Linux restores the lsof command to delete files
- 2020-05-15 03:24:06
- OfStack
lsof command
The lsof command is used to view the file that your process started, open the file's process, and the port that the process opened (TCP, UDP). Retrieve/restore deleted files. The lsof command requires access to core memory and various files, so it needs to be executed by root users.
In the linux environment, everything is in the form of a file, which allows access not only to regular data, but also to network connections and hardware. So, for example, transmission control protocol (TCP) and user datagram protocol (UDP) sockets, the system assigns a file descriptor to the application in the background. Whatever the nature of the file, the file descriptor provides a common interface between the application and the underlying operating system. Because the list of descriptors for an application's open file provides a lot of information about the application itself, it would be helpful for system monitoring and troubleshooting to be able to view this list through the lsof tool.
grammar
lsof (option)
parameter
-a: lists the processes in which the open file exists;
-c
<
The process of
>
: lists the files opened by the specified process;
-g: details of GID process;
-d
<
The file no.
>
: lists the processes that occupy the file number;
+d
<
directory
>
: lists the files opened in the directory;
+D
<
directory
>
: recursively lists the files opened in the directory;
-n
<
directory
>
: lists files using NFS;
-i
<
conditions
>
: lists the eligible processes. (4, 6, protocol, : port, @ip)
-p
<
Process of no.
>
: lists the files opened by the specified process number;
-u: details of UID process;
-h: display help information;
-v: display version information.
use
To view
lsof -i
Check which processes are accessing the port, such as port 22
shell> lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1939 root 3u IPv4 12317 0t0 TCP *:ssh (LISTEN)
sshd 1939 root 4u IPv6 12321 0t0 TCP *:ssh (LISTEN)
sshd 2790 root 3u IPv4 15229 0t0 TCP 192.168.178.128:ssh->192.168.178.1:64601 (ESTABLISHED)
sshd 2824 root 3u IPv4 15528 0t0 TCP 192.168.178.128:ssh->192.168.178.1:64673 (ESTABLISHED)
sshd 2990 root 3u IPv4 15984 0t0 TCP 192.168.178.128:ssh->192.168.178.1:64686 (ESTABLISHED)
sshd 14695 root 3u IPv4 39558 0t0 TCP 192.168.178.128:ssh->192.168.178.1:49662 (ESTABLISHED)
The meaning of lsof output column information is as follows:
COMMAND: name of the process PID: process identifier USER: process owner FD: file descriptor by which the application identifies the file. Such as cwd, txt, etc TYPE: file type, such as DIR, REG, etc DEVICE: specifies the name of the disk SIZE: file size NODE: node of index (file identification on disk) NAME: opens the exact name of the fileRestore files
Some system logs can be recovered using lsof if the process exists. Here is the most commonly used /var/log/messages example, when you do a test, you'd better backup 1.
# The backup
shell> cp /var/log/message /var/log/message_bac
http://embeddedlinux.org.cn/
shell> lsof |grep /var/log/message
rsyslogd 1737 root 1w REG 8,2 5716123 652638 /var/log/messages
The process is running, so I'm going to delete /var/log/messages
shell> rm /var/log/messages
So once I get rid of that, let me see what happens to this process
shell> lsof |grep /var/log/messages
rsyslogd 1737 root 1w REG 8,2 5716123 652638 /var/log/messages (deleted)
You see the change, you see more when you compare the two (deleted). Where do I find this file and look at this
PID:1737 FD:1 then we have to go directly to /proc/1737/FD/1 and check 1 with ll
shell> cd /proc/1737/fd/
shell> ll
total 0
lrwx------ 1 root root 64 Dec 23 13:00 0 -> socket:[11442]
l-wx------ 1 root root 64 Dec 23 13:00 1 -> /var/log/messages (deleted)
l-wx------ 1 root root 64 Dec 23 13:00 2 -> /var/log/secure
lr-x------ 1 root root 64 Dec 23 13:00 3 -> /proc/kmsg
l-wx------ 1 root root 64 Dec 23 13:00 4 -> /var/log/maillog
We see that 1 corresponds to /var/log/messages (deleted), let's see if the file is the file we want:
shell> head -5 1
Nov 14 03:11:11 localhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Nov 14 03:11:11 localhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1241" x-info="http://www.rsyslog.com"] start
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpuset
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpu
Nov 14 03:11:11 localhost kernel: Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.CentOS.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013
Compare backup files:
shell> head -5 /var/log/message_bac
Nov 14 03:11:11 localhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Nov 14 03:11:11 localhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1241" x-info="http://www.rsyslog.com"] start
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpuset
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpu
Nov 14 03:11:11 localhost kernel: Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013
Comparison found that the data is 1, restore
shell> cat 1 > /var/log/messages
Again, recovery requires that the process exist.
conclusion
The above is the whole content of this article, I hope the content of this article to your study or work can bring 1 definite help, if you have questions you can leave a message to communicate.