How can I "shadow" the filesystem on Linux?
An example for the LVM solution mentioned before.
Caveat: The filesystem you want to diff has to be on a lvm logical volume! (And you have to have some free space on disk.)
# lvcreate --size 2G --name your-fs-snapshot --snapshot /dev/vg0/your-fs Logical volume "your-fs-snapshot" created
This takes a snapshot of /dev/vg0/your-fs at that moment. Then, do the changes you want to have recorded.
You can mount your snapshot as a copy of your-fs in the original state and diff with the tool of your choice, e.g. diff.
# mount /dev/vg0/your-fs-snapshot /mnt # diff -q /original/volume/subdir /mnt/subdir
Do not forget to unmount and remove your snapshot, since while doing this, changes to the original volume are recorded as reverse diffs to the snapshot - until that fills up.
# umount /mnt # lvremove /dev/vg0/your-fs-snapshot Do you really want to remove active logical volume your-fs-snapshot? [y/n]: y Logical volume "your-fs-snapshot" successfully removed
Hint: If your logical volume contains a partition-table, you can add device entries via:
# kpartx -av /dev/vg0/your-disk-snapshot
You can create a LVM snapshot, then mount the snapshot, run the script, then do a diff between the snapshot and the original.
Before today's fancy snapshotting and tracing technologies, people solved this problem through clever use of the LD_PRELOAD environment variable, which lets you override C library functions with your own replacements (called function interposition). In this situation, you would wrap the open() system call, and when files are opened for writing you could:
- Preserve the original (e.g., with a
.bakextension or something) - Allow the installer to replace it
- Produce a diff of the original vs. the modified version.
The installwatch program is one example of this sort of thing. There are many other examples of this sort of solution, and there are also lots of other ways of using LD_PRELOAD to modify the behavior of binary programs.