Linux uses lsof command to check file opening status

Preface

We all know that in Linux, "everything is a file", so sometimes it is particularly important to check the opening status of files. Here is a command that can help us well in this matter - it is lsof.

What files are there under Linux

Before introducing the lsof command, let's briefly talk about the main files in Linux:

• Ordinary files
• Table of contents
• Symbolic Links
• Block-oriented device files
• Character-oriented device files
• Pipes and named pipes
• Sockets

The above file types are not introduced in detail.

Introduction to practical usage of lsof command

lsof is the abbreviation of list open files. It has many parameters, but we only introduce some practical uses here (note that some cases require root privileges to execute).

View all currently opened files

Generally speaking, directly entering the lsof command generates too many results, and it may be difficult to find the information we need. However, let me take this opportunity to explain what information a record contains.

$ lsof (select a record to display here)
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
vi 27940 hyb 7u REG 8,15 16384 137573 /home/hyb/.1.txt.swp

The results displayed by lsof represent, from left to right: the name of the program that opens the file, process ID, user, file descriptor, file type, device, size, iNode number, and file name.

Let's focus on the columns we know for now. This record indicates that the vi program with process ID 27940 has opened the regular file (REG regular file).1.txt.swap in the /home/hyb directory with a file description value of 7 and is in read-write state. The current size is 16384 bytes.

List deleted files that are occupying space

In a production environment, we may use the df command to see that the disk space is full, but it is actually difficult to find the file that fills up the space. This is often because a large file has been deleted, but it is opened by a process, resulting in its trace not being found through ordinary means, the most common of which is log files. We can find such files through lsof:

$ lsof |grep deleted
Xorg 1131 root 125u REG 0,5 4 61026 /memfd:xshmfence (deleted)
Xorg 1131 root 126u REG 0,5 4 62913 /memfd:xshmfence (deleted)
Xorg 1131 root 129u REG 0,5 4 74609 /memfd:xshmfence (deleted)

You can see that these deleted but still open files will be marked as deleted when they are finally found. At this time, you can analyze according to the actual situation, which files may be too large but have been deleted, resulting in the space still being full.

Recovering an open but deleted file

Earlier we were able to find files that were deleted but still open. In fact, the files were not really gone. If they were deleted accidentally, we still have ways to recover them. Taking the /var/log/syslog file as an example, we first delete it (root user):

$ rm /var/log/syslog

Then use lsof to see which process has opened the file:

$ lsof |grep syslog
rs:main 993 1119 syslog 5w REG 8,10 78419 528470 /var/log/syslog (deleted)

We can find that the process with process ID 993 has opened the file. We know that each process has a record of file descriptor opening under /proc:

$ ls -l /proc/993/fd
lr-x------ 1 root root 64 March 5 18:30 0 -> /dev/null
l-wx------ 1 root root 64 March 5 18:30 1 -> /dev/null
l-wx------ 1 root root 64 March 5 18:30 2 -> /dev/null
lrwx------ 1 root root 64 March 5 18:30 3 -> socket:[15032]
lr-x------ 1 root root 64 March 5 18:30 4 -> /proc/kmsg
l-wx------ 1 root root 64 March 5 18:30 5 -> /var/log/syslog (deleted)
l-wx------ 1 root root 64 March 5 18:30 6 -> /var/log/auth.log

Here we find the deleted syslog file, the file descriptor is 5, we redirect it out:

$ cat /proc/993/fd/5 > syslog
$ ls -al /var/log/syslog
-rw-r--r-- 1 root root 78493 Mar 5 19:22 /var/log/syslog

In this way we have restored the syslog file.

Check which processes have opened the current file

In Windows, you often encounter the situation where you want to delete a file, and then it tells you that a program is using it, but it does not tell you which program it is. We can search for files in Resource Manager-Performance-Resource Monitor-cpu-associated handle to find the program that opens the file, but the search speed is slow.

Linux is relatively easy, just use the lsof command. For example, to see which programs currently open hello.c:

$ lsof hello.c
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tail 28731 hyb 3r REG 8,15 228 138441 hello.c

But we will find that hello.c opened with vi is not found, this is because vi opens a temporary copy. Let’s search in another way:

$ lsof |grep hello.c
tail 28906 hyb 3r REG 8,15 228 138441 /home/hyb/workspaces/c/hello.c
vi 28933 hyb 9u REG 8,15 12288 137573 /home/hyb/workspaces/c/.hello.c.swp

In this way, we found two programs related to the hello.c file.

The role of grep here is to list only the results that meet the conditions from all the results.

