Tracing open() syscalls during boot with journald
For debugging purposes, I needed to figure out which processes open and change a particular set of config files early during the boot process. I could have used inotify and set up a watch for these files, but since I was also interested in learning what other files the unknown processes open, I figured that this was an ideal opportunity to check out the eBPF tracing ecosystem. It turned out to be not just a nice example of how to (not) use bcc tools; in this post we will also learn a bit about the systemd journal.