lsof is a tool that lists the files open on the current system. In Linux, everything exists in the form of a file. Through files you can access not only regular data but also network connections and hardware, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets. The system allocates a file descriptor for the application in the background, and regardless of the nature of the file, the file descriptor provides a common interface for the interaction between the application and the underlying operating system. Because an application's list of open file descriptors reveals a lot about the application itself, lsof can be used to view this list to monitor and troubleshoot the system.
Meaning of output information
Enter lsof in the terminal to display the files open on the system. Because lsof needs to access kernel memory and various files, it must be run as the root user to work fully.
[root@queen ~]# lsof /root/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
aliyun-se 757 root cwd DIR 253,1 4096 131073 /root
bash 17433 root cwd DIR 253,1 4096 131073 /root
lsof 17460 root cwd DIR 253,1 4096 131073 /root
lsof 17461 root cwd DIR 253,1 4096 131073 /root
Each line displays an open file. If no conditions are specified, all files opened by all processes will be displayed by default.
The columns of lsof output have the following meanings:
COMMAND: process name
PID: process identifier
USER: process owner
FD: file descriptor. The application identifies the file through the file descriptor, such as cwd, txt, etc.
TYPE: file type, such as DIR, REG, etc.
DEVICE: the disk (device) the file is on
SIZE: the size of the file
NODE: Inode (identification of file on disk)
NAME: the exact name of the file opened
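Meaning of common lsof options
lsof filename # show all processes that have the specified file open
lsof -c process -c process # show the files currently opened by the named processes; several programs can be listed at once
lsof -p pid1,pid2... # show which files the processes with the given process numbers have open
lsof -i # list all network connections
lsof -i[:service|port] # list who is using a particular tcp/udp port
service --> a service name from /etc/services (more than one may be given)
port --> port number (more than one may be given)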
lsof usage example
Recover deleted files
(1.1) If a process has a file open and the file is deleted by accident, we will want to restore it. As long as the process that has the file open has not been closed, the file can be recovered.
(1.2) The FD (file descriptor) in Linux is the same concept as the file handle in Windows. When a process opens a file, a corresponding file descriptor is created. When the process closes the file, the file descriptor or file handle is released.
(1.3) A common problem in production is that a maintenance engineer or developer uses the tail command to watch a log in real time, and then someone else deletes the log with rm. The disk space is not actually released, because the deleted file is still in use by a process and its file handle has not been released, that is, tail
What is a file
- A file is actually a link to an inode. The inode holds all the attributes of the file, such as permissions and owner, and the addresses of the data blocks (the file content is stored in these blocks on disk). When you delete (rm) a file, what is actually deleted is the link to the inode, not the content of the inode, and a process may still be using it. Only when all links to the inode have been removed can these data blocks be written with new data.
- The proc file system can help us recover data. Each process on the system has a directory of its own under /proc, named after its process number, which contains an fd (file descriptor) subdirectory holding links to all the files the process has open. If a file is deleted from the file system, a reference to its inode still exists here:
/proc/<process number>/fd/<file descriptor>
You need to know the process number (pid) and file descriptor (fd) of the open file. These can be easily obtained through the lsof tool.
Use the lsof command to troubleshoot
- If you know the file name, you can directly use the following command
lsof |grep file
- But if you don't know which file it is, or many files are affected, use the following command
lsof |grep deleted
- Use the kill command to release the file handle to free up space.
Suppose we accidentally deleted /var/log/messages
[root@queen home]# lsof | grep deleted
rsyslogd 759 root 4w REG 253,1 268564 264140 /var/log/messages (deleted)
in:imjour 759 781 root 4w REG 253,1 268564 264140 /var/log/messages (deleted)
rs:main 759 782 root 4w REG 253,1 268564 264140 /var/log/messages (deleted)
## 4 is the handle (file descriptor) number
[root@queen home]# ls -l /proc/759/fd/4
l-wx------ 1 root root 64 Oct 10 15:56 /proc/759/fd/4 -> /var/log/messages (deleted)
[root@queen home]# cp /proc/759/fd/4 /var/log/message
[root@queen home]# ls -l /var/log/message
-rw------- 1 root root 268564 Mar 5 14:16 /var/log/message
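The same procedure as a script, for hosts where lsof is not installed or several files are affected. This is an added example, not part of the original article: it reads /proc directly instead of parsing lsof output (which gains an extra TID column on thread rows, as in the listing above), and the function names list_deleted_open and recover_deleted are hypothetical.

```shell
#!/bin/sh
# Added example: find deleted-but-open files via /proc and copy one back out.

# list_deleted_open [PID...]: print "PID FD SIZE PATH" for every descriptor
# whose target has been unlinked. With no arguments, scan all processes.
list_deleted_open() {
    [ "$#" -gt 0 ] || set -- $(cd /proc && echo [0-9]*)
    for pid in "$@"; do
        for link in /proc/"$pid"/fd/*; do
            # readlink fails for processes we may not inspect or that exited
            target=$(readlink "$link" 2>/dev/null) || continue
            case $target in
                /*" (deleted)") ;;      # the kernel appends this marker
                *) continue ;;
            esac
            size=$(stat -L -c %s "$link" 2>/dev/null) || size='?'
            printf '%s %s %s %s\n' "$pid" "${link##*/}" "$size" \
                "${target% (deleted)}"
        done
    done
    return 0
}

# recover_deleted PID FD DEST: copy the still-open inode to DEST.
# Refuses to overwrite an existing file and creates DEST owner-only,
# because recovered logs are often sensitive.
recover_deleted() {
    pid=$1 fd=$2 dest=$3
    src=/proc/$pid/fd/$fd
    case $(readlink "$src" 2>/dev/null) in
        *" (deleted)") ;;
        *) echo "fd $fd of pid $pid is not a deleted file" >&2; return 1 ;;
    esac
    [ ! -e "$dest" ] || { echo "$dest exists, not overwriting" >&2; return 1; }
    ( umask 077 && cp -- "$src" "$dest" )
}

# Stand-alone use: report deleted-but-open files (run as root to see all).
list_deleted_open "$@"
```

The copy is a snapshot: the process keeps writing to the deleted inode, so the service still has to reopen its log (or be restarted) before the recovered file receives new entries and the old blocks are freed.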