开源的可以用IOtop软件查看!
Linux Kernel 2.6.20 以上的内核支持进程 IO 统计,可以用类似 iotop 这样的工具来监测每个进程对 IO 操作的情况,就像用 top 来实时查看进程内存、CPU 等占用情况那样。但是对于 2.6.20 以下的 Linux 内核版本就没那么幸运了,根据 Stack Overflow 的这篇回帖 给出的方法,VPSee 写了一个简单的 Python 脚本用来在 linux kernel < 2.6.20 下打印进程 IO 状况。
Kernel < 2.6.20
这个脚本的想法很简单,把 dmesg 的结果重定向到一个文件后再解析出来,每隔1秒钟打印一次进程 IO 读写的统计信息,执行这个脚本需要 root:
#!/usr/bin/python
# Monitoring per-process disk I/O activity
# written by http://www.vpsee.com
import sys, os, time, signal, re
class DiskIO:
def __init__(self, pname=None, pid=None, reads=0, writes=0):
self.pname = pname
self.pid = pid
self.reads = 0
self.writes = 0
def main():
argc = len(sys.argv)
if argc != 1:
print "usage: ./iotop"
sys.exit(0)
if os.getuid() != 0:
print "must be run as root"
sys.exit(0)
signal.signal(signal.SIGINT, signal_handler)
os.system('echo 1 > /proc/sys/vm/block_dump')
print "TASK PID READ WRITE"
while True:
os.system('dmesg -c > /tmp/diskio.log')
l = []
f = open('/tmp/diskio.log', 'r')
line = f.readline()
while line:
m = re.match(\
'^(\S+)\((\d+)\): (READ|WRITE) block (\d+) on (\S+)', line)
if m != None:
if not l:
l.append(DiskIO(m.group(1), m.group(2)))
line = f.readline()
continue
found = False
for item in l:
if item.pid == m.group(2):
found = True
if m.group(3) == "READ":
item.reads = item.reads + 1
elif m.group(3) == "WRITE":
item.writes = item.writes + 1
if not found:
l.append(DiskIO(m.group(1), m.group(2)))
line = f.readline()
time.sleep(1)
for item in l:
print "%-10s %10s %10d %10d" % \
(item.pname, item.pid, item.reads, item.writes)
def signal_handler(signal, frame):
os.system('echo 0 > /proc/sys/vm/block_dump')
sys.exit(0)
if __name__=="__main__":
main()
# Monitoring per-process disk I/O activity
# written by http://www.vpsee.com
import sys, os, time, signal, re
class DiskIO:
def __init__(self, pname=None, pid=None, reads=0, writes=0):
self.pname = pname
self.pid = pid
self.reads = 0
self.writes = 0
def main():
argc = len(sys.argv)
if argc != 1:
print "usage: ./iotop"
sys.exit(0)
if os.getuid() != 0:
print "must be run as root"
sys.exit(0)
signal.signal(signal.SIGINT, signal_handler)
os.system('echo 1 > /proc/sys/vm/block_dump')
print "TASK PID READ WRITE"
while True:
os.system('dmesg -c > /tmp/diskio.log')
l = []
f = open('/tmp/diskio.log', 'r')
line = f.readline()
while line:
m = re.match(\
'^(\S+)\((\d+)\): (READ|WRITE) block (\d+) on (\S+)', line)
if m != None:
if not l:
l.append(DiskIO(m.group(1), m.group(2)))
line = f.readline()
continue
found = False
for item in l:
if item.pid == m.group(2):
found = True
if m.group(3) == "READ":
item.reads = item.reads + 1
elif m.group(3) == "WRITE":
item.writes = item.writes + 1
if not found:
l.append(DiskIO(m.group(1), m.group(2)))
line = f.readline()
time.sleep(1)
for item in l:
print "%-10s %10s %10d %10d" % \
(item.pname, item.pid, item.reads, item.writes)
def signal_handler(signal, frame):
os.system('echo 0 > /proc/sys/vm/block_dump')
sys.exit(0)
if __name__=="__main__":
main()
Kernel >= 2.6.20
如果想用 iotop 来实时查看进程 IO 活动状况的话,需要下载和升级新内核(2.6.20 或以上版本)。编译新内核时需要打开 TASK_DELAY_ACCT 和 TASK_IO_ACCOUNTING 选项。解压内核后进入配置界面:
# tar jxvf linux-2.6.30.5.tar.bz2
# mv linux-2.6.30.5 /usr/src/
# cd /usr/src/linux-2.6.30.5
# make menuconfig
# mv linux-2.6.30.5 /usr/src/
# cd /usr/src/linux-2.6.30.5
# make menuconfig
选择 Kernel hacking –> Collect scheduler debugging info 和 Collect scheduler statistics,保存内核后编译内核:
