Linux file systems and logs

1. Overview of inodes and blocks

Files are stored on disk, and the smallest unit of storage on a traditional disk is the sector, which holds 512 bytes. (Newer "Advanced Format" disks use 4096-byte physical sectors, but 512 bytes is the value the rest of this section assumes.)

The operating system does not read one sector at a time, which would be far too slow; it reads several consecutive sectors in one go, i.e. one "block".

A block, made up of several consecutive sectors, is the smallest unit of file access. The most common block size is 4 KB, i.e. eight consecutive 512-byte sectors.

File data lives in blocks, but the file's metadata also needs somewhere to live: who created the file, when it was created, how large it is, and so on.

The area that stores this metadata is called the inode (index node), also written i-node.

Every file occupies exactly one inode and, as soon as it contains any data, at least one block.

2. The metadata an inode holds

(1) Contents of an inode:

The file's size in bytes, the owner's UID and GID, the read/write/execute permission bits, the hard-link count, the three timestamps, and the numbers of the blocks that hold the data. The inode does not hold the file name; the name lives in the directory entry (see section 3).

(2) atime, mtime and ctime in detail:

Name      Short   Meaning                            Updated by                                                  View with
Access    atime   when the data was last read        reading the data (creation sets all three)                   ls -lu
Modify    mtime   when the data was last written     writing or otherwise changing the content                    ls -l
Change    ctime   when the inode was last changed    write, chmod, chown, rename, adding or removing a hard link  ls -lc

Two points that are often misread: ctime is the inode *change* time, not the creation time (ext2/ext3 store no creation time at all; ext4 records a birth time that stat on recent coreutils shows as "Birth", but no ls option displays it), and atime is only updated when the mount options allow it: with the default relatime a read bumps atime only if it is older than mtime/ctime or more than a day old, and noatime never updates it. No ordinary system call sets ctime to an arbitrary value (touch -d only sets atime and mtime), which makes ctime the most trustworthy of the three when investigating a file that may have been tampered with.
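The following script, added here as an illustration and not part of the original post, shows which timestamps each operation touches, including the forensic point that back-dating mtime with touch still moves ctime forward. It assumes Linux with GNU coreutils (stat -c, touch -d, date -d); the file names and the 2000-01-01 date are arbitrary.

```shell
#!/bin/sh
# Added example (not from the original post): watch which of the three
# timestamps each operation updates. Uses GNU stat; %X %Y %Z are atime,
# mtime and ctime in whole seconds, hence the 1 s sleeps between steps.

# Create a throw-away file and print its path.
make_demo_file() {
    d=$(mktemp -d)
    echo hello > "$d/demo.txt"
    printf '%s\n' "$d/demo.txt"
}

times_of() { stat -c 'atime=%X mtime=%Y ctime=%Z' "$1"; }
mtime_of() { stat -c %Y "$1"; }
ctime_of() { stat -c %Z "$1"; }

# Returns 0 if chmod changed ctime and left mtime alone (metadata-only change).
chmod_touches_only_ctime() {
    f=$(make_demo_file)
    m0=$(mtime_of "$f"); c0=$(ctime_of "$f")
    sleep 1
    chmod 600 "$f"
    m1=$(mtime_of "$f"); c1=$(ctime_of "$f")
    rm -rf "$(dirname "$f")"
    [ "$m0" = "$m1" ] && [ "$c0" != "$c1" ]
}

# Returns 0 if appending data changed both mtime and ctime (the content
# changed, and so did the inode's size field).
append_touches_mtime_and_ctime() {
    f=$(make_demo_file)
    m0=$(mtime_of "$f"); c0=$(ctime_of "$f")
    sleep 1
    echo more >> "$f"
    m1=$(mtime_of "$f"); c1=$(ctime_of "$f")
    rm -rf "$(dirname "$f")"
    [ "$m0" != "$m1" ] && [ "$c0" != "$c1" ]
}

# Returns 0 if touch -d back-dated mtime while ctime still moved forward:
# an attacker can forge mtime to hide a modified file, but not ctime.
backdating_mtime_still_bumps_ctime() {
    f=$(make_demo_file)
    c0=$(ctime_of "$f")
    sleep 1
    touch -d '2000-01-01 00:00:00' "$f"
    m1=$(mtime_of "$f"); c1=$(ctime_of "$f")
    rm -rf "$(dirname "$f")"
    [ "$m1" = "$(date -d '2000-01-01 00:00:00' +%s)" ] && [ "$c1" != "$c0" ] && [ "$c1" -gt "$m1" ]
}

# Stand-alone run: show a fresh file's timestamps, then run the three checks.
f=$(make_demo_file); times_of "$f"; rm -rf "$(dirname "$f")"
for check in chmod_touches_only_ctime append_touches_mtime_and_ctime backdating_mtime_still_bumps_ctime; do
    if "$check"; then echo "ok   $check"; else echo "FAIL $check"; fi
done
```

The checks deliberately avoid atime, because whether a read updates it depends on the relatime/noatime mount options rather than on the file system itself.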

3. Structure of a directory file

(1) A directory is itself a file.

(2) The content of a directory file is a list of entries, each pairing a name with an inode number:

                               file name 1    inode number 1
                               file name 2    inode number 2
                               ...            ...

Every file has an inode number, and the inode number is what the operating system uses to tell files apart.

Internally, Linux does not work with file names; it identifies files by inode number. To the system, a file name is just a human-friendly alias for an inode number.

4. Inode numbers

(1) What the system does when opening a file:

1> look up the file name in the directory to find its inode number;
2> use the inode number to fetch the inode;
3> read the block numbers recorded in the inode, locate the data blocks and read the data.

An inode is typically 128 or 256 bytes. Among other things it records the number of every block that belongs to the file; each block number takes 4 bytes.

In the classic ext2/ext3 layout an inode has 15 block-number slots: 12 direct, 1 single-indirect, 1 double-indirect and 1 triple-indirect.

"Indirect" means that the 4-byte block number in the inode does not point at file data but at a block that itself holds a list of block numbers of the data blocks.

With 4 KB blocks, one indirect block holds 4096 / 4 = 1024 block numbers, so the single-indirect slot can address 1024 * 4 KB = 4096 KB (4 MB) of file data.

Double indirection adds a level: the slot points at a block of 1024 block numbers, each of which points at another block of 1024 block numbers. With 4 KB blocks the double-indirect slot can address 1024 * 1024 * 4 KB = 4096 MB (4 GB).

Triple indirection adds one more level on top of that; with 4 KB blocks it can address 1024 * 1024 * 1024 * 4 KB = 4096 GB (4 TB). Adding the 12 direct blocks (48 KB) and the lower tiers gives the largest file this block map can describe, a little over 4 TB.

(ext4 uses extents instead of this block map by default, so its limits differ: 16 TB per file with 4 KB blocks. The figures above describe ext2/ext3 and ext4 inodes created without the extents feature.)
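The tier arithmetic above, as an added shell example that is not part of the original post. It generalises the 4 KB case to any block size and block-number width, and prints each tier so the 4 MB / 4 GB / 4 TB figures can be checked; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the block-map
# arithmetic for any block size and block-number width, with a per-tier
# breakdown. Shell arithmetic is 64-bit in dash and bash, which the
# triple-indirect tier needs.

# Number of block numbers one indirect block can hold.
ptrs_per_block() { echo $(( $1 / ${2:-4} )); }

# Bytes reachable through each slot type: direct (12 slots), single, double, triple.
direct_bytes() { echo $(( 12 * $1 )); }
single_bytes() { n=$(ptrs_per_block "$1" "$2"); echo $(( n * $1 )); }
double_bytes() { n=$(ptrs_per_block "$1" "$2"); echo $(( n * n * $1 )); }
triple_bytes() { n=$(ptrs_per_block "$1" "$2"); echo $(( n * n * n * $1 )); }

# Largest file the 12 + 1 + 1 + 1 scheme can address, in bytes.
max_file_bytes() {
    b=$1 p=${2:-4}
    total=$(( $(direct_bytes "$b") + $(single_bytes "$b" "$p") ))
    total=$(( total + $(double_bytes "$b" "$p") + $(triple_bytes "$b" "$p") ))
    echo "$total"
}

# Human-readable breakdown for one block size.
show_tiers() {
    b=$1 p=${2:-4}
    printf 'block %5d B, %d-byte block numbers (%d per indirect block)\n' \
        "$b" "$p" "$(ptrs_per_block "$b" "$p")"
    printf '  direct  : %16d B\n' "$(direct_bytes "$b")"
    printf '  single  : %16d B\n' "$(single_bytes "$b" "$p")"
    printf '  double  : %16d B\n' "$(double_bytes "$b" "$p")"
    printf '  triple  : %16d B\n' "$(triple_bytes "$b" "$p")"
    printf '  maximum : %16d B\n' "$(max_file_bytes "$b" "$p")"
}

show_tiers 4096 4    # the figures used in the text: 4 MB, 4 GB, 4 TB tiers
show_tiers 1024 4    # the classic ext2 1 KB-block case, just over 16 GB
```

The 1 KB run explains a limit many administrators have met on old ext2 volumes: with only 256 block numbers per indirect block the triple-indirect tier tops out at 16 GB, which is why file systems created with small blocks could not hold large database or image files.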

5. Deleting a file by its inode number

(1) Format: find ./ -inum <inode number> -exec rm -i {} \;

(2) When a file name contains characters that are awkward to type or quote (a leading "-", spaces, newlines, control characters), look up its inode number with ls -i and delete it by that number instead. Note that -inum matches every name of that inode under the search path, so for a hard-linked file all of its names below that path are removed, and the same inode number on a different file system is a different file, so keep the search scoped (./ or -xdev).
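The procedure of sections 3 to 5 end to end, as an added example that is not part of the original post: a file with a hostile name is created, its inode number is read from the directory entry, and it is removed through find -inum without the name ever being typed. It assumes Linux with GNU stat and find; the file names are invented.

```shell
#!/bin/sh
# Added example (not from the original post): the directory maps names to
# inode numbers (section 3), so a file with a hostile name can be addressed
# by its number (section 5). Uses GNU stat and find.

inode_of() { stat -c %i "$1"; }

# Create a file whose name starts with "-" and contains a newline, then
# remove it by inode number rather than by name. Returns 0 if the file is
# gone and the rest of the directory is untouched.
delete_by_inode_demo() {
    d=$(mktemp -d)
    bad="$(printf -- '-rf tricky\nname')"      # a name you would not want to pass to rm by hand
    : > "$d/$bad"
    : > "$d/innocent"
    ino=$(inode_of "$d/$bad")

    # ls -i prints the inode number next to each name; this is how you would
    # find the number interactively (the name with the newline spans two lines).
    ls -i "$d"

    # -inum selects by inode number, so the name never has to be typed or
    # quoted. -xdev keeps the search on one file system, because inode
    # numbers are only unique within a file system.
    find "$d" -xdev -inum "$ino" -exec rm -f -- {} \;

    [ ! -e "$d/$bad" ] && [ -e "$d/innocent" ]
    result=$?
    rm -rf "$d"
    return "$result"
}

delete_by_inode_demo && echo "removed by inode number"
```

rm -i in the original command asks before each removal; the example uses rm -f because the inode number was just read and the search path is a private scratch directory. On a real system, keep -i until you have seen exactly which names find matched.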

8. What to do when a file system runs out of inodes

A file system has a fixed number of inodes, chosen when it was formatted, so it can report "No space left on device" while df -h still shows free space. Check with df -i: when IUse% reaches 100% the usual cause is a very large number of small files (mail spools, session files, cache directories). Remedies:

  • delete unused files (the inode is released when its last name is removed and no process still holds the file open)
  • back up the data, reformat the file system with more inodes (mkfs.ext4 -N <count>, or a smaller -i bytes-per-inode ratio), and restore the backup
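Before deleting anything you need to know where the inodes went. The script below, added here and not part of the original post, ranks the subdirectories of a path by the number of inodes beneath them and runs the check on a constructed scratch tree so it can be tried safely. It assumes Linux with GNU df/find; the "sessions" directory name is made up.

```shell
#!/bin/sh
# Added example (not from the original post): when df -i says the inodes are
# gone, find which directories hold them. Counts directory entries per
# subdirectory with find -xdev so the count stays on one file system, which
# is where inodes are actually accounted.

# Inode usage of the file system that holds PATH.
inode_usage() { df -i "$1"; }

# List the TOP subdirectories of DIR with the most inodes under them, one per
# line as "<count> <path>", largest first. The count is of lines of find
# output, so a name containing a newline is counted twice.
inode_hogs() {
    dir=$1 top=${2:-5}
    for sub in "$dir"/*/ "$dir"/.[!.]*/; do
        [ -d "$sub" ] || continue
        printf '%s %s\n' "$(find "$sub" -xdev | wc -l)" "${sub%/}"
    done | sort -rn | head -n "$top"
}

# Build a scratch tree in which one directory hoards inodes; print that
# directory's path if inode_hogs ranks it first.
inode_hogs_demo() {
    d=$(mktemp -d)
    mkdir "$d/quiet" "$d/sessions"
    i=0
    while [ $i -lt 3 ]; do : > "$d/quiet/f$i"; i=$((i + 1)); done
    i=0
    while [ $i -lt 40 ]; do : > "$d/sessions/sess_$i"; i=$((i + 1)); done
    worst=$(inode_hogs "$d" 1 | awk '{print $2}')
    rm -rf "$d"
    [ "$worst" = "$d/sessions" ] && echo "$worst"
}

inode_usage /tmp
inode_hogs_demo
```

Run inode_hogs on the mount point that df -i reports as full, then drill into the top entry; a directory of tens of thousands of session or cache files is the usual culprit.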

9. Hard links

(1) Syntax: ln <source file> <link name>

(2) Properties:

  A hard link is a new directory entry that points at the existing inode, so the link and the source have the same inode number and the inode's link count goes up by one. Hard links cannot be made to directories and cannot cross file systems, because inode numbers are only unique within one file system. Deleting one name does not affect access through the other; the data is freed only when the last name is removed and no process still has the file open.

10. Soft (symbolic) links

(1) Syntax: ln -s <source file or directory> <link name>

(2) Properties:

  A soft link is a separate file with its own inode, so its inode number differs from the source's. It can point at a directory and can cross file systems, because its content is nothing more than the path of the source. Reading the link is transparently redirected to the source, but if the source is moved, renamed or deleted the link dangles and access through it fails with "No such file or directory".

11. Hard links compared with soft links

                            Hard link                     Soft link
Points to                   inode number                  file name (path)
Inode number                same as the source            different from the source
Directories                 not allowed                   allowed
Across file systems         not allowed                   allowed
Source deleted, renamed     link still works              link breaks (dangling)
or moved
Command                     ln <source> <link>            ln -s <source> <link>
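Every row of the table, checked in a scratch directory by the following script, which is an added example and not part of the original post. It assumes Linux with GNU coreutils (stat -c, readlink); the file names are invented.

```shell
#!/bin/sh
# Added example (not from the original post): build one source file, one hard
# link and one symbolic link, then check the properties in the comparison
# table. Needs GNU stat/readlink (coreutils).

# Create a scratch directory with src, hard (ln) and soft (ln -s); print its path.
make_links() {
    d=$(mktemp -d)
    echo payload > "$d/src"
    ln "$d/src" "$d/hard"          # a new name for the same inode
    ln -s "$d/src" "$d/soft"       # a new inode whose data is the path "$d/src"
    printf '%s\n' "$d"
}

# Hard link: identical inode number, and the inode's link count is now 2.
hard_link_shares_inode() {
    d=$1
    [ "$(stat -c %i "$d/src")" = "$(stat -c %i "$d/hard")" ] &&
    [ "$(stat -c %h "$d/src")" = 2 ]
}

# Symlink: its own inode (stat without -L reports the link itself), and its
# content is the target path.
soft_link_has_own_inode() {
    d=$1
    [ "$(stat -c %i "$d/src")" != "$(stat -c %i "$d/soft")" ] &&
    [ "$(readlink "$d/soft")" = "$d/src" ]
}

# Directories: ln refuses, ln -s works.
dir_link_rules() {
    d=$1
    mkdir "$d/sub"
    ! ln "$d/sub" "$d/sub_hard" 2>/dev/null &&
    ln -s "$d/sub" "$d/sub_soft" && [ -d "$d/sub_soft" ]
}

# Renaming the source: the hard link still reaches the data, the symlink
# still exists (-L) but no longer resolves (! -e). Run this one last.
rename_keeps_hard_breaks_soft() {
    d=$1
    mv "$d/src" "$d/renamed"
    [ "$(cat "$d/hard")" = payload ] &&
    [ -L "$d/soft" ] && [ ! -e "$d/soft" ]
}

# Stand-alone run.
D=$(make_links)
for check in hard_link_shares_inode soft_link_has_own_inode dir_link_rules rename_keeps_hard_breaks_soft; do
    if "$check" "$D"; then echo "ok   $check"; else echo "FAIL $check"; fi
done
rm -rf "$D"
```

The dangling-symlink case is the one that matters for security reviews: a check such as [ -e "$path" ] on a symlink tells you about the target, not the link, so code that validates a path and then opens it can be redirected by whoever controls the link.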

12. The role of log files

Log files record the runtime information of a Linux system; they are the host's "diary". Different log files record different kinds of information: kernel messages, user login events, program errors, and so on.

Log files are valuable for diagnosing and resolving system problems, because programs running on Linux normally write their status and error messages to the appropriate log file, so when something goes wrong there is a record to consult.

When a host is attacked, the log files are also where the attacker's traces are found, which is exactly why attackers clear or truncate them; forwarding logs to a separate collector preserves the evidence even when the host's own copy is wiped.

13. Classification of log files

(1) Kernel and system logs:

On CentOS/RHEL 6 and later, both kernel messages and the messages of the various system services are handled by the rsyslog service. Where each kind of message ends up is set in its main configuration file, /etc/rsyslog.conf.

Common selector syntax in /etc/rsyslog.conf (each rule is "facility.priority  action"; several selectors separated by ";" are applied left to right, so a later selector can remove what an earlier one selected):

  • ".level": log this priority and every more severe one. Example: "*.info" logs info, notice, warning, err, crit, alert and emerg from all facilities.
  • ".=level": log only that priority. Example: "*.=debug"
  • ".!level": exclude that priority and everything more severe from what was selected so far; ".!=level" excludes exactly that priority. Example: "*.*;mail.!info" or "mail.*;mail.!=info"
  • "none" as the priority drops the facility entirely. Example: "*.info;mail.none" logs everything at info and above except mail.
  • "-" in front of the output file: do not sync the file to disk after every message; writes are buffered and flushed in batches, which costs far less disk I/O at the risk of losing the last few lines in a crash. Example: "-/var/log/maillog". rsyslog already buffers by default and only honours the distinction when $ActionFileEnableSync is on.

(2) User logs:

Record users logging in to and out of the system: user name, terminal, login time, source host and the process in use. These live in the binary files /var/log/wtmp, /var/log/btmp and /var/log/lastlog and are read with who, w, last, lastb and lastlog rather than cat.

(3) Program logs:

Some applications keep their own log files instead of going through rsyslog, and record the events that occur while the program is running there (the web server's access and error logs, for example).

14. Location of log files

The system's own log files and those of most default server programs are kept under /var/log/. Some programs share a log file; others have one of their own.

Large servers that produce several log files get their own subdirectory under /var/log/, which keeps the directory structure clear and makes a given log quick to find.

15. Common log files and how to view them

Log file             What it records                                                          View with
/var/log/messages    kernel messages and general messages from many applications: service    cat, less, tail -f
                     startup, I/O errors, network errors and other program faults
/var/log/cron        timing information for the periodic tasks run by crond                  cat
/var/log/dmesg       kernel messages emitted while the system booted                         cat, dmesg
/var/log/maillog     mail received by or sent from the system                                cat
/var/log/lastlog     each user's most recent login                                           lastlog
/var/log/secure      security-related authentication events (sshd, su, sudo, PAM)            cat, grep
/var/log/wtmp        every user login and logout, plus system boots and shutdowns            last (who and w show current sessions from utmp)
/var/log/btmp        failed and rejected login attempts                                      lastb

lastlog, wtmp and btmp are binary files: cat shows nothing useful and grep will not find anything in them, so use the tools listed. On Debian-based systems the counterpart of /var/log/secure is /var/log/auth.log and that of /var/log/messages is /var/log/syslog.

16. Log message levels

The Linux kernel and syslog classify messages by importance into a fixed set of levels (priorities). Numerically, 0 is the highest priority, i.e. the most important message, and 7 the lowest.

Level   Name      Meaning
0       EMERG     emergency: the system is unusable
1       ALERT     action must be taken immediately
2       CRIT      critical condition
3       ERR       run-time error
4       WARNING   significant event that may affect the system; the user should be warned
5       NOTICE    normal but noteworthy condition
6       INFO      informational message
7       DEBUG     program or system debugging information

"none" is not a level; it is an rsyslog selector keyword meaning "log nothing from this facility".
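The priority table and the selector rules of section 13(1) as executable logic, added here and not part of the original post. It mirrors the per-facility priority mask that sysklogd-style daemons build while reading a rule's selectors left to right; the function names are this example's own, and rsyslog's newer RainerScript filters are not covered.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an rsyslog rule
# such as "*.info;mail.none;authpriv.none;cron.none  /var/log/messages" would
# write a message of a given facility and priority. Selectors are applied
# left to right as a selected/not-selected state, like the priority mask in
# sysklogd/rsyslog. Only the classic selector syntax is handled.

# Priority name -> number. 0 is the most severe; lower number = higher priority.
prio_num() {
    case $1 in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            echo 99 ;;    # unknown name: never matches a real priority
    esac
}

# Does FACILITY appear in the comma-separated LIST, or is the list "*"?
facility_listed() {
    list=$1 fac=$2
    [ "$list" = '*' ] && return 0
    case ",$list," in *",$fac,"*) return 0 ;; esac
    return 1
}

# apply_selector SELECTOR FACILITY PRIORITY STATE -> prints the new state (0/1)
apply_selector() {
    sel=$1 fac=$2 pri=$3 state=$4
    sel_fac=${sel%%.*}; sel_pri=${sel#*.}
    if ! facility_listed "$sel_fac" "$fac"; then echo "$state"; return; fi
    msg=$(prio_num "$pri")
    case $sel_pri in
        none)  state=0 ;;                                                    # drop the facility
        '*')   state=1 ;;                                                    # every priority
        '!='*) [ "$msg" -eq "$(prio_num "${sel_pri#!=}")" ] && state=0 ;;    # clear exactly this one
        '!'*)  [ "$msg" -le "$(prio_num "${sel_pri#!}")" ] && state=0 ;;     # clear this one and more severe
        '='*)  [ "$msg" -eq "$(prio_num "${sel_pri#=}")" ] && state=1 ;;     # select exactly this one
        *)     [ "$msg" -le "$(prio_num "$sel_pri")" ] && state=1 ;;         # select this one and more severe
    esac
    echo "$state"
}

# rule_fires RULE FACILITY PRIORITY -> exit 0 and print the action if the
# message would be written by this rule, exit 1 otherwise.
rule_fires() {
    rule=$1 fac=$2 pri=$3
    selectors=${rule%%[[:space:]]*}
    action=${rule#*[[:space:]]}
    action=${action#"${action%%[![:space:]]*}"}     # trim leading blanks
    state=0
    rest=$selectors
    while [ -n "$rest" ]; do                        # split on ";" without globbing
        s=${rest%%;*}
        state=$(apply_selector "$s" "$fac" "$pri" "$state")
        [ "$rest" = "$s" ] && break
        rest=${rest#*;}
    done
    [ "$state" -eq 1 ] && printf '%s\n' "$action"
}

# Stand-alone run: where does an sshd message (authpriv.info) go under the
# stock CentOS rules, and which rule catches a kernel error?
for rule in '*.info;mail.none;authpriv.none;cron.none  /var/log/messages' \
            'authpriv.*  /var/log/secure' \
            'mail.*  -/var/log/maillog'; do
    printf '%-52s authpriv.info -> %s   kern.err -> %s\n' "$rule" \
        "$(rule_fires "$rule" authpriv info || echo '(dropped)')" \
        "$(rule_fires "$rule" kern err || echo '(dropped)')"
done
```

The first rule is the one that surprises people: "*.info" selects authpriv messages, and the later "authpriv.none" removes them again, which is why sshd authentication lines appear in /var/log/secure and not in /var/log/messages.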

17. Notes on log analysis

A competent system administrator stays alert to anything suspicious and checks the system logs both regularly and at random: general messages, network connection logs, file transfer logs and user login records. When reading them, look for anomalous times and operations. Phenomena that deserve a closer look include:

    • a user logging in at an unusual time, or from an IP address that differs from the one the user normally uses
    • failed login records, especially repeated, consecutive failures against one account or from one source
    • illegal or improper use of superuser privileges (su, sudo)
    • network services being restarted for no known reason or without authorisation
    • abnormal log records: truncated logs, or a log file such as wtmp with a stretch of entries missing from the middle
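The first three checks in that list, run over a few /var/log/secure-style lines by the script below. It is an added example, not part of the original post; the log lines are constructed for it (the hosts, users and RFC 5737 addresses are invented), and on a real host /var/log/secure or /var/log/auth.log would be piped in instead. It assumes a POSIX awk and the standard OpenSSH and sudo message formats.

```shell
#!/bin/sh
# Added example (not from the original post): the triage checks listed above
# over a few constructed /var/log/secure-style lines. The sample is invented
# for this example; on a real host pipe in /var/log/secure (RHEL family) or
# /var/log/auth.log (Debian family). Every function reads the log from stdin.

SAMPLE_SECURE='Mar  3 02:14:07 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:09 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:12 web1 sshd[2312]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:15 web1 sshd[2314]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar  3 02:14:19 web1 sshd[2316]: Accepted password for root from 203.0.113.7 port 51033 ssh2
Mar  3 09:30:41 web1 sshd[2402]: Accepted publickey for alice from 192.0.2.10 port 40012 ssh2
Mar  3 09:31:02 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd
Mar  3 11:05:33 web1 sshd[2450]: Failed password for bob from 192.0.2.22 port 40100 ssh2
Mar  3 11:05:40 web1 sshd[2450]: Accepted password for bob from 192.0.2.22 port 40100 ssh2'

# Source addresses with at least MIN failed password attempts: "<ip> <count>".
brute_force_sources() {
    awk -v min="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }' | sort
}

# Successful logins whose hour is outside [START, END): the "unusual time" check.
off_hours_logins() {
    awk -v start="${1:-8}" -v end="${2:-18}" '
        /sshd\[[0-9]+\]: Accepted/ {
            hour = substr($3, 1, 2) + 0          # $3 is HH:MM:SS
            if (hour < start || hour >= end) print
        }'
}

# Sources that failed at least once and then got in: a guess that eventually
# worked, or a typo; either way worth a look.
failures_then_success() {
    awk '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
        }
        /Accepted (password|publickey)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && failed[$(i + 1)]) { print $(i + 1); delete failed[$(i + 1)] }
        }' | sort
}

# Commands run as root through sudo: "<user> <command>".
root_via_sudo() {
    awk '/ sudo: / && /USER=root/ {
        user = $6                                # "Mar 3 time host sudo: user : ..."
        cmd = $0; sub(/.*COMMAND=/, "", cmd)
        print user, cmd
    }'
}

# Stand-alone run over the sample.
report() {
    printf '== sources with >= 3 failed passwords ==\n'; printf '%s\n' "$SAMPLE_SECURE" | brute_force_sources 3
    printf '== logins outside 08:00-18:00 ==\n';       printf '%s\n' "$SAMPLE_SECURE" | off_hours_logins 8 18
    printf '== failures followed by success ==\n';     printf '%s\n' "$SAMPLE_SECURE" | failures_then_success
    printf '== commands run as root via sudo ==\n';    printf '%s\n' "$SAMPLE_SECURE" | root_via_sudo
}
report
```

On the sample, the checks converge on the same story: four failed passwords from 203.0.113.7 at 02:14, then a successful root login from the same address three seconds later, which is the pattern the first two bullets describe and the one to escalate first. Run the functions over the rotated files as well (secure-20240303 and friends), since an intrusion rarely fits inside the current file.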

Source: www.cnblogs.com/cxm123123form/p/11402147.html