We have configured a Solaris zone to enable D-Trace functionality.
OS: SunOS vmsdev21dtrace1 5.10 Generic_147440-01 sun4v sparc SUNW,SPARC-Enterprise-T5220
We have been using D-Trace to monitor user activity (directory/file access...) on several Solaris 10 based servers, which consist of Global Solaris Zone servers.
D-Trace works perfectly when run on the Global Zone servers; however, it runs into several problems when run in Solaris Zone containers.
The problem we are experiencing when D-Trace is run in a Solaris zone is that the built-in D-Trace macro “cwd” fails to execute as expected, throwing the following error:
dtrace: error on enabled probe ID 3 (ID 4569: syscall::open64:return): invalid kernel access in action #2 at DIF offset 0
To put the error message into context, I have included the following code snippet:
arg0 > 0
uid == trace_uid_0 && execname != "bash"
printf("File READ: %s\n",this->file);
As can be seen, I am simply doing a printf ‘cwd’ to detect whenever a user reads a file in the syscall::open64:return call.
Once the printf("CWD: %s",cwd); line is removed from the code, the D-Trace script works as expected.
Taking all this into account, is this a bug in D-Trace or due to the fact that we are trying to get it to run in a virtualized platform?
Furthermore, is there a workaround we could try to capture the CWD, bearing in mind the number of providers within a Solaris Zone we have to work with is limited?