preface
We all know that under Linux, “everything is a file”, so sometimes it is important to check the open status of a file, and there is a command that can help us in this matter – it is lsof.
What files are available under Linux
Before introducing the lsof command, let’s briefly describe the main files in Linux:
- Common file
- directory
- A symbolic link
- Block-oriented device files
- Character-oriented device files
- Pipes and named pipes
- The socket
The above file types are not described in detail.
This section describes the usage of the lsof command
Lsof, short for List Open Files. It takes a lot of arguments, but we’ll cover only some practical uses here (note that some cases require root permission to perform).
View all files that are currently open
In general, entering the lsof command directly produces so many results that it may be difficult to find the information we need. But just to show you what information a record has.
$lsof COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME vi 27940 hyb 7u REG 8,15 16384 137573 /home/hyb/.1.txt.swpCopy the code
Lsof displays the following results from left to right: program name, process ID, user, file descriptor, file type, device, size, iNode number, and file name.
Let’s focus for the moment on the columns that we know. This record indicates that the vi program whose process ID is 27940 has opened a REG regular file in the /home/hyb directory with the file description value 7 in the read/write state.1.txt.swap the current size is 16384 bytes.
List files that have been deleted but are taking up space
In a production environment, we might use the df command that disk space is full, but in fact it is difficult to find again filled the space of the file, this is often due to a large file to be deleted, but it is a process to open, cause I can’t find any signs of it by means of ordinary, the most common is the log file. We can use lsof to find files like this:
$lsof | grep does Xorg 1131 root 125 u REG 0, 5, 4, 61026 / memfd: xshmfence (does) Xorg 1131 root 126 u REG 0, 5 4, 62913 /memfd:xshmfence (deleted) Xorg 1131 root 129u REG 0,5 4 74609 /memfd:xshmfence (deleted)Copy the code
You can see that deleted but still open files are marked deleted when they are eventually found. At this point, the actual situation can be analyzed, exactly which files may be too large but have been deleted, resulting in space is still full.
Restores open but deleted files
Before we can find the deleted but still open file, in fact, the file does not really disappear, if it is accidentally deleted, we still have a means to restore it. Take the /var/log/syslog file as an example, let’s delete it first (root user) :
$  rm /var/log/syslog
Copy the code
Then use lsof to see which process opens the file:
$lsof | grep syslog rs: main REG 8, 10, 78419 528470 993 1119 syslog 5 w/var /log/syslog (deleted)
Copy the code
The file descriptor is open for each process under /proc:
$ ls -l /proc/993/fd
lr-x------ 1 root root 64 3月 5 18:30 0 -> /dev/null
l-wx------ 1 root root 64 3月 5 18:30 1 -> /dev/null
l-wx------ 1 root root 64 3月 5 18:30 2 -> /dev/null
lrwx------ 1 root root 64 3月 5 18:30 3 -> socket:[15032]
lr-x------ 1 root root 64 3月 5 18:30 4 -> /proc/kmsg
l-wx------ 1 root root 64 3月 5 18:30 5 -> /var/log/syslog (deleted) L -wx------ 1 root root 64 March 5 18:306 -> /var/log/auth.log
Copy the code
Here we find the deleted syslog file with file descriptor 5 and redirect it:
$ cat /proc/993/fd/5 > syslog
$ ls -al /var/log/ syslog-rw-r --r-- 1 root root 78493 3月 5 19:22 /var/log/syslog
Copy the code
This restores the syslog file.
See which processes open the current file
Windows often deletes a file and tells you that a program is in use, but doesn’t tell you which program it is. We can search for files in the handle of the Explorer – Performance – Resource Monitor – CPU – association to find the program that opened the file, but the search speed is impressive.
Linux is easier, using the lsof command, for example, to see which programs are currently open hello.c:
$lsof hello.c COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME tail 28731 hyb 3r REG 8,15 228 138441 helloCopy the code
However, we find that hello. C opened with vi is not found because vi opened a temporary copy. Let’s find it another way:
$lsof | grep hello. C tail 28906 hyb 3 r REG 8, 15, 228, 138441 / home/hyb/workspaces/c/hello.html vi 28933 hyb 9 c u REG 8, 15, 12288 137573 /home/hyb/workspaces/c/.hello.c.swpCopy the code
So we find two programs that are associated with the hello.c file.
The purpose of grep is to list only the qualified results from all the results.
