[systemd-devel] Seeking advice for configuring SystemCallFilter=
Mantas Mikulėnas
grawity at gmail.com
Fri Jan 22 13:36:31 PST 2016
On Fri, Jan 22, 2016 at 11:17 PM, David Timothy Strauss <david at davidstrauss.net> wrote:
> Rebooting an old thread now that we're finally testing this out.
>
> > "strace" should do the job. It should give you a pretty good idea of all
> > syscalls a process uses. That's what I used when testing SyscallFilters=.
>
> This turns out to be less useful than it seems.
>
> There are two major ways to invoke strace, each with caveats:
>
> - Launch the process with strace. This captures everything from the
> first syscall to daemonized operation, but it's hard to create an
> equivalent context and environment versus how the service runs normally.
> This is especially bad for socket-activated services because those may
> actually use fewer or different syscalls than if they have to open their
> own listener sockets.
> - Attach to an existing process. This allows seeing behavior under
> systemd, but it misses early service startup because the PID is only
> knowable after the service has started. We've specifically seen issues
> where some syscalls are only used in early service startup.
>
> There's a third way:
ExecStart=/usr/bin/strace -D -ff -o /tmp/myservice.trace /usr/bin/myservice --foo
--
Mantas Mikulėnas <grawity at gmail.com>
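Once an ExecStart= like the one above has produced its per-PID trace files (strace -ff writes one file per process, named prefix.pid), the remaining chore is turning them into a SystemCallFilter= line and checking an existing filter against what the service actually called. The script below is an added example, not code from this thread or from systemd; the myservice name, the paths and the trace content are constructed:

```shell
#!/bin/sh
# Added example (not from the thread): turn the per-PID files written by
# "strace -ff -o /tmp/myservice.trace ..." into a SystemCallFilter= line and
# diff the traced set against an existing allow-list. The "myservice" name,
# all paths and the trace content below are constructed.

# Print the sorted, unique syscall names found in every file "$1".<pid>.
traced_syscalls() {
    # A syscall line starts with "name(". Signal lines ("--- SIGCHLD ..."),
    # exit markers ("+++ exited ...") and continuations ("<... read resumed>")
    # do not match the pattern and are dropped.
    cat "$1".* | LC_ALL=C sed -n 's/^\([a-z_][a-z0-9_]*\)(.*/\1/p' | LC_ALL=C sort -u
}

# Print syscalls seen in the trace that are absent from the space-separated
# allow-list "$2" (the bare names of an existing SystemCallFilter= value).
# No output means the filter already permits everything that was traced.
missing_from_filter() {
    prefix=$1
    allow=$2
    for sc in $(traced_syscalls "$prefix"); do
        case " $allow " in
            *" $sc "*) ;;                 # permitted by the filter
            *) printf '%s\n' "$sc" ;;     # the filter would block this one
        esac
    done
}

# Emit a SystemCallFilter= line covering the whole trace.
filter_line() {
    printf 'SystemCallFilter=%s\n' "$(traced_syscalls "$1" | tr '\n' ' ' | sed 's/ $//')"
}

# --- constructed sample trace: a parent that reads its config and forks a
# --- child that opens a listening socket (two -ff output files) -------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/myservice.trace.1001" <<'EOF'
execve("/usr/bin/myservice", ["/usr/bin/myservice", "--foo"], 0x7ffc1a2b3c4d /* 12 vars */) = 0
brk(NULL)                               = 0x55d0c0a3f000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c1e3d4000
openat(AT_FDCWD, "/etc/myservice.conf", O_RDONLY|O_CLOEXEC) = 3
read(3, "listen=8080\n", 4096)          = 12
close(3)                                = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f0c1e3c9a10) = 1002
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1002, si_uid=0, si_status=0} ---
+++ exited with 0 +++
EOF
cat > "$demo_dir/myservice.trace.1002" <<'EOF'
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(4, 128)                          = 0
read(4,  <unfinished ...>
<... read resumed> "x", 1)              = 1
exit_group(0)                           = ?
+++ exited with 0 +++
EOF

filter_line "$demo_dir/myservice.trace"
echo "Not covered by the current allow-list:"
missing_from_filter "$demo_dir/myservice.trace" "execve brk mmap openat read close clone exit_group"
# $demo_dir is left in place so the sample files can be inspected.
```

Two caveats when using this on a real unit. The comparison works on bare syscall names only; an allow-list written with `@group` names has to be expanded first (current systemd lists the members with `systemd-analyze syscall-filter`). And a trace records only the code paths that were exercised during that run, so the generated list is a starting point: keep watching the journal for SIGSYS kills after the filter goes live, since the first hit is usually an error-handling path the test run never reached. The `-D` in the ExecStart= line matters for the same reason the thread gives: it detaches strace from the process tree so systemd still sees the service itself as the main process.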