Watching process creation on Linux hosts


I have been debugging a problem with Red Hat cluster, and was curious if a specific process was getting executed. On my Solaris 10 hosts I can run execsnoop to observe system-wide process creation, but there isn't anything comparable on my Linux hosts. The best I've found is systemtap, which provides the kprocess.exec probe to monitor exec() calls. To access this probe, you can stash the following in a file of your choosing:

# Fires on every execve() entry; execname()/pid() describe the caller
# (the forked child still carrying its parent's name), filename is the
# path handed to execve().
probe kprocess.exec {
    printf("%s (pid: %d) is exec'ing %s\n", execname(), pid(), filename)
}

Once the file is created, run stap (as root, since it builds and loads a kernel module) to compile and enable the exec probe:

$ stap -v exec.stp

This will produce output similar to the following:

modclusterd (pid: 5125) is exec'ing /usr/sbin/clustat
clurgmgrd (pid: 5129) is exec'ing /usr/share/cluster/clusterfs.sh
clusterfs.sh (pid: 5130) is exec'ing /usr/bin/dirname
clusterfs.sh (pid: 5131) is exec'ing /usr/bin/dirname
clusterfs.sh (pid: 5132) is exec'ing /usr/bin/dirname
clusterfs.sh (pid: 5134) is exec'ing /bin/basename
clusterfs.sh (pid: 5135) is exec'ing /sbin/consoletype
clusterfs.sh (pid: 5138) is exec'ing /usr/bin/readlink
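The one-line script above tells you who is exec'ing what, but for security review you usually also want the uid, the parent pid, the resulting command line, and the execs that failed (a noexec mount or missing interpreter shows up as a failed exec, not a silent nothing). The following is an added example written for this page, not part of the original post; it assumes a SystemTap tapset where kprocess.exec exposes the filename variable, kprocess.exec_complete exposes success and errno, and cmdline_str() is available (all of which are in modern releases):

```systemtap
#!/usr/bin/stap
# Added example: system-wide exec() monitor with more context than the
# post's one-liner. Assumes modern tapsets: kprocess.exec (filename),
# kprocess.exec_complete (success, errno) and cmdline_str().

global execs, failures

probe begin {
    printf("%-24s %5s %6s %6s %-16s %s\n",
           "TIME", "UID", "PPID", "PID", "COMM", "FILENAME")
}

# Entry of execve(): the caller has not been replaced yet, so execname()
# is still the old image (typically the shell that forked) and filename
# is the path as requested, before any PATH lookup or symlink resolution.
probe kprocess.exec {
    execs++
    printf("%-24s %5d %6d %6d %-16s %s\n",
           ctime(gettimeofday_s()), uid(), ppid(), pid(), execname(), filename)
}

# Return of execve(): on success the new image is mapped, so cmdline_str()
# now yields the argv the new program actually sees (useful for spotting
# argument injection). On failure record errno instead of dropping it.
probe kprocess.exec_complete {
    if (success) {
        printf("%-24s %5s %6s %6d %-16s argv: %s\n",
               "", "", "", pid(), execname(), cmdline_str())
    } else {
        failures++
        printf("%-24s exec FAILED pid %d (%s) errno=%d\n",
               ctime(gettimeofday_s()), pid(), execname(), errno)
    }
}

probe end {
    printf("%d exec() calls observed, %d failed\n", execs, failures)
}
```

Run it the same way as the original script (stap -v file.stp, as root); Ctrl-C triggers the end probe and prints the totals. The uid column is what distinguishes a routine cron job from an unexpected root exec, and the argv line is the one to grep for shell metacharacters or unexpected interpreter flags. Note that the uid is the caller's at entry, so a setuid target shows the pre-exec uid here.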

While systemtap is missing various features that are available in DTrace, it’s still a super useful tool!

This article was posted by Matty on 2009-12-10 00:06:00 -0400