Check whether a directory file is opened
$ lsof +D ./
Copy the code
See which files are open for the current process
Usage: the lsof -c process name is usually used to locate problems in the program, such as to see which libraries are used by the current process, which files are open, and so on. Suppose we have a hello program that prints characters over and over again:
$lsof -c hello COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME hello 29190 hyb CWD DIR 8,15 4096 134538 /home/hyb/workspaces/c hello 29190 hyb RTD DIR 8,10 4096 2 / hello 29190 hyb TXT REG 8,15 9816 138314 / home/hyb/workspaces/c/hello hello 29190 hyb mem REG 8, 10, 1868984, 939763 - the gnu/Linux/lib/x86_64 - libc - 2.23 so hello, 29190 Hyb mem REG 8,10 162632 926913 /lib/x86_64-linux-gnu/ld-2.23.so hello 29190 hyb 0u CHR 136,20 0t0 23 /dev/pts/20 hello 29190 hyb 1u CHR 136,20 0t0 23 /dev/pts/20 hello 29190 hyb 2u CHR 136,20 0t0 23 /dev/pts/20Copy the code
We can see that at least it uses the /lib/x86_64-linux-gnu/libc-2.23.so and hello files.
The process ID can also be queried. Multiple process ids can be separated by commas (,) :
$lsof -p 29190 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME hello 29190 hyb CWD DIR 8,15 4096 134538 /home/hyb/workspaces/c hello 29190 hyb RTD DIR 8,10 4096 2 / hello 29190 hyb TXT REG 8,15 9816 138314 / home/hyb/workspaces/c/hello hello 29190 hyb mem REG 8, 10, 1868984, 939763 - the gnu/Linux/lib/x86_64 - libc - 2.23 so hello, 29190 Hyb mem REG 8,10 162632 926913 /lib/x86_64-linux-gnu/ld-2.23.so hello 29190 hyb 0u CHR 136,20 0t0 23 /dev/pts/20 hello 29190 hyb 1u CHR 136,20 0t0 23 /dev/pts/20 hello 29190 hyb 2u CHR 136,20 0t0 23 /dev/pts/20Copy the code
The proc filesystem is used to find the process ID of the Hello process:
$ ps -ef|grep hello
hyb 29190 27929 0 21:14 pts/20 00:00:00 ./hello 2
hyb 29296 28848 0 21:18 pts/22 00:00:00 grep --color=auto hello
Copy the code
The process id is 29190.
$ ls -l /proc/29190/fd
lrwx------ 1 hyb hyb 64 3月 2 21:14 0 -> /dev/pts/20
lrwx------ 1 hyb hyb 64 3月 2 21:14 1 -> /dev/pts/20
lrwx------ 1 hyb hyb 64 3月 2 21:14 2 -> /dev/pts/20
Copy the code
This method filters a lot of information because it only lists what the process actually turns on, and here it only turns on 1,2,3, standard input, standard output, and standard error.
Wechat public account [Programming] : focus on but not limited to sharing computer programming basics, Linux, C language, C++, data structures and algorithms, tools, resources and other programming related [original] technical articles.
The original address: www.yanbinghu.com/2019/03/05/…
Check whether a port is occupied
When using a database or enabling web services, you can always encounter a port occupancy problem. How to check whether a port is occupied?
$ lsof -i :6379
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
redis-ser 29389 hyb 6u IPv6 534612 0t0 TCP *:6379 (LISTEN)
redis-ser 29389 hyb 7u IPv4 534613 0t0 TCP *:6379 (LISTEN)
Copy the code
Here you can see that the Redis-ser process occupies port 6379.
View all TCP/UDP connections
$ lsof -i tcp
ava 2534 hyb 6u IPv6 31275 0t0 TCP localhost:9614 (LISTEN)
java 2534 hyb 22u IPv6 96922 0t0 TCP localhost:9614->localhost:39004 (ESTABLISHED)
java 2534 hyb 23u IPv6 249588 0t0 TCP localhost:9614->localhost:45460 (ESTABLISHED)
Copy the code
Of course we can also use the netstat command.
$ netstat -anp|grep 6379
Copy the code
The -i argument here can be dependent on a number of conditions:
- -i 4 #ipv4 address
- -i 6 #ipv6 address
- -i TCP # Indicates the TCP connection
- -i: port 3306 #
- -i @ip # INDICATES the IP address
Therefore, you can use the following method to view the connection established with an IP address:
$ lsof [email protected]
Copy the code
See which files a user has open
Linux is a multi-user operating system, so how do you know what files other ordinary users have open? You can use the -u argument
$lsof -u hybCopy the code
Lists files open except for a process or a user
Use the same method as before, but add ^ before the process ID or user name, for example:
lsof -p ^1 # list open files except for the process whose process id is 1
lsof -u ^root # list open files other than root
Copy the code
conclusion
The above description is based on a condition that can actually be combined, such as listing TCP socket files opened by process id 1:
lsof -p 1 -i tcp
Copy the code
There are many lsof parameters, you can use the man command to view the details, but for us, it is enough to know these practical basic.
Wechat public account [Programming] : focus on but not limited to sharing computer programming basics, Linux, C language, C++, data structures and algorithms, tools, resources and other programming related [original] technical articles.