Sysdig绝对是可以跟SystemTap相媲美的工具,都是系统故障排查的利器,不论是开发人员还是运维人员都必须要掌握的一个工具。今天先介绍一下Sysdig的一些特性。官网上说Sysdig是Strace, Tcpdump, Lsof, Htop, Iftop等工具的合体,至于你信不信只有使用之后才能来惊叹我说的到底对不对。所以可以理解Sysdig主要功能就是系统级别的探测,捕捉服务器上的应用程序对CPU, Memory, I/O, Network的状况。
Sysdig最新版提供了Docker容器镜像,可以很方便的直接拉取Docker镜像,另一方它提供容器级别的信息采集指令(sysdig -pc container.name=your_container_name),支持查询指定容器之间的网络流量、指定容器的CPU使用率等。
公司旗下的商用软件Sysdig Cloud则是容器级别的系统信息和网络流量监控、调试软件,这个在CoreOS Fest 大会上有介绍,它支持Real-Time Dashboard, Historical Replay, Dynamic Topology and Intelligent Alert, 可以想象成Nagios对系统的监控。
软件安装请参考官方文档:http://www.sysdig.org/install/ 相对于SystemTap的安装Sysdig更容易些。
Sysdig的语法在record 和replay系统跟踪方面跟Tcpdump和perf很像;在系统性能分析方面的语法chisels又跟SystemTap和dstat的--top*很像,只不过SystemTap需要自己写tap(代码写好了,比Sysdig强大), Sysdig是已经帮你写好了;在交互式使用方面又跟htop很像。
不废话了,下面介绍一下基本的使用方法。
最简单的使用方法是直接输入sysdig, 他会捕获系统的每一个事件并且直接输出到屏幕。
每一个event都是一行信息,输出的格式如下:
*%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args
evt.num 是一个自动增长的event number
evt.time 是时间戳
evt.cpu 是捕获到的在用的哪颗CPU
proc.name 是process name
thread.tid 是thread id,如果不是多线程,就是pid
evt.dir 是event方向,>代表inpute ,<代表output
evt.type 是event的操作名称,e.g. open or read
evt.args 是event 调用命令参数的列表
如果要保存信息的话,可以加上-w选项,限制捕捉行数用-n:
sysdig -n100 -w firstcapture.scap
如果是按大小区分捕获文件的话,可以用-C 1 默认捕获1M文件就分割到下一个文件,-W 5 参数只捕获5个文件
sysdig -C 1 -W 5 -w secondcapture.scap
生成的文件名是secondcapture.scap.{1..5}。
要阅读刚才捕获的文件,用-r参数:
sysdig -r firstcapture.scap
如果要对捕获的内容做具体的事件查询呢?请看下面
查询进程是mysqld的event:
sysdig -r firstcapture.scap proc.name=mysqld
看proc.name 是mysql 或者nginx的,并且event是read的event
sysdig -r firstcapture.scap proc.name=mysqld or proc.name=nginx and env.type=read
筛选的关键字可以用sysdig -l 来获得,他支持以下12中Field Class:
fd
process
evt
user
group
syslog
container
fdlist
k8s
mesos
span
evtin
# sysdig -l ---------------------- Field Class: fd fd.num the unique number identifying the file descriptor. fd.type type of FD. Can be ‘file‘, ‘directory‘, ‘ipv4‘, ‘ipv6‘, ‘unix‘, ‘pipe‘, ‘event‘, ‘signalfd‘, ‘eventpoll‘, ‘inotify‘ or ‘signal fd‘. fd.typechar type of FD as a single character. Can be ‘f‘ for file, 4 for IP v4 socket, 6 for IPv6 socket, ‘u‘ for unix socket, p for pipe, ‘e‘ for eventfd, ‘s‘ for signalfd, ‘l‘ for eventpoll, ‘i‘ for i notify, ‘o‘ for uknown. fd.name FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple. fd.directory If the fd is a file, the directory that contains it. fd.filename If the fd is a file, the filename without the path. fd.ip matches the ip address (client or server) of the fd. fd.cip client IP address. fd.sip server IP address. fd.lip local IP address. fd.rip remote IP address. fd.port (FILTER ONLY) matches the port (either client or server) of the fd. fd.cport for TCP/UDP FDs, the client port. fd.sport for TCP/UDP FDs, server port. fd.lport for TCP/UDP FDs, the local port. fd.rport for TCP/UDP FDs, the remote port. fd.l4proto the IP protocol of a socket. Can be ‘tcp‘, ‘udp‘, ‘icmp‘ or ‘ra w‘. fd.sockfamily the socket family for socket events. Can be ‘ip‘ or ‘unix‘. fd.is_server ‘true‘ if the process owning this FD is the server endpoint in the connection. fd.uid a unique identifier for the FD, created by chaining the FD numb er and the thread ID. fd.containername chaining of the container ID and the FD name. Useful when tryin g to identify which container an FD belongs to. fd.containerdirectory chaining of the container ID and the directory name. Useful whe n trying to identify which container a directory belongs to. fd.proto (FILTER ONLY) matches the protocol (either client or server) of the fd. fd.cproto for TCP/UDP FDs, the client protocol. fd.sproto for TCP/UDP FDs, server protocol. fd.lproto for TCP/UDP FDs, the local protocol. fd.rproto for TCP/UDP FDs, the remote protocol. fd.net matches the IP network (client or server) of the fd. fd.cnet client IP network. fd.snet server IP network. fd.lnet local IP network. fd.rnet remote IP