Comment by westurner

Np. Distributed tracing tools for containers already do this but none have a --diff feature for logging what changed in changed files.

Does this command also track renames?

  sudo dtrace -n 'vfs::*:entry { printf("%-16s %-6d %s", execname, pid, probefunc); }'

Isn't it just a list of syscalls instead of vfs:*?

Actually, re: Dtrace on MacOS with SIP and apparently without sufficient symbols installed to trace kernel syscalls these days: https://jade.fyi/blog/misadventures-in-dtrace/ :

> My advice, and what I actually did, is to put macOS in a UTM.app VM with nothing of value in it, disable SIP in the VM, and do all further testing in there.

> Once inside a VM with SIP disabled (or with dtrace enabled as a fine-grained policy), DTrace works. dtruss gives some output like the following:

FWIU it is possible to trace Linux containers on Mac OS with e.g. cilium, only if the Linux containers are hosted in a Linux VM.