How to Track Child Process Using Strace

How to track child process using strace?

strace -f to trace child process that's fork()ed.

I need to trace all child processes created by given process in Linux (or POSIX system)

If you mean get that info at a certain moment of time it's not that simple, you may want to check my answers to these questions for additional things to consider:

Linux: the most reliable way to terminate a family of processes
Python script to monitor process and sub-processes

IMHO the easiest way to obtain various process information at a certain moment is from files under the /proc/<pid> directory, see http://man7.org/linux/man-pages/man5/proc.5.html

If you want the (historical) info for the entire lifespan of a process strace may capture some of it (but it can be performance impacting, donno if that works for you): https://superuser.com/questions/79869/will-strace-watch-system-calls-recursively-on-child-processes-of-the-main-proces

Why strace -f can't trace the child progress after |?

From the strace manual (emphasis mine).

-f Trace child processes as they are created by
currently traced processes as a result of the fork(2),
vfork(2) and clone(2) system calls.

The traced process in your case is the first cat process. The second cat process is not a child of the first cat process. The fork is done by the shell.

One way to achieve what you want is to trace the shell:

strace -f bash -c "cat a.txt| cat"

tracking all child process spawned by a root process

sttace can provide that info. But you may have to parse the output to get just the info you are interested in.

strace -f -e trace=process <executable>

That will trace all child processes of <executable> and will trace only the process related syscalls (essentially wait, fork, clone and exec).

Strace, how to see the fork syscall?

Current versions of Linux provide a system call named clone(2) (see https://linux.die.net/man/2/clone and scroll down to the description of sys_clone), which is a general system call for creating new tasks. There are options to determine exactly what resources the new task should share with its parent (memory, file descriptors, etc), so that the system call can be used to create new processes or new threads or anything in between. Although the kernel still provides a fork system call for backward compatibility, current versions of glibc implement fork() in terms of clone(2) instead.

Thus, even though you may see a call to fork() in the source code of sh, the output of strace will show a clone system call. So you should look for that instead of fork.

PID of all child processes of a command

Update: In the comments below my answer it turned out that:

I need something that observes the creation of all child processes during a span of time. Given that, filtering to isolate my subtree will not be difficult.

... was the intention behind the question and it was for debugging purposes.

In that case I'd recommend to use strace like this:

strace -f command

-f will track child processes - recursively. Since forking and exec-ing requires system calls, strace will list any child creation plus the pids.

Original answer:

You can use pgrep for that:

run_process &
pid=${!}
pgrep --parent "${pid}"
wait # wait for run_process to finish

Btw, you may want to use the pstree command, it is nice to use:

run_process &
pid=${!}
pstree -p "${pid}"
wait # wait for run_process to finish

Anyhow, you'll need to install pstree.

How to Track Child Process Using Strace