network. ---------------------- Field Class: process proc.pid the id of the process generating the event. proc.exe the first command line argument (usually the executable name or a custom one). proc.name the name (excluding the path) of the executable generating the event. proc.args the arguments passed on the command line when starting the proc ess generating the event. proc.env the environment variables of the process generating the event. proc.cmdline full process command line, i.e. proc.name + proc.args. proc.exeline full process command line, with exe as first argument, i.e. pro c.exe + proc.args. proc.cwd the current working directory of the event. proc.nthreads the number of threads that the process generating the event cur rently has, including the main process thread. proc.nchilds the number of child threads that the process generating the eve nt currently has. This excludes the main process thread. proc.ppid the pid of the parent of the process generating the event. proc.pname the name (excluding the path) of the parent of the process gene rating the event. proc.apid the pid of one of the process ancestors. E.g. proc.apid[1] retu rns the parent pid, proc.apid[2] returns the grandparent pid, a nd so on. proc.apid[0] is the pid of the current process. proc. apid without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.apid=1234. proc.aname the name (excluding the path) of one of the process ancestors. E.g. proc.aname[1] returns the parent name, proc.aname[2] retur ns the grandparent name, and so on. proc.aname[0] is the name o f the current process. proc.aname without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aname=bash. proc.loginshellid the pid of the oldest shell among the ancestors of the current process, if there is one. This field can be used to separate di fferent user sessions, and is useful in conjunction with chisel s like spy_user. proc.duration number of nanoseconds since the process started. proc.fdopencount number of open FDs for the process proc.fdlimit maximum number of FDs the process can open. proc.fdusage the ratio between open FDs and maximum available FDs for the pr ocess. proc.vmsize total virtual memory for the process (as kb). proc.vmrss resident non-swapped memory for the process (as kb). proc.vmswap swapped memory for the process (as kb). thread.pfmajor number of major page faults since thread start. thread.pfminor number of minor page faults since thread start. thread.tid the id of the thread generating the event. thread.ismain ‘true‘ if the thread generating the event is the main one in th e process. thread.exectime CPU time spent by the last scheduled thread, in nanoseconds. Ex ported by switch events only. thread.totexectime Total CPU time, in nanoseconds since the beginning of the captu re, for the current thread. Exported by switch events only. thread.cgroups all the cgroups the thread belongs to, aggregated into a single string. thread.cgroup the cgroup the thread belongs to, for a specific subsystem. E.g . thread.cgroup.cpuacct. thread.vtid the id of the thread generating the event as seen from its curr ent PID namespace. proc.vpid the id of the process generating the event as seen from its cur rent PID namespace. thread.cpu the CPU consumed by the thread in the last second. thread.cpu.user the user CPU consumed by the thread in the last second. thread.cpu.system the system CPU consumed by the thread in the last second. thread.vmsize For the process main thread, this is the total virtual memory f or the process (as kb). For the other threads, this field is ze ro. thread.vmrss For the process main thread, this is the resident non-swapped m emory for the process (as kb). For the other threads, this fiel d is zero. ---------------------- Field Class: evt evt.num event number. evt.time event timestamp as a time string that