Restoring deleted files on Linux with the lsof command

  • 2020-05-15 03:24:06
  • OfStack

lsof command

The lsof command lists the files a process has open, the processes that have a given file open, and the ports (TCP, UDP) a process has opened. It can also be used to retrieve or restore deleted files. Because lsof needs access to kernel memory and to many files, it must be run as root.

In a Linux environment everything is presented as a file, which gives uniform access not only to ordinary data but also to network connections and hardware. When an application opens a transmission control protocol (TCP) or user datagram protocol (UDP) socket, for example, the system assigns it a file descriptor behind the scenes. Whatever the nature of the file, the file descriptor provides a common interface between the application and the underlying operating system. Because the list of files an application has open reveals a great deal about the application itself, being able to view that list with the lsof tool is very helpful for system monitoring and troubleshooting.

Syntax

lsof [options]

Options

-a: list processes for which the open file exists;

-c <process>: list the files opened by the named process;

-g: list files opened by processes with the given GID;

-d <fd number>: list the processes holding the given file descriptor number;

+d <directory>: list the files opened in the directory;

+D <directory>: recursively list the files opened in the directory and its subdirectories;

-n <directory>: list files using NFS;

-i <condition>: list the processes matching the condition (4, 6, protocol, :port, @ip);

-p <process number>: list the files opened by the given process ID;

-u: list files opened by processes with the given UID;

-h: display help information;

-v: display version information.

Usage

Viewing which processes use a port

lsof -i shows which processes are using a port, for example port 22:

shell> lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd  1939 root 3u IPv4 12317  0t0 TCP *:ssh (LISTEN)
sshd  1939 root 4u IPv6 12321  0t0 TCP *:ssh (LISTEN)
sshd  2790 root 3u IPv4 15229  0t0 TCP 192.168.178.128:ssh->192.168.178.1:64601 (ESTABLISHED)
sshd  2824 root 3u IPv4 15528  0t0 TCP 192.168.178.128:ssh->192.168.178.1:64673 (ESTABLISHED)
sshd  2990 root 3u IPv4 15984  0t0 TCP 192.168.178.128:ssh->192.168.178.1:64686 (ESTABLISHED)
sshd 14695 root 3u IPv4 39558  0t0 TCP 192.168.178.128:ssh->192.168.178.1:49662 (ESTABLISHED)

The meaning of each column in the lsof output is as follows:

COMMAND: name of the process
PID: process identifier
USER: process owner
FD: file descriptor through which the application refers to the file, or a special value such as cwd or txt
TYPE: file type, such as DIR or REG
DEVICE: device the file resides on
SIZE/OFF: file size or offset
NODE: inode number (the file's identifier on disk)
NAME: the exact name of the opened file

Restoring files

Some system log files can be recovered with lsof as long as the process that has them open still exists. The example below uses /var/log/messages, the most common case; when you try this yourself, make a backup first.

# Back up first
shell> cp /var/log/messages /var/log/message_bac
shell> lsof |grep /var/log/message
rsyslogd 1737  root 1w  REG    8,2 5716123  652638 /var/log/messages

The process is still running, so now delete /var/log/messages:

shell> rm /var/log/messages

Now that the file is gone, look at the process again:

shell> lsof |grep /var/log/messages
rsyslogd 1737  root 1w  REG    8,2 5716123  652638 /var/log/messages (deleted)

Compare the two outputs: the only difference is that the entry is now marked (deleted). So where is the file now, and how can it be read?

lsof reported PID 1737 and FD 1, so go straight to /proc/1737/fd/ and inspect entry 1 with ll (ls -l):

shell> cd /proc/1737/fd/
shell> ll

total 0
lrwx------ 1 root root 64 Dec 23 13:00 0 -> socket:[11442]
l-wx------ 1 root root 64 Dec 23 13:00 1 -> /var/log/messages (deleted)
l-wx------ 1 root root 64 Dec 23 13:00 2 -> /var/log/secure
lr-x------ 1 root root 64 Dec 23 13:00 3 -> /proc/kmsg
l-wx------ 1 root root 64 Dec 23 13:00 4 -> /var/log/maillog

Entry 1 points to /var/log/messages (deleted). Check whether its contents are the file we want:

shell> head -5 1
Nov 14 03:11:11 localhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Nov 14 03:11:11 localhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1241" x-info="http://www.rsyslog.com"] start
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpuset
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpu
Nov 14 03:11:11 localhost kernel: Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.CentOS.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013

Compare with the backup file:

shell> head -5 /var/log/message_bac
Nov 14 03:11:11 localhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Nov 14 03:11:11 localhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1241" x-info="http://www.rsyslog.com"] start
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpuset
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpu
Nov 14 03:11:11 localhost kernel: Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013

The contents match, so restore the file:

shell> cat 1 > /var/log/messages

Once again, recovery only works while the process holding the file open still exists.
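The procedure above, scripted as an added example that is not code from the original article: it walks /proc/<PID>/fd directly instead of calling lsof, lists every descriptor the kernel marks (deleted), and copies one back out only after checking that it really is a deleted file. The function names list_deleted and recover_fd are my own.

```shell
#!/bin/sh
# Added example, not code from the original article: the /proc/PID/fd
# trick the article performs by hand, scripted so it does not need lsof.

# list_deleted scans every readable /proc/<pid>/fd entry and prints
# "PID FD PATH" for each descriptor whose target is marked "(deleted)".
list_deleted() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${fd#/proc/}; pid=${pid%%/*}
                path=${target%" (deleted)"}
                printf '%s %s %s\n' "$pid" "${fd##*/}" "$path"
                ;;
        esac
    done
}

# recover_fd PID FD DEST copies the still-open data out through the /proc
# symlink (the article's "cat 1 > /var/log/messages"), but refuses unless
# the descriptor really points at a deleted file, so a typo in PID or FD
# cannot overwrite DEST with some unrelated file's contents.
recover_fd() {
    src="/proc/$1/fd/$2"
    case "$(readlink "$src" 2>/dev/null)" in
        *" (deleted)") ;;
        *) echo "$src does not point at a deleted file" >&2; return 1 ;;
    esac
    # cat reopens the inode via /proc, so this works even when the process
    # holds the file write-only (FD "1w" in the article's lsof output).
    cat "$src" > "$3"
}

# With no arguments, list deleted-but-open files; with PID FD DEST, recover one.
if [ "$#" -eq 3 ]; then
    recover_fd "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
    list_deleted
fi
```

Run it as root to see every process; an unprivileged user only sees the descriptors of processes they own.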

Conclusion

That is the whole content of this article. I hope it is of some help to your study or work; if you have questions, please leave a comment.
