Re: noob q.: trying to trace syscalls in Jessie... why do I get unselected "events" in the trace?

"Frantisek Rysanek" <Frantisek.Rysanek@xxxxxxx> · Fri, 28 Apr 2017 20:09:20 +0200

Dear gentlemen,

thanks again for your suggestions.

I've given a fleeting try to both systemtap and lttng, in Debian 
Jessie using the pre-built = packaged versions of said probe tools. 
In both cases I pretty soon ended up at some error message, 
effectively instructing me to solve a kernel module version mismatch 
or tweak some .config entry in the running kernel to get the 
kernel-space tracer modules loaded. Which I could do, but don't 
really have enough time or motivation right now - maybe next time :-) 
Or perhaps I'm jusy lazy. Basically... these two tools need a kernel 
"helper", need debugging symbol information (quite obviously, to 
print function args) and are "out of tree", so they need some 
additional manual care, syncing of versions and whatnot - not a big 
surprise. Also, the fact that they need "debugging symbols" is a 
deterrent for me to use them on a customer's production system 
(perhaps as a last resort).  

The related quick follow-up reading has pointed me to some really 
cool tools I didn't know about yet, such as the Trace Compass. Wow, 
this could come in handy.  

:-) initially I thought "well there appears to be some kernel-space
tracing framework, I used to read about it now and then at LWN" and
upon a deeper dive I realize, that these are actually maybe *four*
such frameworks or tools, living side by side, or sharing some common
instrumentation snippets at the back end... That's Linux :-) History
in the making. Never ending evolution.

I'm getting off topic here. Essentially I'm writing this message to 
somehow "close this thread", although I don't yet have a resolution 
of the particular problem I'm facing. In reality it won't be me 
hunting the problem down on the live system, I'm trying to instruct 
someone "behind the scenes" :-)  

And although this is already way off topic in this "tracing" mailing
list, I'm attaching a couple of snippets that I collected on the
broader topic or task at hand, which is trying to pinpoint some
anomaly in system timebase steering, looking almost like 
a leap second bug, or some such, happening semi-randomly 
at midnight on the edge of a new month. I don't want to be more 
specific - there are likely historical versions of Linux and NTPd in 
play, possibly some custom cron jobs in the OS, there is definitely 
proprietary software running in the system. I'm attaching my 
"snippets" "for the record" - for the benefit of people googling 
about this stuff in the future, be it tracing-related or 
timing-related.

After some homework, I'm able to 
1) trace events in the kernel
2) strace ntpd in the user space (as a key suspect)
3) increase the "log level" in ntpd, and 
4) capture NTP traffic on Ethernet using tcpdump, 
all at the same time, which should make it easier to correlate the
traces. I've added an hourly cron job to insert a "real time"
timestamp into the kernel trace via 
   'date >trace_marker'
and I've instructed strace (-tt) to include realtime time stamps 
too... 
Ultimately, as the kernel event trace and the user-space strace both 
log the same syscall occurrences from ntpd, they areeffectively
a mirror copy of each other, which makes it easier to fix the kernel
trace against wall time (and to look for discrepancies in the flow of
the system wall time, compared to the monotonic clock used in the
kernel trace).

Thanks for your polite attention and for all your help :-)
Have a nice weekend...

Frank Rysanek