Logging NFSv3/v4 file opens by client and file

scotia


Hi all,

I've got a bunch of NFS clients (v3 and v4) accessing an NFS server and I want to know what files they are opening.

Is there a way I can log NFS file opens (or whatever the call is) and IP address of the client?

I've searched for a DTrace probe/dwatch without luck.

Thanks
 

Peter Eriksson


Filenames (but no directories) & uid's:

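#!/usr/sbin/dtrace -s

/* Fires on entry to the NFS server's name lookup routine. */
/* args[1] is the struct nameidata: print the name buffer and the caller's uid. */
fbt::nfsvno_namei:entry {
    printf("%s [uid=%d]",
        stringof(args[1]->ni_cnd.cn_pnbuf),
        args[1]->ni_cnd.cn_cred->cr_uid);
}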

No IP addresses though...

To trace that requires more intricate stuff.
 

Peter Eriksson


You can also find some other NFS-server-related DTrace scripts at: freebsd-stuff (not the one you are looking for though).

tcpdump + wireshark can trace network packets + decode the NFS protocol so you might be able to see some stuff that way too...
 
scotia


Thanks Peter,
nice one. As you said it only partially solves my challenge. I might try tcpdump against NFS to see what I can gather.
I ended up piping your dtrace into Perl:
Code:
/usr/sbin/dtrace -s /tmp/nfs.dtrace | perl -nle 'next unless /:entry (.*) \[uid=(\d+)\]/; ($f,$uid)=($1,$2); if(not $seen{"$f $uid"}){print "$f $uid"; $seen{"$f $uid"}=1}'
It made me wonder if there's a tool like 'sort' or 'uniq' that works with streams that never close...

I'm also surprised that NFSD doesn't have a debug or logging option.

Cheers,
Scott
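
A streaming "uniq" for this pipeline, as an added example that is not part of the original posts: it parses the probe lines, accepts multi-digit uids, and keeps a bounded LRU cache so memory stays flat on a stream that never closes. The line shape is assumed from the regex in the post above; `SeenCache`, `unique_events`, the sample lines and the script name `nfs_uniq.py` are hypothetical.

```python
"""De-duplicate a never-ending stream of dtrace probe lines (added example)."""
import re
import sys
from collections import OrderedDict

# Assumed line shape, taken from the regex in the post above:
#   "<cpu> <id> nfsvno_namei:entry <name> [uid=<n>]"
LINE_RE = re.compile(r":entry (?P<name>.*) \[uid=(?P<uid>\d+)\]\s*$")

# Constructed sample lines, used when stdin is a terminal.
SAMPLE = [
    "CPU     ID                    FUNCTION:NAME",
    "  0  54321              nfsvno_namei:entry report.txt [uid=1001]",
    "  1  54321              nfsvno_namei:entry report.txt [uid=1001]",
    "  0  54321              nfsvno_namei:entry my file [v2].txt [uid=65534]",
]

def parse(line):
    """Return (name, uid) for a probe line, or None for headers and noise."""
    m = LINE_RE.search(line)
    return (m.group("name"), int(m.group("uid"))) if m else None

class SeenCache:
    """Bounded LRU set, so memory stays flat however long the stream runs."""
    def __init__(self, max_entries=100_000):
        self.max_entries = max_entries
        self._seen = OrderedDict()

    def first_time(self, key):
        if key in self._seen:
            self._seen.move_to_end(key)  # refresh recency
            return False
        self._seen[key] = True
        if len(self._seen) > self.max_entries:
            self._seen.popitem(last=False)  # evict the least recently seen
        return True

def unique_events(lines, cache=None):
    """Yield each (name, uid) pair the first time it appears in `lines`."""
    cache = SeenCache() if cache is None else cache
    for line in lines:
        event = parse(line)
        if event is not None and cache.first_time(event):
            yield event

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for name, uid in unique_events(source):
        print(f"{name}\t{uid}", flush=True)  # flush so a pipe sees it live
```

Usage: `/usr/sbin/dtrace -s /tmp/nfs.dtrace | python3 nfs_uniq.py`. A pair evicted from the cache is reported again the next time it appears, which is the trade-off for bounded memory.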
 

Peter Eriksson


> I'm also surprised that NFSD doesn't have a debug or logging option.

I've also been a bit frustrated by the lack of debugging (visibility) options - so I've been patching the kernel a bit whenever I've had the need for seeing what is happening (when debugging problems). Some of those patches you can also find at the GitHub project mentioned above.

The main reason that it isn't easy to link an IP address to NFS operations is that inside the kernel you don't have a hard "link" between those two. NFS packets may arrive via multiple paths (IPv4 and IPv6) and/or source IP addresses and they will be handled correctly since an NFS client is identified via "ClientID" - not IP addresses.

For NFSv4 you can display ClientID's associated with ClientAddr via the "nfsdumpstate" tool.
 