includes the nanosecond p art. evt.time.s event timestamp as a time string with no nanoseconds. evt.datetime event timestamp as a time string that includes the date. evt.rawtime absolute event timestamp, i.e. nanoseconds from epoch. evt.rawtime.s integer part of the event timestamp (e.g. seconds since epoch). evt.rawtime.ns fractional part of the absolute event timestamp. evt.reltime number of nanoseconds from the beginning of the capture. evt.reltime.s number of seconds from the beginning of the capture. evt.reltime.ns fractional part (in ns) of the time from the beginning of the c apture. evt.latency delta between an exit event and the correspondent enter event, in nanoseconds. evt.latency.s integer part of the event latency delta. evt.latency.ns fractional part of the event latency delta. evt.latency.human delta between an exit event and the correspondent enter event, as a human readable string (e.g. 10.3ms). evt.deltatime delta between this event and the previous event, in nanoseconds . evt.deltatime.s integer part of the delta between this event and the previous e vent. evt.deltatime.ns fractional part of the delta between this event and the previou s event. evt.outputtime this depends on -t param, default is %evt.time (‘h‘). evt.dir event direction can be either ‘>‘ for enter events or ‘<‘ for e xit events. evt.type The name of the event (e.g. ‘open‘). evt.type.is allows one to specify an event type, and returns 1 for events t hat are of that type. For example, evt.type.is.open returns 1 f or open events, 0 for any other event. syscall.type For system call events, the name of the system call (e.g. ‘open ‘). Unset for other events (e.g. switch or sysdig internal even ts). Use this field instead of evt.type if you need to make sur e that the filtered/printed value is actually a system call. evt.category The event category. Example values are ‘file‘ (for file operati ons like open and close), ‘net‘ (for network operations like so cket and bind), memory (for things like brk or mmap), and so on . evt.cpu number of the CPU where this event happened. evt.args all the event arguments, aggregated into a single string. evt.arg (FILTER ONLY) one of the event arguments specified by name or b y number. Some events (e.g. return codes or FDs) will be conver ted into a text representation when possible. E.g. ‘evt.arg.fd‘ or ‘evt.arg[0]‘. evt.rawarg (FILTER ONLY) one of the event arguments specified by name. E.g . ‘evt.rawarg.fd‘. evt.info for most events, this field returns the same value as evt.args. However, for some events (like writes to /dev/log) it provides higher level information coming from decoding the arguments. evt.buffer the binary data buffer for events that have one, like read(), r ecvfrom(), etc. Use this field in filters with ‘contains‘ to se arch into I/O data buffers. evt.buflen the length of the binary data buffer for events that have one, like read(), recvfrom(), etc. evt.res event return value, as a string. If the event failed, the resul t is an error code string (e.g. ‘ENOENT‘), otherwise the result is the string ‘SUCCESS‘. evt.rawres event return value, as a number (e.g. -2). Useful for range com parisons. evt.failed ‘true‘ for events that returned an error status. evt.is_io ‘true‘ for events that read or write to FDs, like read(), send, recvfrom(), etc. evt.is_io_read ‘true‘ for events that read from FDs, like read(), recv(), recv from(), etc. evt.is_io_write ‘true‘ for events that write to FDs, like write(), send(), etc. evt.io_dir ‘r‘ for events that read from FDs, like read(); ‘w‘ for events that write to FDs, like write(). evt.is_wait ‘true‘ for events that make the thread wait, e.g. sleep(), sele ct(), poll(). evt.wait_latency for events that make the thread wait (e.g. sleep(), select(), p oll()), this is the time spent waiting for the event to