github.com/inspektor-gadget/inspektor-gadget@v0.28.1/docs/builtin-gadgets/trace/open.md (about)

---
title: 'Using trace open'
weight: 20
description: >
  Trace open system calls.
---

The trace open gadget streams events related to files opened inside pods.

### On Kubernetes

Here we deploy a small demo pod "mypod":

```bash
$ kubectl run --restart=Never -ti --image=busybox mypod -- sh -c 'while /bin/true ; do whoami ; sleep 3 ; done'
```

Using the trace open gadget, we can see which processes open what files.
We can simply filter for the pod "mypod" and omit specifying the node,
thus tracing on all nodes for a pod called "mypod":

```bash
$ kubectl gadget trace open --podname mypod
K8S.NODE         K8S.NAMESPACE    K8S.POD          K8S.CONTAINER   PID    COMM               FD ERR PATH
ip-10-0-30-247   default          mypod            mypod           18455  whoami              3   0 /etc/passwd
ip-10-0-30-247   default          mypod            mypod           18521  whoami              3   0 /etc/passwd
ip-10-0-30-247   default          mypod            mypod           18525  whoami              3   0 /etc/passwd
ip-10-0-30-247   default          mypod            mypod           18530  whoami              3   0 /etc/passwd
^
Terminating!
```

It seems the whoami command opens "/etc/passwd" to map the user ID to a user name.
We can exit trace open by pressing Ctrl-C.

Finally, we need to clean up our pod:

```bash
$ kubectl delete pod mypod
```

### With `ig`

Let's start the gadget in a terminal:

```bash
$ sudo ig trace open -c test-trace-open
RUNTIME.CONTAINERNAME                                      PID        COMM             FD    ERR PATH
```

Run a container that opens some files:

```bash
$ docker run --name test-trace-open -it --rm busybox /bin/sh -c 'while /bin/true ; do whoami ; sleep 3 ; done'
```

The tool will show the different files opened by the container:

```bash
$ sudo ig trace open -c test-trace-open
RUNTIME.CONTAINERNAME                                      PID        COMM             FD    ERR PATH
test-trace-open                                            630417     whoami           3     0   /etc/passwd
test-trace-open                                            630954     whoami           3     0   /etc/passwd
```

If you want to get full paths from the tool, you can run it with the `--full-path` flag. This
will add the column `FULLPATH`, which contains the absolute path of the file with symlinks resolved.

```bash
$ sudo ./ig trace open -c test-trace-open-fullpath --full-path
RUNTIME.CONTAINERNAME         PID        COMM             FD  ERR PATH                            FULLPATH
test-trace-open-fullpath      1330356    cat              3   0   /etc/passwd                     /etc/passwd
test-trace-open-fullpath      1330401    cat              3   0   ../etc/mtab                     /proc/22/mounts
```

You can also filter by prefix paths using `--prefixes`.
It will then only report events where the opened file matches one of the given prefixes.

```bash
RUNTIME.CONTAINERNAME                            PID        COMM             FD    ERR PATH
test-trace-open-fullpath                         64069      touch            3     0   /tmp/foo/quux.txt
test-trace-open-fullpath                         64034      bash             3     0   /tmp/bar.txt
```

Note that this filtering occurs in eBPF.
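
A detection sketch for the `--full-path` output above, as an added example that is not part of the Inspektor Gadget documentation: it parses the table in user space and matches watched prefixes against `FULLPATH`, since the `../etc/mtab` row shows that `PATH` alone can hide the real target. The third sample row, the watched prefixes and the function names are constructed, and an empty `FULLPATH` on a failed open is an assumption.

```python
import posixpath

# Constructed sample: header and first two rows are the --full-path output above;
# the third row (failed open, ERR=2, empty FULLPATH) is an assumed illustration.
SAMPLE = """\
RUNTIME.CONTAINERNAME         PID        COMM             FD  ERR PATH                            FULLPATH
test-trace-open-fullpath      1330356    cat              3   0   /etc/passwd                     /etc/passwd
test-trace-open-fullpath      1330401    cat              3   0   ../etc/mtab                     /proc/22/mounts
test-trace-open-fullpath      1330420    cat              0   2   /etc/shadow
"""

def parse(text):
    """Turn the whitespace-aligned table into dicts keyed by column name."""
    lines = [l for l in text.splitlines() if l.strip()]
    cols = lines[0].split()
    events = []
    for line in lines[1:]:
        ev = dict(zip(cols, line.split()))  # assumes no whitespace inside paths
        ev.setdefault("FULLPATH", "")       # column may be empty on a failed open
        events.append(ev)
    return events

def under(path, prefix):
    """Component-aware prefix test: /etc matches /etc/passwd but not /etcetera."""
    path = posixpath.normpath(path)
    prefix = posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def flag(events, watched):
    """Return (comm, pid, resolved path, err) for opens under a watched prefix."""
    hits = []
    for ev in events:
        resolved = ev["FULLPATH"] or ev["PATH"]  # fall back when unresolved
        if any(under(resolved, w) for w in watched):
            hits.append((ev["COMM"], int(ev["PID"]), resolved, int(ev["ERR"])))
    return hits

def missed_by_path(events, watched):
    """PATH values of events that match on FULLPATH but not on PATH."""
    return [ev["PATH"] for ev in events
            if ev["FULLPATH"]
            and any(under(ev["FULLPATH"], w) for w in watched)
            and not any(under(ev["PATH"], w) for w in watched)]

if __name__ == "__main__":
    watched = ["/proc", "/etc/shadow"]
    for hit in flag(parse(SAMPLE), watched):
        print(hit)
    print("missed when matching PATH only:", missed_by_path(parse(SAMPLE), watched))
```

Rows with a non-zero `ERR` are kept in the result so that failed attempts on watched paths remain visible.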