Correct way to detect '/proc' file system? - linux

I'm writing a cross platform bash script. It needs to use this command #1:
cat /proc/$PID/cmdline
and if the procfs is not available (on OS X for example), it needs to fallback to this command #2:
ps -eo "pid command" | grep "^$PID"
My question is pretty simple: what is the correct way to detect if '/proc' file system exists?

The "proc filesystem" will almost always be mounted in /proc if present, but this does not have to be the case always (at least in theory). Probably a more portable way is to use mount -t proc to list mounted filesystems of type proc and extract the path from there. If the command returns no paths, procfs is not mounted and you can fall back to the alternative command.
Something along the lines of:
PROC_PATH=$(mount -t proc | egrep -o '/[^ ]+')
if [ "$PROC_PATH" ]; then
# use procfs
else
# use alternative
fi
On the other hand, ps should be more portable and always work, so maybe best solutions is just to use ps always?

Proc filesystem is mounted on /proc.
mount | awk '/proc/ {print $3}' This will show all mounted proc filesystems with full path

Related

Get files used by a binary

I am trying to locate a file used by a binary file during its execution. Using strace helps but its way too convoluted, macroed with grep is good enough, but does there exist an utility which can help me dump only files used by a binary?
you can try using:
lsof -p PID of the running process
lsof -c ssh would show all files opened by processes starting with the letter
Or try ltrace or maybe fuser
I've seen strace be used with some complex grep piping.. but it all depends on what exactly the end goal is.
You can also utilize the -e options in strace to filter, example is:
sudo strace -t -e trace=open,close,read,getdents,write,connect,accept whoami >/dev/null
and grep from there..

How to determine in bash if / mountpoint was mounted from other OS?

Im writing shell script to check if user may be doing some nasty things in Linux enviroment. One check i would like to do is determine if / filesyste was mounted using external OS (like using live SO) in previous mount.
First i think to exec script when boot to get the mount time in previous boot using journalctl and actual last mount using tune2fs, to compare it. But last mount using tune2fs gets current mount, not previous, because system is mounted when ckecks it.
Any idea to solve it?
Thanks!
dmesg's output shows about the mounting of / (and other infos as well). If your current OS's dmesg's output has that info, it was mounted by the current system.
You can use the output of dmesg in your script like :
#!/bin/bash
number=$(dmesg | grep -c "sdaN")
if [ $number == 0 ]; then
echo "It was not mounted by the current system"
else
echo "It was mounted by the current system"
fi

In Linux terminal, what would "grep -q '/dev/sda1' /proc/mounts || ..." do?

I want to make a bootable USB device by following this page.
http://planet-lab.org/node/172
It asks me to do these to steps:
umount /dev/sda*
grep -q /dev/sda1 /proc/mounts || dd if=PlanetLab-BootCD-3.3.usb of=/dev/sda1
But it makes me confused.
Since I think /dev/sda is my HDD, I thought it should be unmount /dev/sdb* in order to unmount USB device.
And I really don't understand what grep -q /dev/sda1 /proc/mounts is doing.
It seems to check whether "/dev/sda1" is mounted, but I don't exactly know what are the two parameters of grep command is doing. I know -q is for quiet.
And I also know dd can write an image to a drive.
The instructions state
assuming that the device is detected as /dev/sda
If the assumption is different from the actual mount point, you must modify the commands to match your configuration.
The grep -q is used to test for existence without cluttering the screen with the text which is found. The two parameters are
the text sought "/dev/sda1", and
the file in which the text is sought "/proc/mounts".
In other scripts, you may see something like
grep /dev/sda1 /proc/mounts >/dev/null
to achieve the same effect as the -q option.

How find out which process is using a file in Linux?

I tried to remove a file in Linux using rm -rf file_name, but got the error:
rm: file_name not removed. Text file busy
How can I find out which process is using this file?
You can use the fuser command, which is part of the psmisc package, like:
fuser file_name
You will receive a list of processes using the file.
You can use different flags with it, in order to receive a more detailed output.
You can find more info in the fuser's Wikipedia article, or in the man pages.
#jim's answer is correct -- fuser is what you want.
Additionally (or alternately), you can use lsof to get more information including the username, in case you need permission (without having to run an additional command) to kill the process. (THough of course, if killing the process is what you want, fuser can do that with its -k option. You can have fuser use other signals with the -s option -- check the man page for details.)
For example, with a tail -F /etc/passwd running in one window:
ghoti#pc:~$ lsof | grep passwd
tail 12470 ghoti 3r REG 251,0 2037 51515911 /etc/passwd
Note that you can also use lsof to find out what processes are using particular sockets. An excellent tool to have in your arsenal.
For users without fuser :
Although we can use lsof, there is another way i.e., we can query the /proc filesystem itself which lists all open files by all process.
# ls -l /proc/*/fd/* | grep filename
Sample output below:
l-wx------. 1 root root 64 Aug 15 02:56 /proc/5026/fd/4 -> /var/log/filename.log
From the output, one can use the process id in utility like ps to find program name
$ lsof | tree MyFold
As shown in the image attached:

strace entire operating system to get strace logs of all processes simultaneously

Currently, I am taking up the long method of doing this by getting a list of processes using the following command
sudo ps -eo pid,command | grep -v grep | awk '{print $1}' > pids.txt
And then iterating through the process ids and executing in background the strace of each process and generating logs for each process with the process id in the log's extension
filename="$1"
while read -r line
do
chmod +x straceProgram.sh
./straceProgram.sh $line &
done < "$filename"
straceProgram.sh
pid="$1"
sudo strace -p $pid -o log.$pid
However, the problem with this approach is that if there is any new process which gets started, it will not be straced since the strace is on the process ids stored in the pids.txt during the first run.
The list of pids.txt can be updated with new process ids, however, I was inquisitive on running a strace at an operating system level which would strace all the activities being performed.
Could there be a better way to do this?
If your resulting filesystem is going to be a kernel filesystem driver, I would recommend using tracefs to gather the information you require. I would recommend against making this a kernel filesystem unless you have a lot of time and a lot of testing resources. It is not trivial.
If you want an easier, safer alternative, write your filesystem using fuse. The downside is that performance is not quite as good and there are a few places where it cannot be used, but it is often acceptable. Note that there is already an implementation of a logging filesystem under fuse.
use the strace -f (fork) option, also I suggest the -s 9999 for more details

Resources