return, in nanoseconds. evt.is_syslog ‘true‘ for events that are writes to /dev/log. evt.count This filter field always returns 1 and can be used to count eve nts from inside chisels. evt.count.error This filter field returns 1 for events that returned with an er ror, and can be used to count event failures from inside chisel s. evt.count.error.file This filter field returns 1 for events that returned with an er ror and are related to file I/O, and can be used to count event failures from inside chisels. evt.count.error.net This filter field returns 1 for events that returned with an er ror and are related to network I/O, and can be used to count ev ent failures from inside chisels. evt.count.error.memory This filter field returns 1 for events that returned with an er ror and are related to memory allocation, and can be used to co unt event failures from inside chisels. evt.count.error.other This filter field returns 1 for events that returned with an er ror and are related to none of the previous categories, and can be used to count event failures from inside chisels. evt.count.exit This filter field returns 1 for exit events, and can be used to count single events from inside chisels. evt.around (FILTER ONLY) Accepts the event if it‘s around the specified ti me interval. The syntax is evt.around[T]=D, where T is the valu e returned by %evt.rawtime for the event and D is a delta in mi lliseconds. For example, evt.around[1404996934793590564]=1000 w ill return the events with timestamp with one second before the timestamp and one second after it, for a total of two seconds of capture. evt.abspath (FILTER ONLY) Absolute path calculated from dirfd and name duri ng syscalls like renameat and symlinkat. Use ‘evt.abspath.src‘ or ‘evt.abspath.dst‘ for syscalls that support multiple paths. ---------------------- Field Class: user user.uid user ID. user.name user name. user.homedir home directory of the user. user.shell user‘s shell. ---------------------- Field Class: group group.gid group ID. group.name group name. ---------------------- Field Class: syslog syslog.facility.str facility as a string. syslog.facility facility as a number (0-23). syslog.severity.str severity as a string. Can have one of these values: emerg, aler t, crit, err, warn, notice, info, debug syslog.severity severity as a number (0-7). syslog.message message sent to syslog. ---------------------- Field Class: container container.id the container id. container.name the container name. container.image the container image. container.type the container type, eg: docker or rkt ---------------------- Field Class: fdlist fdlist.nums for poll events, this is a comma-separated list of the FD numbe rs in the ‘fds‘ argument, returned as a string. fdlist.names for poll events, this is a comma-separated list of the FD names in the ‘fds‘ argument, returned as a string. fdlist.cips for poll events, this is a comma-separated list of the client I P addresses in the ‘fds‘ argument, returned as a string. fdlist.sips for poll events, this is a comma-separated list of the server I P addresses in the ‘fds‘ argument, returned as a string. fdlist.cports for TCP/UDP FDs, for poll events, this is a comma-separated lis t of the client TCP/UDP ports in the ‘fds‘ argument, returned a s a string. fdlist.sports for poll events, this is a comma-separated list of the server T CP/UDP ports in the ‘fds‘ argument, returned as a string. ---------------------- Field Class: k8s k8s.pod.name Kubernetes pod name. k8s.pod.id Kubernetes pod id. k8s.pod.label Kubernetes pod label. E.g. ‘k8s.pod.label.foo‘. k8s.pod.labels Kubernetes pod comma-separated key/value labels. E.g. ‘foo1:bar 1,foo2:bar2‘. k8s.rc.name Kubernetes replication controller name. k8s.rc.id Kubernetes replication controller id. k8s.rc.label Kubernetes replication controller