lsof(list open files) Is a list of the current system open file tools . stay linux In the environment , Everything exists in the form of documents , Files provide more than just regular data access , You can also access network connections and hardware . So transmission control protocol (TCP) And user datagram protocol (UDP) Socket, etc , The system assigns a file descriptor to the application in the background , Whatever the nature of the document , This file descriptor provides a common interface between the application and the underlying operating system . Because the descriptor list of the application open file provides a lot of information about the application itself , So by lsof It will be helpful for system monitoring and troubleshooting if the tool can view this list .
Enter... At the terminal lsof The file opened by the system will be displayed , because lsof Need to access core memory and various files , So we must use root Only by running it as a user can it give full play to its functions .
Direct input lsof Part of the output is :
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 8,1 4096 2 /init 1 root rtd DIR 8,1 4096 2 /init 1 root txt REG 8,1 150584 654127 /sbin/init udevd 415 root 0u CHR 1,3 0t0 6254 /dev/null udevd 415 root 1u CHR 1,3 0t0 6254 /dev/null udevd 415 root 2u CHR 1,3 0t0 6254 /dev/null udevd 690 root mem REG 8,1 51736 302589 /lib/x86_64-linux-gnu/libnss_files-2.13.so syslogd 1246 syslog 2w REG 8,1 10187 245418 /var/log/auth.log syslogd 1246 syslog 3w REG 8,1 10118 245342 /var/log/syslog dd 1271 root 0r REG 0,3 0 4026532038 /proc/kmsg dd 1271 root 1w FIFO 0,15 0t0 409 /run/klogd/kmsg dd 1271 root 2u CHR 1,3 0t0 6254 /dev/null
Each line shows an open file , If no condition is specified, all files opened by all processes will be displayed by default .
lsof The meaning of the output column information is as follows ：
COMMAND： The name of the process PID： Process identifier
USER： Process owner
FD： File descriptor , The application identifies the file by the file descriptor . Such as cwd、txt etc. TYPE： file type , Such as DIR、REG etc.
DEVICE： Specify the name of the disk
SIZE： File size
NODE： The index node （ The identity of the file on disk ）
NAME： Open the exact name of the file
FD File descriptor in column cwd The value represents the current working directory of the application , This is the directory where the application starts , Unless it changes the directory itself ,txt Type files are program code , Such as application binaries themselves or shared libraries , As shown in the above list /sbin/init Program .
Second, the numeric value represents the file descriptor of the application , This is an integer returned when the file is opened . The last line above /dev/initctl, Its file descriptor is 10.u Indicates that the file has been opened and is being read / Write mode , Not read-only Or just write (w) Pattern . There's also capital letters Of W Indicates that the application has a write lock on the entire file . This file descriptor is used to ensure that only one application instance can be opened at a time . When you initially open each application , All have three file descriptors , from 0 To 2, They represent standard input 、 Output and error flow . So most applications open files for FD from 3 Start .
And FD Compared with ,Type Columns are more intuitive . Files and directories are called REG and DIR. and CHR and BLK, Represent character and block devices respectively ; perhaps UNIX、FIFO and IPv4, respectively UNIX Domain socket 、 fifo (FIFO) Queues and Internet protocols (IP) Socket .
lsof The syntax is ：
lsof ［options］ filename
lsof abc.txt Show open file abc.txt The process of lsof -c abc Show abc The process now opens the file lsof -c -p 1234 List the process number as 1234 The file opened by the process lsof -g gid Show belonging gid The progress of lsof +d /usr/local/ Displays the files opened by the process in the directory lsof +D /usr/local/ ditto , But will search the directory under the directory , Longer time lsof -d 4 Display and use fd by 4 The process of lsof -i To show the progress that meets the conditions lsof -i [protocol][@hostname|hostaddr][:service|port] 46 --> IPv4 or IPv6 protocol --> TCP or UDP hostname --> Internet host name hostaddr --> IPv4 Address service --> /etc/service Medium service name ( There can be more than one ) port --> Port number ( There can be more than one )
Find out who's using the file system
When uninstalling the file system , If there are any open files in the file system , Operations usually fail . Then through the lsof You can find out which processes are using the file system you are currently uninstalling , as follows ：
lsof /GTES11/COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME bash 4208 root cwd DIR 3,1 4096 2 /GTES11/vim 4230 root cwd DIR 3,1 4096 2 /GTES11/
In this example , user root In its process /GTES11 Do something in the directory . One bash Yes, the instance is running , And its current directory is /GTES11, The other shows vim Editing /GTES11 The files under the . To successfully uninstall /GTES11, It should be after notifying the user to make sure things are OK , Stop these processes . This example shows that the current working directory of an application is very important , Because it still keeps the file resources , And it can prevent the file system from being unloaded . That's why most daemons （ Background processes ） Change their directory to root 、 Or service specific directory （ Such as sendmail In the example /var/spool/mqueue） Why , To prevent the daemons from blocking the uninstall of unrelated file systems .
Restore deleted files
When Linux Computers are affected by *** when , A common situation is that the log file is deleted , To cover up *** The trail of the dead . Management errors can also cause unexpected deletion of important files , For example, when cleaning up old logs , Accidentally deleted the active transaction log of the database . Sometimes through lsof To recover these files .
When a process opens a file , As long as the process keeps the file open , Even if you delete it , It still exists on disk . It means , The process does not know that the file has been deleted , It can still read and write to the file descriptor provided to it when the file is opened . In addition to the process , This file is not visible , Because its corresponding directory index node has been dropped .
stay /proc Under the table of contents , It contains various files that reflect the kernel and process tree ./proc The directory mounts an area that is mapped in memory , So these files and directories do not exist on disk , So when we read and write these files , You're actually getting relevant information from memory . Most and lsof Relevant information is stored in the process PID In the named Directory , namely /proc/1234 It contains PID by 1234 Information about the progress of . There are various files in each process Directory , They make it easy for an application to understand the memory space of a process 、 List of file descriptors 、 Symbolic links to files on disk and other system information .lsof The program uses this information and other information about the internal state of the kernel to produce its output . therefore lsof Information such as the file descriptor of the process and the associated file name can be displayed . That is to say, we can find the relevant information of the file by accessing the file descriptor of the process .
When a file in the system is accidentally deleted , As long as there are processes in the system accessing the file , Then we can go through lsof from /proc Restore the contents of the file under the directory . If due to misoperation will /var/log/messages The file has been deleted , Then I will /var/log/messages The method of file recovery is as follows ：
use first lsof To see if a process is currently open /var/logmessages file , as follows ：
# lsof |grep /var/log/messagessyslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)
As you can see from the information above PID 1283（syslogd） The file descriptor of the open file is 2. At the same time, you can see /var/log/messages The tag has been removed . So we can /proc/1283/fd/2 （fd Each file named with a number under represents the file descriptor corresponding to the process ） View the corresponding information in , as follows ：
# head -n 10 /proc/1283/fd/2Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.Aug 4 13:50:15 holmes86 kernel: Linux version 22.214.171.124-8 ([email protected]) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007 Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map: Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000000000 - 000000000009f000 (usable) Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved) Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable) Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved) Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000e0000000 - 00000000f0007000 (reserved) Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)
As can be seen from the above information , see /proc/8663/fd/15 You can get the data you want to recover . If you can view the corresponding data through the file descriptor , Then you can use it I/O Redirect to copy it to a file , Such as :
cat /proc/1283/fd/2 > /var/log/messages
For many applications , Especially log files and databases , This method of recovering deleted files is very useful .
lsof `which httpd` // That process is using apache The executable of lsof /etc/passwd // That process is taking up /etc/passwdlsof /dev/hda6 // That process is taking up hda6lsof /dev/cdrom // That process is using the CD-ROM lsof -c sendmail // see sendmail Process file usage lsof -c courier -u ^zahn // It shows that those files are courier The leading process opens up , But it doesn't belong to the user zahnlsof -p 30297 // Show those files are pid by 30297 The process of opening lsof -D /tmp Show all in /tmp Open in the folder instance And file process . however symbol The file is not in the column lsof -u1000 // see uid yes 100 File usage of the user's process lsof -utony // To view the user tony File usage of the process lsof -u^tony // View is not a user tony File usage of the process (^ It means taking the opposite )lsof -i // Show all open ports lsof -i:80 // Show all open 80 Port process lsof -i -U // Displays all open ports and UNIX domain file lsof -i [email protected][url]www.akadia.com:123 // Show which processes are open to www.akadia.com Of UDP Of 123(ntp) Links to ports lsof -i [email protected]:ftp -r // Keep looking at the present ftp Connection (-r,lsof It will be carried out forever , Until an interrupt is received ,+r,lsof Will always carry out , Until no files are displayed , The default is 15s Refresh )lsof -i [email protected]:ftp -n //lsof -n Will not IP Convert to hostname, The default is not to add -n Parameters