I have a nice idea for optimizing the readahead behaviour of a system: why not “learn” this behaviour during boot, incrementally improving it each run?

Now you’d probably say: do you want to run all your processes with an LD_PRELOAD, modify your libc or your kernel? ;-)

Well, the last is certainly the easiest way, and you actually do not need to modify recent kernels. There is a tiny audit system included that you can easily use to attach to the “open” and “execve” system calls. Each time these are called, a message is sent over netlink. Supposedly this is very efficient. It is included in recent 2.6 kernels.

Now what I’d like to do is have a daemon record the first time a file is opened or run using this hook. I had a look at “auditd”, the tool written by the author of that kernel extension. I log into a ramdisk, and stop logging after 60 seconds (when my system certainly is up; if you are running sysvinit you can stop it at S99 of course).

Well, so much for the theory. Practice is a bit different, unfortunately. Somehow, auditd is missing a couple of events and I get quite a few “lost audits” logged to the console. I’m not really sure how they fit together:

  • according to these lost events the queue is far from its maximum, so auditd seems to be processing events quite okay.

The other problem is the number of events logged: a lot of accesses to /proc are logged (fortunately I haven’t tried combining this with bootchart…) that play absolutely no role for readahead, but occur in big numbers.

While the audit framework and auditd should allow me to put a filter onto the device id, all open and execve calls are somehow logged with device=00:00, so there is no way of filtering there. :-(

But this is a problem I probably can fix quite easily by filtering myself in auditd. It’s open source, after all. The first problem is more difficult.
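
The user-space filtering described above, as an added example that is not part of the original post or of auditd: it turns audit records into a first-use file list, dropping /proc-style paths by prefix because the device field is useless. The record layout, the sample lines and the names `readahead_list`, `decode` and `SAMPLE_LOG` are assumptions made for illustration.

```python
import os
import re
# Constructed sample records (assumed layout: SYSCALL/CWD/PATH of one event share an id).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1100000000.101:1): syscall=11 success=yes exit=0
type=PATH msg=audit(1100000000.101:1): name="/sbin/init" dev=00:00
type=SYSCALL msg=audit(1100000000.205:2): syscall=5 success=yes exit=3
type=PATH msg=audit(1100000000.205:2): name="/proc/cmdline" dev=00:00
type=SYSCALL msg=audit(1100000000.310:3): syscall=5 success=yes exit=3
type=CWD msg=audit(1100000000.310:3): cwd="/etc"
type=PATH msg=audit(1100000000.310:3): name="inittab" dev=00:00
type=SYSCALL msg=audit(1100000000.402:4): syscall=5 success=no exit=-2
type=PATH msg=audit(1100000000.402:4): name="/etc/missing" dev=00:00
type=SYSCALL msg=audit(1100000000.515:5): syscall=5 success=yes exit=3
type=PATH msg=audit(1100000000.515:5): name=2F6574632F6D7920636F6E66 dev=00:00
type=SYSCALL msg=audit(1100000000.620:6): syscall=11 success=yes exit=0
type=PATH msg=audit(1100000000.620:6): name="/sbin/init" dev=00:00
"""
RECORD = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SKIP = ('/proc/', '/sys/', '/dev/')  # dev= is always 00:00, so filter by path

def decode(value):  # quoted = literal, bare = hex-encoded by the audit tools
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace')
    except ValueError:
        return None  # not a path, e.g. name=(null)

def readahead_list(log_text):
    """Return successfully opened/executed files in first-use order."""
    events = {}  # event id -> state; dicts keep insertion order
    for m in filter(None, map(RECORD.match, log_text.splitlines())):
        rtype, eid, rest = m.groups()
        f = dict(FIELD.findall(rest))
        ev = events.setdefault(eid, {'ok': False, 'cwd': '/', 'names': []})
        if rtype == 'SYSCALL':
            ev['ok'] = f.get('success') == 'yes'
        elif rtype == 'CWD' and 'cwd' in f:
            ev['cwd'] = decode(f['cwd']) or '/'
        elif rtype == 'PATH' and 'name' in f:
            ev['names'].append(decode(f['name']))
    ordered = {}  # used as an insertion-ordered set
    for ev in events.values():
        for name in filter(None, ev['names'] if ev['ok'] else []):
            path = os.path.normpath(os.path.join(ev['cwd'], name))
            if not path.startswith(SKIP):
                ordered.setdefault(path)
    return list(ordered)
```

Failed opens are skipped because a file that could not be opened gives readahead nothing to fetch, and relative names are resolved against the event's CWD record so the list holds absolute paths only.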