label. E.g. ‘k8s.rc.label.foo ‘. k8s.rc.labels Kubernetes replication controller comma-separated key/value lab els. E.g. ‘foo1:bar1,foo2:bar2‘. k8s.svc.name Kubernetes service name (can return more than one value, concat enated). k8s.svc.id Kubernetes service id (can return more than one value, concaten ated). k8s.svc.label Kubernetes service label. E.g. ‘k8s.svc.label.foo‘ (can return more than one value, concatenated). k8s.svc.labels Kubernetes service comma-separated key/value labels. E.g. ‘foo1 :bar1,foo2:bar2‘. k8s.ns.name Kubernetes namespace name. k8s.ns.id Kubernetes namespace id. k8s.ns.label Kubernetes namespace label. E.g. ‘k8s.ns.label.foo‘. k8s.ns.labels Kubernetes namespace comma-separated key/value labels. E.g. ‘fo o1:bar1,foo2:bar2‘. ---------------------- Field Class: mesos mesos.task.name Mesos task name. mesos.task.id Mesos task id. mesos.task.label Mesos task label. E.g. ‘mesos.task.label.foo‘. mesos.task.labels Mesos task comma-separated key/value labels. E.g. ‘foo1:bar1,fo o2:bar2‘. mesos.framework.name Mesos framework name. mesos.framework.id Mesos framework id. marathon.app.name Marathon app name. marathon.app.id Marathon app id. marathon.app.label Marathon app label. E.g. ‘marathon.app.label.foo‘. marathon.app.labels Marathon app comma-separated key/value labels. E.g. ‘foo1:bar1, foo2:bar2‘. marathon.group.name Marathon group name. marathon.group.id Marathon group id. ---------------------- Field Class: span span.id tracer ID. This is a unique identifier that is used to match th e enter and exit tracer events for this span. It can also be us ed to match different spans belonging to a trace. span.time time of the span enter tracer as a time string that includes th e nanosecond part. span.ntags number of tags that this span has. span.nargs number of arguments that this span has. span.tags dot-separated list of the span‘s tags. span.tag one of the span‘s tags, specified by 0-based offset, e.g. ‘span .tag[1]‘. You can use a negative offset to pick elements from t he end of the tag list. For example, ‘span.tag[-1]‘ returns the last tag. span.args comma-separated list of event arguments. span.arg one of the span arguments, specified by name or by 0-based offs et. E.g. ‘span.tag.mytag‘ or ‘span.tag[1]‘. You can use a negat ive offset to pick elements from the end of the tag list. For e xample, ‘span.arg[-1]‘ returns the last argument. span.enterargs comma-separated list of the span‘s enter tracer event arguments . For enter tracers, this is the same as evt.args. For exit tra cers, this is the evt.args of the corresponding enter tracer. span.enterarg one of the span‘s enter arguments, specified by name or by 0-ba sed offset. For enter tracer events, this is the same as evt.ar g. For exit tracer events, this is the evt.arg of the correspon ding enter event. span.duration delta between this span‘s exit tracer event and the enter trace r event. span.duration.human delta between this span‘s exit tracer event and the enter event , as a human readable string (e.g. 10.3ms). ---------------------- Field Class: evt evtin.span.id (FILTER ONLY) the ID of the trace span containing the event. evtin.span.ntags (FILTER ONLY) the number of tags of the trace span containing t he event. evtin.span.nargs (FILTER ONLY) the number of arguments of the trace span contain ing the event. evtin.span.tags (FILTER ONLY) the comma-separated list of tags of the trace spa n containing the event. evtin.span.tag (FILTER ONLY) one of the tags of the trace span containing the event, specified by offset. E.g. ‘evtin.span.tag[1]‘. You can u se a negative offset to pick elements from the end of the tag l ist. For example, ‘evtin.span.tag[-1]‘ returns the last tag. evtin.span.args (FILTER ONLY) the full list of arguments of the trace span cont aining the event. evtin.span.arg (FILTER ONLY) one of the arguments of the trace span containing the event, specified by name or by offset. E.g. ‘evtin.span.ta g.mytag‘ or ‘evtin.span.tag[1]‘. You can use a negative offset to pick elements from the end of the tag list. For example, ‘ev tin.span.arg[-1]‘ returns the last argument. evtin.span.t.id (FILTER ONLY) same as evtin.span.id, but accepts only the event s generated by the thread that produced the span. evtin.span.t.ntags (FILTER ONLY) same as evtin.span.ntags, but accepts only the ev ents generated by the thread that produced the span. evtin.span.t.nargs (FILTER ONLY) same as evtin.span.nargs, but accepts only the ev ents generated by the thread that produced the span. evtin.span.t.tags (FILTER ONLY) same as evtin.span.tags, but accepts only the eve nts generated by the thread that produced the span. evtin.span.t.tag (FILTER ONLY) same as evtin.span.tag, but accepts only the even ts generated by the thread that produced the span. evtin.span.t.args (FILTER ONLY) same as evtin.span.args, but accepts only the eve nts generated by the thread that produced the span. evtin.span.t.arg (FILTER ONLY) same as evtin.span.arg, but accepts only the even ts generated by the thread that produced the span. evtin.span.p.id (FILTER ONLY) same as evtin.span.id, but accepts only the event s generated by the process that produced the span. evtin.span.p.ntags (FILTER ONLY) same as evtin.span.ntags, but accepts only the ev ents generated by the process that produced the span. evtin.span.p.nargs (FILTER ONLY) same as evtin.span.nargs, but accepts only the ev ents generated by the process that produced the span. evtin.span.p.tags (FILTER ONLY) same as evtin.span.tags, but accepts only the eve nts generated by the process that produced the span. evtin.span.p.tag (FILTER ONLY) same as evtin.span.tag, but accepts only the even ts generated by the process that produced the span. evtin.span.p.args (FILTER ONLY) same as evtin.span.args, but accepts only the eve nts generated by the process that produced the span. evtin.span.p.arg (FILTER ONLY) same as evtin.span.arg, but accepts only the even ts generated by the process that produced the span. evtin.span.s.id (FILTER ONLY) same as evtin.span.id, but accepts only the event s generated by the script that produced the span, i.e. by the p rocesses whose parent PID is the one of the span. evtin.span.s.ntags (FILTER ONLY) same as evtin.span.id, but accepts only the event s generated by the script that produced the span, i.e. by the p rocesses whose parent PID is the one of the span. evtin.span.s.nargs (FILTER ONLY) same as evtin.span.id, but accepts only the event s generated by the script that produced the span, i.e. by the p rocesses whose parent PID is the one of the span. evtin.span.s.tags (FILTER ONLY) same as evtin.span.id, but accepts only the event s generated by the script that produced the span, i.e. by the p rocesses whose parent PID is the one of the span. evtin.span.s.tag (FILTER ONLY) same as evtin.span.id, but accepts only the event s generated by the script that produced the span, i.e. by the p rocesses whose parent PID is the one of the span. evtin.span.s.args (FILTER ONLY) same as evtin.span.id, but accepts only the event s generated by the script that produced the span, i.e. by the p rocesses whose parent PID is the one of the span. evtin.span.s.arg (FILTER ONLY) same as evtin.span.id, but accepts only the event s generated by the script that produced the span, i.e. by the p rocesses whose parent PID is the one of the span.
如果不想要sysdig默认的输出格式,也可以自己定制,类似于top的定制。变量名必须用%开头。
# sysdig -r sysdigdump.sap -p "user:%user.name dir:%evt.arg.path" evt.type=chdir user:root dir:/ user:root dir:/
输出一个程序正在被哪个用户使用,被调用的命令参数是怎样的:
