Find path of executable having problem

Hi

I cannot find the path to a running process on a host.
I looked and tried some suggestions in forums to no avail.
Can someone please help? I need to know where this process is starting from, as we have several versions in multiple directories.

--------- Process name

1201 1 0 Feb 14 ? 17151:37 ./pis2

--------- I'm running

uname -a
SunOS 5.10 Generic_141444-09 sun4v sparc SUNW,SPARC-Enterprise-T5120

----------- PS command options

ps [ -aAdeflcjLPyZ ] [ -o format ] [ -t termlist ]
[ -u userlist ] [ -U userlist ] [ -G grouplist ]
[ -p proclist ] [ -g pgrplist ] [ -s sidlist ] [ -z zonelist ]

------------------- content of /proc directory for the process

-r-------- 1 radmin tis 10184 Feb 14 2011 xmap
-r-------- 1 radmin tis 0 Feb 14 2011 watch
-r--r--r-- 1 radmin tis 256 Feb 14 2011 usage
-r-------- 1 radmin tis 1232 Feb 14 2011 status
-r-------- 1 radmin tis 1536 Feb 14 2011 sigact
lr-x------ 1 radmin tis 0 Feb 14 2011 root ->
-r-------- 1 radmin tis 6432 Feb 14 2011 rmap
-r--r--r-- 1 radmin tis 336 Feb 14 2011 psinfo
-r-------- 1 radmin tis 72 Feb 14 2011 priv
dr-x------ 2 radmin tis 9520 Feb 14 2011 path
-r-------- 1 radmin tis 119328 Feb 14 2011 pagedata
dr-x------ 2 radmin tis 1312 Feb 14 2011 object
dr-xr-xr-x 8 radmin tis 128 Feb 14 2011 lwp
-r--r--r-- 1 radmin tis 1856 Feb 14 2011 lusage
-r-------- 1 radmin tis 5432 Feb 14 2011 lstatus
-r--r--r-- 1 radmin tis 680 Feb 14 2011 lpsinfo
dr-x------ 2 radmin tis 8208 Feb 14 2011 fd
lr-x------ 1 radmin tis 0 Feb 14 2011 cwd ->
--w------- 1 radmin tis 0 Feb 14 2011 ctl
-r-------- 1 radmin tis 36 Feb 14 2011 cred
dr-x------ 2 radmin tis 32 Feb 14 2011 contracts
-r-------- 1 radmin tis 152 Feb 14 2011 auxv
-rw------- 1 radmin tis 922820608 Feb 14 2011 as
dr-x--x--x 5 radmin tis 832 Feb 14 2011 .
-r-------- 1 radmin tis 6432 Feb 9 2012 map

Try:

pwdx 1201

Your ./pis2 process is running under PID 1 with a PPID 0, which is quite interesting ... I would suggest running lsof on the PID but that will not be accurate with that PID 1 (see man lsof) ... try running lsof on the different versions of the file ... also check if any of them execs to run in the background ...

Also check the svcsadm for services that you are not familiar with ... if still an issue, reboot the server when you have the time and see if the process still comes up ...

More generally 'lsof' tells you every file open in every process, including sockets and their connections.

However, lsof is usually not available on Solaris machines. There are hopefully ways to get the information lsof provides with standard Solaris tools.

To get the full path of the command run you can use this simple command:

ls -l /proc/<pid>/path/a.out

Hi - Thanks for your replies

Just Ice & DGPickett>>
lsof was the first command I tried, but it is not available on this install. So no go there.

---------------------------

jlliagre >> I will try your command ls -l /proc/<pid>/path/a.out. I tried to run other similar commands but
could not see the content, just garbled data. But I will try it tomorrow as I'm not at work at the moment.

-----------------------
bartus11 >> pwdx - OK, I will try it if it is available on Solaris

I usually had no problem finding this info on Red Hat with lsof or from the proc directory. I tried a bunch of other code I found online but no dice.

I hope to have better luck with the two commands suggested here. I will report back.

pwdx is definitely a standard Solaris command and shows the current directory of a process. This is enough to answer your question given the relative PATH used to run your command.

The solution I suggested is more general and hopefully doesn't output garbled data.


That will only be true if the process didn't change its current directory after starting.

The pmap utility will show you the executable:

bash-3.2$ pmap $$
22255:    bash
08044000      16K rw---    [ stack ]
08050000     644K r-x--  /usr/bin/bash
08100000      80K rwx--  /usr/bin/bash
08114000     180K rwx--    [ heap ]
FE980000      56K r-x--  /lib/libsocket.so.1
FE99E000       4K rw---  /lib/libsocket.so.1
FEBE0000    1280K r-x--  /usr/lib/libc/libc_hwcap1.so.1
FED20000      28K rwx--  /usr/lib/libc/libc_hwcap1.so.1
FED27000       8K rwx--  /usr/lib/libc/libc_hwcap1.so.1
FED30000     624K r-x--  /lib/libnsl.so.1
FEDDC000      16K rw---  /lib/libnsl.so.1
FEDE0000      20K rw---  /lib/libnsl.so.1
FEEE0000      64K rwx--    [ anon ]
FEEF8000       4K rwxs-    [ anon ]
FEF00000      24K rwx--    [ anon ]
FEF10000       4K rwx--    [ anon ]
FEF20000       4K r-x--  /lib/libdl.so.1
FEF30000       4K rwx--    [ anon ]
FEF40000     180K r-x--  /lib/libcurses.so.1
FEF7D000      28K rw---  /lib/libcurses.so.1
FEF84000       8K rw---  /lib/libcurses.so.1
FEF90000       4K rwx--    [ anon ]
FEFA0000       4K rw---    [ anon ]
FEFB0000       4K rw---    [ anon ]
FEFBE000     180K r-x--  /lib/ld.so.1
FEFFB000       8K rwx--  /lib/ld.so.1
FEFFD000       4K rwx--  /lib/ld.so.1
 total      3480K

Good point.

Indeed, there are many ways to skin a cat!

The lsof tool is open source, written at Purdue originally, so you can port it in if the local security model allows. Vic Abell's Home Page

Since all executables are symlinked into /proc as a.out on Solaris, that is the native solution. The ls -l of the symlink shows the original position. It might get funny if the executable is deleted, as in sent to */lost+found/ until all fd are closed.

/proc/[pid]/object/a.out is not a soft link in Solaris 10:

-bash-3.00$ ls -la /proc/$$/object/a.out
-r-xr-xr-x   1 root     bin       611132 May  2  2007 /proc/5181/object/a.out

Nor Solaris 11:

-bash-4.1$ ls -la /proc/$$/object/a.out
-r-xr-xr-x   1 root     bin      1377712 Sep 19  2012 /proc/7275/object/a.out

If it were a soft link as it is on Linux, finding the actual binary would be trivial in all cases.

@achenle, it is trivial and it is a soft link on Solaris too. You misread my answer, I'm not suggesting the "object" subdirectory but the "path" one:

# uname -a
SunOS s10u10.local.net 5.10 Generic_147441-01 i86pc i386 i86pc
# ls -l /proc/$$/object/a.out
-r-xr-xr-x   3 root     bin       171412 May  2  2011 /proc/2059/object/a.out
# ls -l /proc/$$/path/a.out
lrwxrwxrwx   1 root     root           0 Jul 17 08:22 /proc/2059/path/a.out -> /usr/bin/ksh
$ uname -a
SunOS s11-1 5.11 11.1 i86pc i386 i86pc
$ ls -l /proc/$$/object/a.out
-r-xr-xr-x   4 root     bin      2558000 Sep 19  2012 /proc/3390/object/a.out
$ ls -l /proc/$$/path/a.out
lrwxrwxrwx   1 jlliagre staff          0 Jul 17 08:26 /proc/3390/path/a.out -> /usr/bin/amd64/ksh
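
The two native approaches from this thread (the /proc/<pid>/path/a.out symlink and the pmap listing) combined into one script, as an added example that is not part of any poster's reply. PROC_ROOT and the function names are assumptions introduced here; the pmap fallback treats the first r-x file mapping as the executable, which matches the sample output earlier in the thread but is a heuristic.

```shell
#!/bin/sh
# Added example: report which binary a PID is running from, using only
# stock Solaris sources (no lsof). PROC_ROOT is an assumption added so
# the functions can be pointed at a copy or test tree instead of /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# Print a symlink's target via ls -l, so readlink(1) is not required.
# Fails if the path is not a symlink or the target reads back empty.
link_target() {
    [ -h "$1" ] || return 1
    t=$(ls -l "$1" 2>/dev/null | sed -n 's/.* -> //p')
    [ -n "$t" ] && printf '%s\n' "$t"
}

# Full path of the executable: path/a.out is the symlink.
# object/a.out is a regular file and carries no path information.
exe_path() { link_target "$PROC_ROOT/$1/path/a.out"; }

# Current directory, the same fact pwdx reports. It only equals the
# start directory if the process never changed directory after launch.
# (The cwd link directly under /proc/<pid> shows an empty target.)
cwd_path() { link_target "$PROC_ROOT/$1/path/cwd"; }

# Fallback: read pmap output on stdin and print the first mapping that
# is r-x and backed by an absolute path (heuristic, see lead-in).
exe_from_pmap() {
    awk '$3 ~ /^r-x/ && $4 ~ /^\// { print $4; exit }'
}

# Prefer the symlink; fall back to parsing live pmap output.
locate_exe() {
    exe_path "$1" && return 0
    pmap "$1" 2>/dev/null | exe_from_pmap | grep .
}

# Usage: sh locate_exe.sh 1201   (run as the process owner or root)
if [ $# -gt 0 ]; then
    echo "exe: $(locate_exe "$1" || echo unknown)"
    echo "cwd: $(cwd_path "$1" || echo unknown)"
fi
```

Comparing the two lines of output shows directly whether a relative name such as ./pis2 can still be resolved against the current directory or whether the process has moved since it started.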

Well, thanks. Learn something new every day.

I wonder when that was added to Solaris. I'm guessing Solaris 10.

No, 17 years old, but /proc is an area many try to stay out of! If nothing else, it is not UNIX portable. It is probably mostly fake, like /dev/fd/0 -- not really there, but intercepted and equivalents used, like dup( 0 ) for open( "/dev/fd/0", ... ). http://en.wikipedia.org/wiki/Procfs#Solaris

Yes.
This was added to Solaris in June 2004 (Solaris Express) and in the Solaris 10 first release the next year.