copyright 2018 Netflix, Inc.
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ *
+ * 08-Sep-2018	Brendan Gregg	Created this.
+ */
+
+BEGIN
+{
+	printf("Tracing open syscalls... Hit Ctrl-C to end.\n");
+	printf("%-6s %-16s %4s %3s %s\n", "PID", "COMM", "FD", "ERR", "PATH");
+}
+
+tracepoint:syscalls:sys_enter_open
+{
+	$file = *(ctx + 16);
+	@filename[tid] = $file;
+}
+
+tracepoint:syscalls:sys_exit_open
+/@filename[tid]/
+{
+	$ret = *(ctx + 16);
+	$fd = $ret > 0 ? $ret : 0 - 1;
+	$errno = $ret > 0 ? 0 : 0 - $ret;
+
+	printf("%-6d %-16s %4d %3d %s\n", pid, comm, $fd, $errno,
+	    str(@filename[tid]));
+	delete(@filename[tid]);
+}

tools/opensnoop_example.txt

+Demonstrations of opensnoop, the Linux bpftrace/eBPF version.
+
+
+opensnoop traces the open() syscall system-wide, and prints various details.
+Example output:
+
+# bpftrace opensnoop.bt
+Attaching 3 probes...
+Tracing open syscalls... Hit Ctrl-C to end.
+PID    COMM               FD ERR PATH
+2440   snmp-pass           4   0 /proc/cpuinfo
+2440   snmp-pass           4   0 /proc/stat
+25706  ls                  3   0 /etc/ld.so.cache
+25706  ls                  3   0 /lib/x86_64-linux-gnu/libselinux.so.1
+25706  ls                  3   0 /lib/x86_64-linux-gnu/libc.so.6
+25706  ls                  3   0 /lib/x86_64-linux-gnu/libpcre.so.3
+25706  ls                  3   0 /lib/x86_64-linux-gnu/libdl.so.2
+25706  ls                  3   0 /lib/x86_64-linux-gnu/libpthread.so.0
+25706  ls                  3   0 /proc/filesystems
+25706  ls                  3   0 /usr/lib/locale/locale-archive
+25706  ls                  3   0 .
+1744   snmpd               8   0 /proc/net/dev
+1744   snmpd              21   0 /proc/net/if_inet6
+1744   snmpd              21   0 /sys/class/net/eth0/device/vendor
+1744   snmpd              21   0 /sys/class/net/eth0/device/device
+1744   snmpd              21   0 /proc/sys/net/ipv4/neigh/eth0/retrans_time_ms
+1744   snmpd              21   0 /proc/sys/net/ipv6/neigh/eth0/retrans_time_ms
+1744   snmpd              21   0 /proc/sys/net/ipv6/conf/eth0/forwarding
+1744   snmpd              21   0 /proc/sys/net/ipv6/neigh/eth0/base_reachable_time_ms
+1744   snmpd              -1   2 /sys/class/net/lo/device/vendor
+1744   snmpd              21   0 /proc/sys/net/ipv4/neigh/lo/retrans_time_ms
+1744   snmpd              21   0 /proc/sys/net/ipv6/neigh/lo/retrans_time_ms
+1744   snmpd              21   0 /proc/sys/net/ipv6/conf/lo/forwarding
+1744   snmpd              21   0 /proc/sys/net/ipv6/neigh/lo/base_reachable_time_ms
+2440   snmp-pass           4   0 /proc/cpuinfo
+2440   snmp-pass           4   0 /proc/stat
+22884  pickup             12   0 maildrop
+2440   snmp-pass           4   0 /proc/cpuinfo
+2440   snmp-pass           4   0 /proc/stat
+
+While tracing, at "ls" command was launched: the libraries it uses can be seen
+as they were opened. Also, the snmpd process opened various /proc and /sys
+files (reading metrics).
+was starting up: a new process).
+
+opensnoop can be useful for discovering configuration and log files, if used
+during application startup.
+
+
+There is another version of this tool in bcc: https://github.com/iovisor/bcc
+The bcc version provides command line options to customize the output.