monitor-cgroup.bt

#!/usr/bin/bpftrace
// # BPFTRACE_STRLEN=120 bpftrace cgroup_monitor.bt
#include <linux/kernfs.h>


BEGIN
{
        printf("Trace cgroup file/dir create or delete... Hit Ctrl-C to end.\n");
        printf("%-19s %-10s %-8s", "TIME", "PID", "COMM");
        printf(" %-16s %s \n", "Probe","PATH/FNAME");
}



kprobe:__kernfs_create_file
{
    time("%Y-%m-%d %H:%M:%S "); 
	$kn = (struct kernfs_node *)arg0;
    printf(" %-8d %-16s ", pid, comm);
    printf("%16s %s/%s/%s\n", probe, str($kn->parent->name), str($kn->name), str(arg1));
	printf("%-39s ", kstack);
}

kprobe:kernfs_remove_by_name_ns 
{
    time("%Y-%m-%d %H:%M:%S "); 
    $kn = (struct kernfs_node *)arg0;
	printf(" %-8d %-16s ", pid, comm);
    printf("%16s %s/%s/%s\n", probe, str($kn->parent->name), str($kn->name), str(arg1));
}


kprobe:kernfs_remove
{
    time("%Y-%m-%d %H:%M:%S "); 
    $kn = (struct kernfs_node *)arg0;
	printf(" %-8d %-16s ", pid, comm);
    printf("%16s %s/%s/%s\n", probe, str($kn->parent->name), str($kn->name), str(arg1));
}
/*
kprobe:cgroup_rmdir
{
    time("%Y-%m-%d %H:%M:%S "); 
    $kn = (struct kernfs_node *)arg0;
	printf(" %-8d %-16s ", pid, comm);
    printf("%16s %s/%s/%s\n", probe, str($kn->parent->name), str($kn->name), str(arg1));
	printf("%-39s ", kstack);
}
*/

END {
    printf("Stopping monitoring cgroup file/dir create or delete...\n");
}