# sysdig -p"%user.name) %proc.name %proc.args" evt.type=execve and evt.arg.ptid=zsh root) git config --get oh-my-zsh.hide-status root) git symbolic-ref HEAD root) git rev-parse --short HEAD root) ls --color=tty --color=auto -hltr root) git config --get oh-my-zsh.hide-status root) git symbolic-ref HEAD root) git rev-parse --short HEAD
可以我在zsh的命令行上执行了ls 命令, 并且oh-my-zsh在后台悄悄地执行git config 命令,没有sysdig工具你是没法知道oh-my-zsh在没执行一次命令都在后台执行git config的,果断把oh-my-zsh自动更新给禁掉,以后可以每隔一段时间手动去更新oh-my-zsh。
查看哪个进程在/etc下写文件,同样效果lsof也可以实现,只是显示不如sysdig,而且sysdig还可以定制显示内容。
# root at shanker in ~/.oh-my-zsh on git:master o [9:22:59] # sysdig -p "user:%user.name process:%proc.name file:%fd.name" "evt.type=write and fd.name contains /etc" user:root process:vim file:/etc/ansible/.hosts.swp user:root process:vim file:/etc/ansible/.hosts.swp user:root process:vim file:/etc/ansible/.hosts.swp ^C# # root at shanker in ~/.oh-my-zsh on git:master o [9:27:32] # lsof -cv /etc COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME vmstat 59 root cwd DIR 202,1 4096 2 / vmstat 59 root rtd DIR 202,1 4096 2 / vmstat 59 root txt unknown /proc/59/exe vim 11547 root cwd DIR 202,1 4096 16386 /root vim 11547 root rtd DIR 202,1 4096 2 / vim 11547 root txt REG 202,1 2191736 1026 /usr/bin/vim.basic vim 11547 root mem REG 202,1 47712 418583 /lib/x86_64-linux-gnu/libnss_files-2.19.so vim 11547 root mem REG 202,1 47760 418575 /lib/x86_64-linux-gnu/libnss_nis-2.19.so vim 11547 root mem REG 202,1 97296 418568 /lib/x86_64-linux-gnu/libnsl-2.19.so vim 11547 root mem REG 202,1 39824 418566 /lib/x86_64-linux-gnu/libnss_compat-2.19.so vim 11547 root mem REG 202,1 10680 418582 /lib/x86_64-linux-gnu/libutil-2.19.so vim 11547 root mem REG 202,1 100728 396113 /lib/x86_64-linux-gnu/libz.so.1.2.8 vim 11547 root mem REG 202,1 18624 396035 /lib/x86_64-linux-gnu/libattr.so.1.1.0 vim 11547 root mem REG 202,1 252032 397658 /lib/x86_64-linux-gnu/libpcre.so.3.13.1 vim 11547 root mem REG 202,1 1840928 418580 /lib/x86_64-linux-gnu/libc-2.19.so vim 11547 root mem REG 202,1 141574 418570 /lib/x86_64-linux-gnu/libpthread-2.19.so vim 11547 root mem REG 202,1 3480880 895 /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0 vim 11547 root mem REG 202,1 14664 418562 /lib/x86_64-linux-gnu/libdl-2.19.so vim 11547 root mem REG 202,1 27080 8084 /usr/lib/x86_64-linux-gnu/libgpm.so.2 vim 11547 root mem REG 202,1 31168 396033 /lib/x86_64-linux-gnu/libacl.so.1.1.0 vim 11547 root mem REG 202,1 134296 396097 /lib/x86_64-linux-gnu/libselinux.so.1 vim 11547 root mem REG 202,1 167096 396105 /lib/x86_64-linux-gnu/libtinfo.so.5.9 vim 11547 root mem REG 202,1 1071552 418560 /lib/x86_64-linux-gnu/libm-2.19.so vim 11547 root mem REG 202,1 149120 418572 /lib/x86_64-linux-gnu/ld-2.19.so vim 11547 root mem REG 202,1 1607664 1578 /usr/lib/locale/locale-archive vim 11547 root 0u CHR 136,7 0t0 10 /dev/pts/7 vim 11547 root 1u CHR 136,7 0t0 10 /dev/pts/7 vim 11547 root 2u CHR 136,7 0t0 10 /dev/pts/7 vim 11547 root 4u REG 202,1 12288 131619 /etc/ansible/.hosts.swp
想要看网络连接,使用文件描述法是ipv4即可:
sysdig fd.type=ipv4 and evt.type=write
如果使用container的情况下,输出格式需要重新格式化才能友好阅读,根据自己container的类型选择命令参数:
Using -pc or -pcontainer, the default format will be changed to a container-friendly one: %evt.num %evt.outputtime %evt.cpu %container.name (%container.id) %proc.name (%thread.tid:%thread.vtid) %evt.dir %evt.type %evt.info Using -pk or -pkubernetes, the default format will be changed to a kubernetes-friendly one: %evt.num %evt.outputtime %evt.cpu %k8s.pod.name (%container.id) %proc.name (%thread.tid:%thread.vtid) %evt.dir %evt.type %evt.info Using -pm or -pmesos, the default format will be changed to a mesos-friendly one: %evt.num %evt.outputtime %evt.cpu %mesos.task.name (%container.id) %proc.name (%thread.tid:%thread.vtid) %evt.dir %evt.type %evt.info
未完待续!
本文出自 “天涯海阁” 博客,请务必保留此出处http://shanker.blog.51cto.com/1189689/1768735
性能调优之综合篇 - Linux系统性能监控和故障排查利器Sysdig
原文地址:http://shanker.blog.51cto.com/1189689/1768735
