tools: add filegone to trace why file gone (iovisor#4333)

Author: curu

README.md

@@ -114,6 +114,7 @@ pair of .c and .py files, and some are directories of files.
 - tools/[ext4dist](tools/ext4dist.py): Summarize ext4 operation latency distribution as a histogram. [Examples](tools/ext4dist_example.txt).
 - tools/[ext4slower](tools/ext4slower.py): Trace slow ext4 operations. [Examples](tools/ext4slower_example.txt).
 - tools/[filelife](tools/filelife.py): Trace the lifespan of short-lived files. [Examples](tools/filelife_example.txt).
+- tools/[filegone](tools/filegone.py): Trace why file gone (deleted or renamed). [Examples](tools/filegone_example.txt).
 - tools/[fileslower](tools/fileslower.py): Trace slow synchronous file reads and writes. [Examples](tools/fileslower_example.txt).
 - tools/[filetop](tools/filetop.py): File reads and writes by filename and process. Top for files. [Examples](tools/filetop_example.txt).
 - tools/[funccount](tools/funccount.py): Count kernel function calls. [Examples](tools/funccount_example.txt).

man/man8/filegone.8

@@ -0,0 +1,65 @@
+.TH filegone 8  "2022-11-18" "USER COMMANDS"
+.SH NAME
+filegone \- Trace why file gone (deleted or renamed). Uses Linux eBPF/bcc.
+.SH SYNOPSIS
+.B filegone [\-h] [\-p PID]
+.SH DESCRIPTION
+This traces why file gone/vanished, providing information on who deleted or
+renamed the file. 
+
+This works by tracing the kernel vfs_unlink() , vfs_rmdir() , vfs_rename
+functions.
+
+Since this uses BPF, only the root user can use this tool.
+.SH REQUIREMENTS
+CONFIG_BPF and bcc.
+.SH OPTIONS
+.TP
+\-h
+Print usage message.
+.TP
+\-p PID
+Trace this process ID only (filtered in-kernel).
+.SH EXAMPLES
+.TP
+Trace all file gone events
+#
+.B filegone
+.TP
+Trace file gone events caused by PID 181:
+#
+.B filegone \-p 181
+.SH FIELDS
+.TP
+TIME
+Time of the event.
+.TP
+PID
+Process ID that renamed/deleted the file.
+.TP
+COMM
+Process name for the PID.
+.TP
+ACTION
+action on file: 'DELETE' or 'RENAME'
+.TP
+FILE
+Filename.
+.SH OVERHEAD
+This traces the kernel VFS file rename and delete functions and prints output
+for each event. As the rate of this is generally expected to be low
+(< 1000/s), the overhead is also expected to be negligible.
+This is from bcc.
+.IP
+https://github.com/iovisor/bcc
+.PP
+Also look in the bcc distribution for a companion _examples.txt file containing
+example usage, output, and commentary for this tool.
+.SH OS
+Linux
+.SH STABILITY
+Unstable - in development.
+.SH AUTHOR
+Curu Wong
+.SH SEE ALSO
+filelife(8)

