环境
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- IP networking (IPv4 or IPv6)
问题
- 如何判断哪个进程从网络接口中删除了IP地址?
- IP地址从绑定或以太网接口随机消失,如何判断哪个程序负责?
决议
创建delip.stp文件,如下:
#!/usr/bin/env stap #Usage: stap delip.stp global AF_INET = 2; global AF_INET6 = 10; probe begin { printf ("Probing started... ") } probe end { printf("Probing stopped. ") } probe kernel.function("__inet_del_ifa").call { printf("%s: %s(%d) deleting IPv4 address %s from device %s ", ctime(gettimeofday_s()), execname(), pid(), format_ipaddr($ifap->ifa_address, AF_INET), kernel_string($in_dev->dev->name)) } probe module("ipv6").function("inet6_addr_del").return { printf("%s: %s(%d) deleting IPv6 address %s from device index %d ", ctime(gettimeofday_s()), execname(), pid(), format_ipaddr($pfx, AF_INET6), $ifindex) }
此脚本需要SystemTap:
- 什么是SystemTap以及如何使用它?
SystemTap首先要求系统在RHN / RHSM中注册到debuginfo通道:
- 如何下载debuginfo包?
运行以下命令以安装SystemTap并设置所需的debuginfo:
yum install systemtap stap-prep
运行上面的脚本:
stap delip.stp
然后重现消失的IP。
有关示例输出和触发SystemTap探针的示例,请参阅下面的“诊断步骤”部分。
如果更改IP的命令是通用工具(如ip或ifconfig),您可能希望使用auditd来监视该工具的执行情况。审计守护程序可以报告用户名和父PID,以识别运行该命令的人员:
- 如何配置auditd audit daemon以监视特定文件?
根源
- IP addresses are stored in a list of
struct in_ifaddrin astruct in_device, which is pointed to by*ip_ptrinstruct net_device. - IP地址存储在struct in_device中的struct in_ifaddr列表中,该结构由struct net_device中的* ip_ptr指向。
- The function which removes an IP from that list is
inet_del_ifa()which is a wrapper for__inet_del_ifa() - 从该列表中删除IP的函数是inet_del_ifa(),它是__inet_del_ifa()的包装器
- The above SystemTap script watches which processname and PID calls
__inet_del_ifa()then says which IP that process is deleting from which interface. - 上面的SystemTap脚本监视哪个processname和PID调用__inet_del_ifa()然后说明该进程正在从哪个接口删除哪个IP。
诊断步骤
上面的SystemTap脚本将产生如下输出:
# stap delip.stp Probing started... Wed Nov 5 06:27:53 2014: ip(19838) deleting IP address 192.168.0.1 from device dummy0
此输出是以下命令的结果:
# modprobe dummy # ip addr add 192.168.0.1/24 dev dummy0 # ip addr del 192.168.0.1/24 dev dummy0
这也适用于IPv6地址:
# ip addr add 2001::1/128 dev dummy0 # ip addr del 2001::1/128 dev dummy0 # stap delip.stp Probing started... Thu Nov 6 02:31:40 2014: ip(27573) deleting IPv6 address 2001:0000:0000:0000:0000:0000:0000:0001 from device index 3
可以使用ip link确定IPv6设备索引
# ip link | egrep "^3" 3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN