Brief introduction

lsof (list open files) is a tool that lists the files currently open on the system. In a Linux environment everything exists in the form of a file, and files provide more than access to ordinary data: they are also how network connections and hardware are accessed. For transmission control protocol (TCP) and user datagram protocol (UDP) sockets and the like, the system assigns a file descriptor to the application in the background; whatever the nature of the file, this file descriptor provides a common interface between the application and the underlying operating system. Because the list of file descriptors an application has open reveals a great deal about the application itself, being able to view that list with the lsof tool is helpful for system monitoring and troubleshooting.

Meaning of output information

Typing lsof at the terminal displays the files opened by the system. Because lsof needs to access kernel memory and various files, it must be run as the root user to make full use of its functionality.

Running lsof with no arguments produces output that includes, in part:

COMMAND     PID        USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME
init          1        root  cwd       DIR                8,1     4096          2 /
init          1        root  rtd       DIR                8,1     4096          2 /
init          1        root  txt       REG                8,1   150584     654127 /sbin/init
udevd       415        root    0u      CHR                1,3      0t0       6254 /dev/null
udevd       415        root    1u      CHR                1,3      0t0       6254 /dev/null
udevd       415        root    2u      CHR                1,3      0t0       6254 /dev/null
udevd       690        root  mem       REG                8,1    51736     302589 /lib/x86_64-linux-gnu/
syslogd    1246      syslog    2w      REG                8,1    10187     245418 /var/log/auth.log
syslogd    1246      syslog    3w      REG                8,1    10118     245342 /var/log/syslog
dd         1271        root    0r      REG                0,3        0 4026532038 /proc/kmsg
dd         1271        root    1w     FIFO               0,15      0t0        409 /run/klogd/kmsg
dd         1271        root    2u      CHR                1,3      0t0       6254 /dev/null

Each line shows one open file; if no condition is specified, all files opened by all processes are displayed by default.

The meaning of each column of lsof output is as follows:

COMMAND: the name of the process

PID: process identifier

USER: process owner

FD: file descriptor; the application identifies the file by its file descriptor, e.g. cwd, txt, etc.

TYPE: file type, e.g. DIR, REG, etc.

DEVICE: the name of the disk

SIZE: file size

NODE: the inode (the identity of the file on disk)

NAME: the exact name of the open file

In the FD column, the value cwd represents the current working directory of the application, which is the directory the application was started in unless it has changed directory itself. txt type files are program code, such as the application binary itself or shared libraries, as in the /sbin/init program in the listing above.

Next, a numeric value represents a file descriptor of the application, which is an integer returned when the file is opened. For example, for /dev/initctl the file descriptor is 10, and the u indicates that the file is open in read/write mode rather than read-only (r) or write-only (w) mode. There is also a capital W, which indicates that the application holds a write lock on the entire file; this lock is used to ensure that only one instance of the application can have the file open at a time. When any application starts it has three file descriptors, 0 to 2, which represent the standard input, output and error streams, so most files an application opens have FDs starting at 3.

Compared with FD, the TYPE column is more intuitive. Files and directories are REG and DIR; CHR and BLK represent character and block devices respectively; and UNIX, FIFO and IPv4 are UNIX domain sockets, first-in first-out (FIFO) queues and Internet protocol (IP) sockets respectively.

Common parameters

The lsof syntax is:

lsof [options] filename

lsof abc.txt          show the processes that have the file abc.txt open
lsof -c abc           show the files opened by processes whose command name begins with abc
lsof -p 1234          list the files opened by the process with PID 1234
lsof -g gid           show the processes belonging to group gid
lsof +d /usr/local/   show the files opened by processes in this directory
lsof +D /usr/local/   same, but also searches the subdirectories, which takes longer
lsof -d 4             show the processes that are using file descriptor 4
lsof -i               show the processes whose network files match the condition
lsof -i[46] [protocol][@hostname|hostaddr][:service|port]
  46 --> IPv4 or IPv6
  protocol --> TCP or UDP
  hostname --> Internet host name
  hostaddr --> IPv4 address
  service --> service name from /etc/services (there can be more than one)
  port --> port number (there can be more than one)

lsof usage examples

Find out who is using a file system

When unmounting a file system, the operation usually fails if any files on that file system are open. With lsof you can then find out which processes are using the file system you are trying to unmount, as follows:

bash 4208 root cwd DIR 3,1 4096 2 /GTES11/
vim  4230 root cwd DIR 3,1 4096 2 /GTES11/

In this example, the user root is doing something in the /GTES11 directory from two processes. One is a running bash instance whose current directory is /GTES11; the other is vim editing a file under /GTES11. To unmount /GTES11 successfully, these processes should be stopped, after notifying the user and making sure that doing so is safe. This example shows that the current working directory of an application matters, because it holds a file resource and can prevent the file system from being unmounted. That is why most daemons (background processes) change their directory to the root or to a service-specific directory (such as /var/spool/mqueue in the sendmail example): to prevent the daemon from blocking the unmount of unrelated file systems.

Recover deleted files

When a Linux machine is compromised, a common situation is that log files are deleted to cover the intruder's tracks. Administrative mistakes can also cause important files to be deleted unexpectedly; for example, when cleaning up old logs, the active transaction log of a database is deleted by accident. Sometimes these files can be recovered with lsof.
When a process opens a file, the file continues to exist on disk for as long as the process keeps it open, even if you delete it. This means the process does not know the file has been deleted, and it can still read and write through the file descriptor it was given when the file was opened. Apart from that process, the file is not visible, because its directory entry has been removed.
The /proc directory contains various files that reflect the kernel and the process tree. /proc is a mounted area that is mapped in memory, so these files and directories do not exist on disk; when we read and write them we are actually getting the relevant information from memory. Most of the information relevant to lsof is stored in a directory named after the process PID, i.e. /proc/1234 contains information about the process whose PID is 1234. Each process directory holds various files that make it easy for an application to learn the memory space of the process, its list of file descriptors, symbolic links to files on disk, and other system information. lsof uses this information, together with other information about the internal state of the kernel, to produce its output. That is why lsof can show the file descriptors of a process along with the associated file names, and why we can find information about a file by accessing the process's file descriptor.
When a file on the system is accidentally deleted, as long as some process on the system is still accessing the file, we can use lsof to recover its contents from the /proc directory. If /var/log/messages has been deleted by mistake, the method for recovering /var/log/messages is as follows.
First use lsof to see whether any process currently has /var/log/messages open, as follows:

# lsof | grep /var/log/messages
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)

From the information above you can see that PID 1283 (syslogd) has the file open on file descriptor 2, and that /var/log/messages is marked as deleted. So we can look at the corresponding information in /proc/1283/fd/2 (each numerically named file under fd represents the file descriptor of that number in the process), as follows:

# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version ([email protected]) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000e0000000 - 00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)

As the information above shows, reading /proc/1283/fd/2 gives the data you want to recover. If you can read the data through the file descriptor, you can use I/O redirection to copy it into a file, for example:

cat /proc/1283/fd/2 > /var/log/messages

For many applications, especially log files and databases, this method of recovering deleted files is very useful.
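As an added example that is not part of the original article, this script does by hand what the recovery steps above describe: it walks the same /proc/PID/fd symlinks that lsof reads to find files that are deleted but still held open, then copies one back out of its descriptor. It assumes a Linux /proc and the readlink(1) utility; the function names and the --list flag are my own.

```shell
#!/bin/sh
# Added example (not from the original article): walk the /proc/PID/fd
# symlinks that lsof itself reads, report descriptors whose target is
# marked "(deleted)", and copy one such file back out of the descriptor.
# Assumes a Linux /proc and the readlink(1) utility.

# Print "PID FD PATH" for every open descriptor whose target has been
# deleted. Descriptors of processes we may not inspect are skipped.
find_deleted_open_files() {
    for link in /proc/[0-9]*/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                pid=${link#/proc/}; pid=${pid%%/*}
                fd=${link##*/}
                printf '%s %s %s\n' "$pid" "$fd" "${target% (deleted)}"
                ;;
        esac
    done
}

# Copy the still-open contents of /proc/PID/fd/FD to DEST, exactly as the
# article's "cat /proc/1283/fd/2 > /var/log/messages" does. Fails if the
# descriptor link is gone, i.e. the process has exited and the data is no
# longer reachable this way.
recover_fd() {
    src="/proc/$1/fd/$2"
    if [ ! -L "$src" ]; then
        echo "$src no longer exists; the holding process has exited" >&2
        return 1
    fi
    cat "$src" > "$3"
}

# Stand-alone use: pass --list to see candidates, or "PID FD DEST" to copy
# one of them out before the holding process exits.
if [ "${1:-}" = "--list" ]; then
    find_deleted_open_files
elif [ "$#" -eq 3 ]; then
    recover_fd "$@"
fi
```

Copy the file out while the process still holds it; once the process exits, the descriptor link disappears and the data is gone with it.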

Practical commands

lsof `which httpd`           // which processes are using the apache executable
lsof /etc/passwd             // which processes are using /etc/passwd
lsof /dev/hda6               // which processes are using hda6
lsof /dev/cdrom              // which processes are using the CD-ROM
lsof -c sendmail             // see the file usage of the sendmail process
lsof -c courier -u ^zahn     // show the files opened by processes whose command begins with courier, but not those belonging to user zahn
lsof -p 30297                // show the files opened by the process with pid 30297
lsof +D /tmp                 // show all files opened under the /tmp directory and the processes holding them; symbolic-link files are not listed
lsof -u1000                  // view the file usage of processes of the user with uid 1000
lsof -utony                  // view the file usage of user tony's processes
lsof -u^tony                 // view the file usage of processes not belonging to user tony (^ means negation)
lsof -i                      // show all open ports
lsof -i:80                   // show all processes with port 80 open
lsof -i -U                   // show all open ports and UNIX domain files
lsof -i [email protected][url]     // show which processes have opened UDP connections to port 123 (ntp)
lsof -i [email protected]:ftp -r   // keep watching the current ftp connections (-r: lsof repeats forever until it receives an interrupt; +r: lsof repeats until no files are listed; the default refresh interval is 15s)
lsof -i [email protected]:ftp -n   // -n makes lsof not convert IP addresses to hostnames; the default is without -n