1mountsnoop(8)               System Manager's Manual              mountsnoop(8)
2
3
4

NAME

6       mountsnoop - Trace mount() and umount() syscalls. Uses Linux eBPF/bcc.
7

SYNOPSIS

9       mountsnoop
10

DESCRIPTION

12       mountsnoop traces the mount() and umount() syscalls, showing which pro‐
13       cesses are mounting and unmounting filesystems  in  what  mount  names‐
14       paces. This can be useful for troubleshooting system and container set‐
15       up.
16
17       This works by tracing the kernel sys_mount() and sys_umount() functions
18       using  dynamic  tracing, and will need updating to match any changes to
19       this function.
20
21       This makes use of a Linux 4.8 feature (bpf_get_current_task()).
22
23       Since this uses BPF, only the root user can use this tool.
24

REQUIREMENTS

26       CONFIG_BPF and bcc.
27

FIELDS

29       COMM   Process name
30
31       PID    Process ID
32
33       TID    Thread ID
34
35       MNT_NS Mount namespace inode number
36
37       CALL   System call, arguments, and return value
38

OVERHEAD

40       This traces the kernel mount and umount functions and prints output for
41       each event. As the rate of these calls is generally expected to be very
42       low, the overhead is also expected to be  negligible.  If  your  system
43       calls  mount()  and  umount()  at a high rate, then test and understand
44       overhead before use.
45

SOURCE

47       This is from bcc.
48
49              https://github.com/iovisor/bcc
50
51       Also look in the bcc distribution for a  companion  _examples.txt  file
52       containing example usage, output, and commentary for this tool.
53

OS

55       Linux
56

STABILITY

58       Unstable - in development.
59

AUTHOR

61       Omar Sandoval
62

SEE ALSO

64       mount(2) umount(2)
65
66
67
68USER COMMANDS                     2016-10-14                     mountsnoop(8)
Impressum