# make; make modules; make modules_install; make install
修改 grub,确认能正确启动新内核:
# vi /boot/grub/menu.lst
出了新内核外,iotop 还需要 Python 2.5 或以上才能运行,所以如果当前 Python 是 2.4 的话需要下载和安装最新的 Python 包。这里使用源代码编译安装:
# tar jxvf Python-2.6.2.tar.bz2
# cd Python-2.6.2
# ./configure
# make; make install
# cd Python-2.6.2
# ./configure
# make; make install
别忘了下载 setuptools:
[code]# mv setuptools-0.6c9-py2.6.egg.sh setuptools-0.6c9-py2.6.egg
# sh setuptools-0.6c9-py2.6.egg
在 Python 中也可以像 gcc/gdb 那样调试程序,只要在运行 Python 程序时引入 pdb 模块(假设要调试的程序名为 d.py):
$ vi d.py
#!/usr/bin/python
def main():
i, sum = 1, 0
for i in xrange(100):
sum = sum + i
print sum
if __name__ == '__main__':
main()
$ python -m pdb d.py
#!/usr/bin/python
def main():
i, sum = 1, 0
for i in xrange(100):
sum = sum + i
print sum
if __name__ == '__main__':
main()
$ python -m pdb d.py
运行上面的命令后进入以下界面,可以输入类似 gdb 的命令来改变程序的执行流程:
$ python -m pdb 1.py
> d.py(3)()
-> def main():
(Pdb)
> d.py(3)()
-> def main():
(Pdb)
list 显示程序的最近代码段:
(Pdb) list
1 #!/usr/bin/python
2
3 -> def main():
4 i, sum = 1, 0
5 for i in xrange(100):
6 sum = sum + i
7 print sum
8
9 if __name__ == '__main__':
10 main()
[EOF]
next 或者 n 执行下一行代码:
(Pdb) next
> d.py(9)()
-> if __name__ == '__main__':
用 break 在第6行设置一个断点:
(Pdb) break d.py:6
Breakpoint 1 at d.py:6
(Pdb) list
1 #!/usr/bin/python
2
3 def main():
4 i, sum = 1, 0
5 -> for i in xrange(100):
6 B sum = sum + i
7 print sum
8
9 if __name__ == '__main__':
10 main()
[EOF]
Breakpoint 1 at d.py:6
(Pdb) list
1 #!/usr/bin/python
2
3 def main():
4 i, sum = 1, 0
5 -> for i in xrange(100):
6 B sum = sum + i
7 print sum
8
9 if __name__ == '__main__':
10 main()
[EOF]
如果想在函数处设置断点:
(Pdb) break d.main
d.py:3
(Pdb) list
1 #!/usr/bin/python
2
3 B def main():
4 -> i, sum = 1, 0
5 for i in xrange(100):
6 sum = sum + i
7 print sum
8
9 if __name__ == '__main__':
10 main()
[EOF]
d.py:3
(Pdb) list
1 #!/usr/bin/python
2
3 B def main():
4 -> i, sum = 1, 0
5 for i in xrange(100):
6 sum = sum + i
7 print sum
8
9 if __name__ == '__main__':
10 main()
[EOF]
还可以给断点加条件,比如设置条件只有当 sum > 50 的时候才 break:
(Pdb) break d.py:6, sum > 50
Breakpoint 1 at d.py:6
Breakpoint 1 at d.py:6
如果想查看某个变量的值,可以用 pp 命令打印出来:
(Pdb) step
> d.py(5)main()
-> for i in xrange(100):
(Pdb) pp sum
0
> d.py(5)main()
-> for i in xrange(100):
(Pdb) pp sum
0
可以直接在程序里使用 pdb 模块,import pdb 后 pdb.set_trace():
#!/usr/bin/python
import pdb
def main():
i, sum = 1, 0
for i in xrange(100):
sum = sum + i
pdb.set_trace()
print sum
if __name__ == '__main__':
main()
import pdb
def main():
i, sum = 1, 0
for i in xrange(100):
sum = sum + i
pdb.set_trace()
print sum
if __name__ == '__main__':
main()
这样只要运行程序 ./d.py 就可以直接运行到 print sum 处:
$ ./d.py
> d.py(9)main()
-> print sum
(Pdb)
> d.py(9)main()
-> print sum
(Pdb)
总结
IPdeny 下载以国家代码编制好的 IP 地址列表,比如下载 cn.zone:
有了国家的所有 IP 地址,要想屏蔽这些 IP 就很容易了,直接写个脚本逐行读取 cn.zone 文件并加入到 iptables 中:
#!/bin/bash
# Block traffic from a specific country
# written by vpsee.com
COUNTRY="cn"
IPTABLES=/sbin/iptables
EGREP=/bin/egrep
if [ "$(id -u)" != "0" ]; then
echo "you must be root" 1>&2
exit 1
fi
resetrules() {
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
}
resetrules
for c in $COUNTRY
do
country_file=$c.zone
IPS=$($EGREP -v "^#|^$" $country_file)
for ip in $IPS
do
echo "blocking $ip"
$IPTABLES -A INPUT -s $ip -j DROP
done
done
exit 0
以上脚本可以延伸成防ddos攻击!