Check if a directory file is opened

$ lsof +D ./

Check which files are opened by the current process

Usage: lsof -c process name

It is usually used to locate program problems, such as to see which libraries the current process uses, which files are opened, and so on. Suppose there is a hello program that prints characters in a loop:

$ lsof -c hello
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
hello 29190 hyb cwd DIR 8,15 4096 134538 /home/hyb/workspaces/c
hello 29190 hyb rtd DIR 8,10 4096 2 /
hello 29190 hyb txt REG 8,15 9816 138314 /home/hyb/workspaces/c/hello
hello 29190 hyb mem REG 8,10 1868984 939763 /lib/x86_64-linux-gnu/libc-2.23.so
hello 29190 hyb mem REG 8,10 162632 926913 /lib/x86_64-linux-gnu/ld-2.23.so
hello 29190 hyb 0u CHR 136,20 0t0 23 /dev/pts/20
hello 29190 hyb 1u CHR 136,20 0t0 23 /dev/pts/20
hello 29190 hyb 2u CHR 136,20 0t0 23 /dev/pts/20

We can see from this that at least it uses /lib/x86_64-linux-gnu/libc-2.23.so and the hello file.

You can also view it by process ID, and you can use multiple process IDs separated by commas:

$ lsof -p 29190
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
hello 29190 hyb cwd DIR 8,15 4096 134538 /home/hyb/workspaces/c
hello 29190 hyb rtd DIR 8,10 4096 2 /
hello 29190 hyb txt REG 8,15 9816 138314 /home/hyb/workspaces/c/hello
hello 29190 hyb mem REG 8,10 1868984 939763 /lib/x86_64-linux-gnu/libc-2.23.so
hello 29190 hyb mem REG 8,10 162632 926913 /lib/x86_64-linux-gnu/ld-2.23.so
hello 29190 hyb 0u CHR 136,20 0t0 23 /dev/pts/20
hello 29190 hyb 1u CHR 136,20 0t0 23 /dev/pts/20
hello 29190 hyb 2u CHR 136,20 0t0 23 /dev/pts/20

Of course, there is another way, which is to use the proc file system to first find the process id of the hello process:

$ ps -ef | grep hello
hyb 29190 27929 0 21:14 pts/20 00:00:00 ./hello 2
hyb 29296 28848 0 21:18 pts/22 00:00:00 grep --color=auto hello

You can see that the process id is 29190, and check the process file description record directory:

$ ls -l /proc/29190/fd
lrwx------ 1 hyb hyb 64 March 2 21:14 0 -> /dev/pts/20
lrwx------ 1 hyb hyb 64 March 2 21:14 1 -> /dev/pts/20
lrwx------ 1 hyb hyb 64 March 2 21:14 2 -> /dev/pts/20

This method can filter a lot of information because it only lists what the process actually opened. Here it only opens 0, 1, and 2, namely standard input, standard output, and standard error.

Check whether a port is occupied

When using a database or enabling a web service, you will always encounter the problem of port occupation. So how do you check whether a port is occupied?

$ lsof -i :6379
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
redis-ser 29389 hyb 6u IPv6 534612 0t0 TCP *:6379 (LISTEN)
redis-ser 29389 hyb 7u IPv4 534613 0t0 TCP *:6379 (LISTEN)

Here you can see that the redis-ser process occupies port 6379.

View all TCP/UDP connections

$ lsof -i tcp
ava 2534 hyb 6u IPv6 31275 0t0 TCP localhost:9614 (LISTEN)
java 2534 hyb 22u IPv6 96922 0t0 TCP localhost:9614->localhost:39004 (ESTABLISHED)
java 2534 hyb 23u IPv6 249588 0t0 TCP localhost:9614->localhost:45460 (ESTABLISHED)

Of course we can also use the netstat command.

$ netstat -anp | grep 6379

The -i parameter here can be followed by multiple conditions:

• -i 4 #ipv4 address
• -i 6 #ipv6 address
• -i tcp #tcp connection
• -i :3306 #Port
• -i @ip #ip address

Therefore, if you need to view the connection established with a certain IP address, you can use the following method:

$ lsof [email protected]

See which files a user has opened

Linux is a multi-user operating system. How do you know which files are opened by other ordinary users? You can use the -u parameter

$ lsof -u hyb
(Too much content, omitted)

List all files opened except for a certain process or a certain user

In fact, it is similar to the previous usage, except that ^ is added in front of the process ID or the user name, for example:

lsof -p ^1 #List all files opened except for the process with process id 1 lsof -u ^root #List all files opened except for the root user

Summarize

The above introduction is based on one condition. In fact, multiple conditions can be combined. For example, to list the TCP socket files opened by the process with process ID 1:

lsof -p 1 -i tcp

There are many lsof parameters, and you can use the man command to view the specific ones, but for us, knowing these practical basics is enough.

Well, the above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. If you have any questions, you can leave a message to communicate. Thank you for your support of 123WORDPRESS.COM.

Author of this article: Watch this article link: https://www.yanbinghu.com/2019/03/05/61180.html
Copyright Statement: This article is an original article, the copyright belongs to Shouwang, and it adopts the CC BY-NC-SA 3.0 license agreement. Please contact me if you want to reprint!