Brief intro to `strace` : Finding all files a process is opening in GNU/Linux
Many times while debugging, we need to find all the files (e.g. shared libraries, configuration files, caches, logs, dumps, state files, journals, and so on) a process is opening for reading data from to get hints about the program's design and workflow.
Otherwise we want to follow the lengthy route of reading the source code of the program, we could leverage the powerful system call tracing tool
strace to get the job done fairly easily.
strace binary comes with the
strace package; so we need to install it first (if not done already):
% dpkg -S "$(command -v strace)" strace: /usr/bin/strace
The above snippet is from my
dpkg packaging based system, although the same should be true for
rpm packaging based systems.
strace binary is mostly used for tracing system calls and signals. As we're planning to get the files opened by a process, we're looking for the
open(2) call specifically.
Let's assume the program we want to check is named
foobar and we need to pass
--name spam argument to it i.e. from the shell we would run it as:
foobar --name spam
Now to trace the syscalls made by the program we need to run it as an argument to
strace, with necessary arguments e.g.:
strace foobar --name spam
As the above would trace all system calls
foobar is making, not just
open(); let's narrow down the traced calls to
strace -e trace=open foobar --name spam
-e option lets us to apply filtering, by using
-e trace=open we're
trace-ing only the
-e open is a shorthand for
-e trace=open, so we can also write:
strace -e open foobar --name spam
Now we'll get all the files opened by
foobar i.e. any issues of
If we want to track all the child processes of
foobar as well, we need to issue the
strace -f -e open foobar --name spam
strace allows us to express multiple command line options combinedly:
strace -fe open foobar --name spam
We can also trace multiple calls by comma separating them e.g.:
strace -fe open,write foobar --name spam
We can even trace a process that has already been started by passing the PID (Process ID) of the running process we want to trace with the
strace -fe open,write -p <PID>
So for example, if the PID is
strace -fe open,write -p 1234
strace dumps output to STDERR (Standard error, file descriptor 2), we can tell it to save the output to a file instead by providing the file path with the
-o option e.g.:
strace -fe open foobar --name spam -o /tmp/foobar.straced strace -fe open,write -p 1234 -o ~/spamegg.straced
This is essentially same as doing:
strace -fe open foobar --name spam 2>/tmp/foobar.straced strace -fe open,write -p 1234 2>~/spamegg.straced
with the exception that in the later case the file opening and STDERR redirection is done by the shell itself whereas
strace does the writing itself internally in the former case.
strace is a powerful tool when comes to debugging, the above is just the tip of the iceberg.
As always, check out the
man page (
man strace) to get more ideas.
CommentsComments powered by Disqus