tools/filegone.py

@@ -0,0 +1,152 @@
+#!/usr/bin/python
+# @lint-avoid-python-3-compatibility-imports
+#
+# filegone    Trace why file gone (deleted or renamed).
+#             For Linux, uses BCC, eBPF. Embedded C.
+#
+# USAGE: filegone [-h] [-p PID]
+#
+# Licensed under the Apache License, Version 2.0 (the "License")
+#
+# 08-Nov-2022 Curu. modified from filelife
+
+from __future__ import print_function
+from bcc import BPF
+import argparse
+from time import strftime
+
+# arguments
+examples = """examples:
+    ./filegone           # trace all file gone events
+    ./filegone -p 181    # only trace PID 181
+"""
+parser = argparse.ArgumentParser(
+    description="Trace why file gone (deleted or renamed)",
+    formatter_class=argparse.RawDescriptionHelpFormatter,
+    epilog=examples)
+parser.add_argument("-p", "--pid",
+    help="trace this PID only")
+parser.add_argument("--ebpf", action="store_true",
+    help=argparse.SUPPRESS)
+args = parser.parse_args()
+debug = 0
+
+# define BPF program
+bpf_text = """
+#include <uapi/linux/ptrace.h>
+#include <linux/fs.h>
+#include <linux/sched.h>
+
+struct data_t {
+    u32 pid;
+    u8 action;
+    char comm[TASK_COMM_LEN];
+    char fname[DNAME_INLINE_LEN];
+    char fname2[DNAME_INLINE_LEN];
+};
+
+BPF_PERF_OUTPUT(events);
+
+// trace file deletion and output details
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 12, 0)
+int trace_unlink(struct pt_regs *ctx, struct inode *dir, struct dentry *dentry)
+#else
+int trace_unlink(struct pt_regs *ctx, struct user_namespace *ns, struct inode *dir, struct dentry *dentry)
+#endif
+{
+    u32 pid = bpf_get_current_pid_tgid() >> 32;
+
+    FILTER
+
+    struct data_t data = {};
+    struct qstr d_name = dentry->d_name;
+    if (d_name.len == 0)
+        return 0;
+
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+    data.pid = pid;
+    data.action = 'D';
+    bpf_probe_read(&data.fname, sizeof(data.fname), d_name.name);
+
+    events.perf_submit(ctx, &data, sizeof(data));
+
+    return 0;
+}
+
+// trace file rename
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 12, 0)
+int trace_rename(struct pt_regs *ctx, struct inode *old_dir, struct dentry *old_dentry,
+struct inode *new_dir, struct dentry *new_dentry)
+{
+#else
+int trace_rename(struct pt_regs *ctx, struct renamedata *rd)
+{
+    struct dentry *old_dentry = rd->old_dentry;
+    struct dentry *new_dentry = rd->new_dentry;
+#endif
+
+    u32 pid = bpf_get_current_pid_tgid() >> 32;
+
+    FILTER
+
+    struct data_t data = {};
+    struct qstr s_name = old_dentry->d_name;
+    struct qstr d_name = new_dentry->d_name;
+    if (s_name.len == 0 || d_name.len == 0)
+        return 0;
+
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+    data.pid = pid;
+    data.action = 'R';
+    bpf_probe_read(&data.fname, sizeof(data.fname), s_name.name);
+    bpf_probe_read(&data.fname2, sizeof(data.fname), d_name.name);
+    events.perf_submit(ctx, &data, sizeof(data));
+
+    return 0;
+}
+"""
+
+
+def action2str(action):
+    if chr(action) == 'D':
+        action_str = "DELETE"
+    else:
+        action_str = "RENAME"
+    return action_str
+
+if args.pid:
+    bpf_text = bpf_text.replace('FILTER',
+        'if (pid != %s) { return 0; }' % args.pid)
+else:
+    bpf_text = bpf_text.replace('FILTER', '')
+
+if debug or args.ebpf:
+    print(bpf_text)
+    if args.ebpf:
+        exit()
+
+# initialize BPF
+b = BPF(text=bpf_text)
+b.attach_kprobe(event="vfs_unlink", fn_name="trace_unlink")
+b.attach_kprobe(event="vfs_rmdir", fn_name="trace_unlink")
+b.attach_kprobe(event="vfs_rename", fn_name="trace_rename")
+
+# header
+print("%-8s %-7s %-16s %6s %s" % ("TIME", "PID", "COMM", "ACTION", "FILE"))
+
+# process event
+def print_event(cpu, data, size):
+    event = b["events"].event(data)
+    action_str = action2str(event.action)
+    file_str = event.fname.decode('utf-8', 'replace')
+    if action_str == "RENAME":
+        file_str = "%s > %s" % (file_str, event.fname2.decode('utf-8', 'replace'))
+    print("%-8s %-7d %-16s %6s %s" % (strftime("%H:%M:%S"), event.pid,
+        event.comm.decode('utf-8', 'replace'), action_str, file_str))
+
+b["events"].open_perf_buffer(print_event)
+while 1:
+    try:
+        b.perf_buffer_poll()
+    except KeyboardInterrupt:
+        exit()

tools/filegone_example.txt

@@ -0,0 +1,26 @@
+Demonstrations of filegone, the Linux eBPF/bcc version.
+
+
+filegone traces why file gone, either been deleted or renamed
+For example:
+
+# ./filegone 
+18:30:56 22905   vim               DELETE .fstab.swpx
+18:30:56 22905   vim               DELETE .fstab.swp
+18:31:00 22905   vim               DELETE .viminfo
+18:31:00 22905   vim               RENAME .viminfo.tmp > .viminfo
+18:31:00 22905   vim               DELETE .fstab.swp
+
+USAGE message:
+
+usage: filegone.py [-h] [-p PID]
+
+Trace why file gone (deleted or renamed)
+
+optional arguments:
+  -h, --help         show this help message and exit
+  -p PID, --pid PID  trace this PID only
+
+examples:
+    ./filegone           # trace all file gone events
+    ./filegone -p 181    # only trace PID 181