2

In my example, the wc program is trying to open the test FIFO or named pipe.
These in-progress open syscalls seem not to be shown by fuser or lsof:

    mknod /tmp/testpipe p
    wc /tmp/testpipe &
    timeout 0.2 strace -p $! |& timeout 0.1 cat; echo
    strace: Process 10103 attached
    open("/tmp/testpipe", O_RDONLY
    fuser /tmp/testpipe   # no output
    lsof | grep testpipe  # no output

How to find processes trying to open some FIFO in Linux systems?

2
  • Consider using inotifywait to watch opens of the pipe. This question and answer don't give a script/command for your use case, but they show the general use and options that you should be able to customize: unix.stackexchange.com/questions/724480/… Commented Jul 18, 2024 at 14:17
  • @SottoVoce, using inotifywait needs me to begin searching for processes before these processes appear, but I'm looking for processes that are already running (blocking) at the time I'm searching for them. Commented Aug 20, 2024 at 10:31

2 Answers

3

As you hinted, the challenge you're seeing is that the open() call hasn't completed; it's blocking waiting for a writer to open. Since the pipe isn't open, yet, it won't show in fuser or lsof or in /proc/<pid>/fd; no file handle has been associated with it!

We can see what processes are waiting for a pipe to open; e.g.

    % grep pipe_wait /proc/*/stack
    /proc/12104/stack:[<ffffffffa1665520>] pipe_wait+0x70/0xc0

So we can see PID 12104 is waiting for a pipe, but this doesn't tell us what pipe. But we can potentially use this information and the timeout strace you've already used to see...

e.g.

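    #!/bin/bash
    # Reading /proc/*/stack and attaching strace to other users' processes typically needs root.
    want=/tmp/testpipe
    cd /proc || exit
    # Candidates: processes whose kernel stack shows them sleeping in pipe_wait.
    grep -s pipe_wait */stack | cut -d/ -f1 | while read -r p
    do
      # Attach briefly; strace prints the interrupted syscall, including its path.
      x=$(timeout 0.2 strace -p "$p" 2>&1)
      # Fixed-string match so characters in the path are not treated as a regex.
      if grep -qF -- "$want" <<<"$x"
      then
        echo "Process $p is trying to open $want"
        ps -p "$p"
      fi
    done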

This results in output similar to

    Process 12104 is trying to open /tmp/testpipe
      PID TTY          TIME CMD
    12104 pts/1    00:00:00 wc
0

Assuming Linux here due to the appearance of strace. You did not specify, though. Similar mechanisms exist for *BSD systems, too.

It would seem to me you would need to hook into every open call and catch those that open your path. You can do so, at relatively low overhead, using eBPF. The bpftools package ships bpftrace, which can interpret scripts that do so.

In fact, if you install bpftrace on your system, you'll probably find a /usr/share/bpftrace/tools directory full of examples. You can simply run opensnoop from that!

1
  • This would help to identify processes appearing after starting to search for them, but I'm looking for processes that are already running (blocking) at that time. (After all, I did specify Linux in the second last word of the question.) Commented Aug 20, 2024 at 9:34
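An added example, not part of the original thread: a way to find processes already blocked in open() on a path without attaching strace, by reading the in-progress syscall from /proc/PID/syscall and fetching the pathname argument from /proc/PID/mem. It assumes x86_64 syscall numbers (open = 2, openat = 257) and enough privilege to read other processes' /proc entries (normally root); the function names are hypothetical.

```python
#!/usr/bin/env python3
"""List PIDs currently blocked in open()/openat() on a given path (x86_64 Linux)."""
import os
import sys

# x86_64 syscall number -> index of the pathname argument (assumption: x86_64 ABI)
PATH_ARG = {2: 0, 257: 1}  # open(path, ...), openat(dirfd, path, ...)

def parse_syscall(text):
    """Parse /proc/PID/syscall. Returns (nr, [6 args]) or None when not in a syscall."""
    fields = text.split()
    if len(fields) < 7:
        return None  # "running", or "-1 sp pc" (blocked outside a syscall)
    return int(fields[0]), [int(a, 16) for a in fields[1:7]]

def read_cstring(mem_path, addr, limit=4096):
    """Read a NUL-terminated string from the target's memory via /proc/PID/mem."""
    with open(mem_path, "rb", buffering=0) as mem:
        mem.seek(addr)
        return mem.read(limit).split(b"\0", 1)[0].decode(errors="replace")

def blocked_openers(target, proc="/proc"):
    """Return sorted PIDs whose in-progress open()/openat() names `target`."""
    want = os.path.abspath(target)
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "syscall")) as f:
                call = parse_syscall(f.read())
            if call is None or call[0] not in PATH_ARG:
                continue
            path = read_cstring(os.path.join(base, "mem"), call[1][PATH_ARG[call[0]]])
            # Relative names are resolved against the process cwd; an openat()
            # relative to a real directory fd is not handled here.
            cwd = os.readlink(os.path.join(base, "cwd"))
        except (OSError, ValueError):
            continue  # process exited, or no permission to inspect it
        if os.path.normpath(os.path.join(cwd, path)) == want:
            hits.append(int(entry))
    return sorted(hits)

if __name__ == "__main__":
    for pid in blocked_openers(sys.argv[1] if len(sys.argv) > 1 else "/tmp/testpipe"):
        print(f"Process {pid} is blocked opening the requested path")
```

Paths are compared textually after normalisation, so a process that reached the FIFO through a symlink will not match.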
