Created
October 9, 2024 06:48
-
-
Save maurorappa/1d56fbc513a8988a27f4d9a410d0575d to your computer and use it in GitHub Desktop.
Who does adjust my clock?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from man adjtimex : | |
| Linux uses David L. Mills' clock adjustment algorithm (see RFC 1305). The system call adjtimex() reads and optionally sets adjustment parameters for this algorithm. | |
| on Centos7 , you can use systemtap to monitor who calls this syscall. | |
| you need to install all kernel development and debuginfo packages and only then you can run this: | |
| #cat clock.stp | |
| probe kernel.function("sys_adjtimex") { printf("time adjusted by %s(%d)\n",execname(), pid()); } | |
| #stap -p4 clock.stp | |
| /root/.systemtap/cache/8a/stap_8ad42e72a9aa0b8416bab438afb7c930_2145.ko | |
| #staprun /root/.systemtap/cache/8a/stap_8ad42e72a9aa0b8416bab438afb7c930_2145.ko | |
| time adjusted by OsEngine(92827) | |
| time adjusted by OsEngine(92827) | |
| time adjusted by OsEngine(92827) | |
| on Rocky8, you can use the kernel tracing framework and ebpf, which it’s much safer : | |
| # cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_adjtimex/format | |
| name: sys_enter_adjtimex | |
| ID: 345 | |
| format: | |
| ….. | |
| field:int common_pid; offset:4; size:4; signed:1; | |
| ….. | |
| # bpftrace -e 'tracepoint:syscalls:sys_enter_adjtimex {printf("clock adjusted by pid %d\n",pid)}' | |
| Attaching 1 probe... | |
| clock adjusted by pid 199758 | |
| clock adjusted by pid 199758 | |
| clock adjusted by pid 199758 | |
| clock adjusted by pid 199758 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment