lsof 定位文件被哪个程序打开以及恢复误删除文件的方法

lsof 查看文件被哪个进程打开

#lsof 列出当前所有打开的文件
[root@centos8 ~]#lsof|head
COMMAND   PID TID TASKCMD     USER   FD     TYPE             DEVICE SIZE/OFF      NODE NAME
systemd      1                   root cwd       DIR                8,2      279       128 /
systemd      1                   root rtd       DIR                8,2      279       128 /
systemd      1                   root txt       REG                8,2  1567768    218104 /usr/lib/systemd/systemd
systemd      1                   root mem       REG                8,2  2714928  67121853 /usr/lib64/libm-2.28.so
systemd      1                   root mem       REG                8,2   628592  67512196 /usr/lib64/libudev.so.1.6.11
systemd      1                   root mem       REG                8,2   969832  67137579 /usr/lib64/libsepol.so.1
systemd      1                   root mem       REG                8,2  1805368  67183626 /usr/lib64/libunistring.so.2.1.0
systemd      1                   root mem       REG                8,2   355456  67206701 /usr/lib64/libpcap.so.1.9.0
systemd      1                   root mem       REG                8,2   145984  67137598 /usr/lib64/libgpg-error.so.0.24.2

#查看当前哪个进程正在使用此文件
[root@centos8 ~]#lsof /var/log/messages
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
rsyslogd 915 root   5w   REG    8,2  1419936 134802547 /var/log/messages

#查看由登录用户启动而非系统启动的进程(列出打开当前终端设备的进程)
lsof /dev/pts/1
[root@centos8 ~]#lsof `tty`
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    1163 root   0u   CHR  136,0     0t0    3 /dev/pts/0
bash    1163 root   1u   CHR  136,0     0t0    3 /dev/pts/0
bash    1163 root   2u   CHR  136,0     0t0    3 /dev/pts/0
bash    1163 root 255u   CHR  136,0     0t0    3 /dev/pts/0
lsof    1651 root   0u   CHR  136,0     0t0    3 /dev/pts/0
lsof    1651 root   1u   CHR  136,0     0t0    3 /dev/pts/0
lsof    1651 root   2u   CHR  136,0     0t0    3 /dev/pts/0

#指定进程号,可以查看该进程打开的文件
lsof -p 9527

[root@centos8 ~]#lsof -p `pidof bc`
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
bc      1929 root cwd   DIR    8,2      286 201326721 /root
bc      1929 root rtd   DIR    8,2     4096       128 /
bc      1929 root txt   REG    8,2    97256 201784353 /usr/bin/bc
bc      1929 root mem   REG    8,2    28784    171116 /usr/lib64/libdl-2.28.so
bc      1929 root mem   REG    8,2  3201344    171114 /usr/lib64/libc-2.28.so
bc      1929 root mem   REG    8,2   208616    171019 /usr/lib64/libtinfo.so.6.1
bc      1929 root mem   REG    8,2   216912    171009 /usr/lib64/libncurses.so.6.1
bc      1929 root mem   REG    8,2   338648    232638 /usr/lib64/libreadline.so.7.0
bc      1929 root mem   REG    8,2   243520    171107 /usr/lib64/ld-2.28.so
bc      1929 root mem   REG    8,2   337024 134631849 /usr/lib/locale/en_US.utf8/LC_CTYPE
bc      1929 root mem   REG    8,2    26398  67337760 /usr/lib64/gconv/gconvmodules.cache
bc      1929 root   0u   CHR  136,0     0t0         3 /dev/pts/0
bc      1929 root   1u   CHR  136,0     0t0         3 /dev/pts/0
bc      1929 root   2u   CHR  136,0     0t0         3 /dev/pts/0

#查看指定程序打开的文件
lsof -c httpd

[root@centos8 ~]#lsof -c bc
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
bc      1929 root cwd   DIR    8,2      286 201326721 /root
bc      1929 root rtd   DIR    8,2     4096       128 /
bc      1929 root txt   REG    8,2    97256 201784353 /usr/bin/bc
bc      1929 root mem   REG    8,2    28784    171116 /usr/lib64/libdl-2.28.so
bc      1929 root mem   REG    8,2  3201344    171114 /usr/lib64/libc-2.28.so
bc      1929 root mem   REG    8,2   208616    171019 /usr/lib64/libtinfo.so.6.1
bc      1929 root mem   REG    8,2   216912    171009 /usr/lib64/libncurses.so.6.1
bc      1929 root mem   REG    8,2   338648    232638 /usr/lib64/libreadline.so.7.0
bc      1929 root mem   REG    8,2   243520    171107 /usr/lib64/ld-2.28.so
bc      1929 root mem   REG    8,2   337024 134631849 /usr/lib/locale/en_US.utf8/LC_CTYPE
bc      1929 root mem   REG    8,2    26398  67337760 /usr/lib64/gconv/gconvmodules.cache
bc      1929 root   0u   CHR  136,0     0t0         3 /dev/pts/0
bc      1929 root   1u   CHR  136,0     0t0         3 /dev/pts/0
bc      1929 root   2u   CHR  136,0     0t0         3 /dev/pts/0

#查看指定用户打开的文件
lsof -u root | more

#查看指定目录下被打开的文件:参数+D为递归列出该目录及其子目录下被打开的文件,参数+d只列出该目录下一层被打开的文件
lsof +D /var/log/
lsof +d /var/log/

#查看所有网络连接,通过参数-i查看网络连接的情况,包括连接的ip、端口等以及一些服务的连接情况,例如:sshd等。也可以通过指定ip查看该ip的网络连接情况
lsof -i -n
lsof -i@127.0.0.1

#查看端口连接情况,通过参数-i:端口可以查看端口的占用情况,-i参数还有查看协议,ip的连接情况等
lsof -i :80 -n

#查看指定进程打开的网络连接,参数-i、-a、-p等,-i查看网络连接情况,-a查看存在的进程,-p指定进程
lsof -i -n -a -p 9527

#查看指定状态的网络连接:-n 不解析主机名(no host names),-P 不解析端口名(no port names),-i TCP 指定协议,-s 指定协议状态。通过组合多个参数可以清晰地查看网络连接、协议连接等情况
lsof -n -P -i TCP -s TCP:ESTABLISHED

lsof恢复误删除文件

可以恢复的前提是这个文件仍被某个程序打开。例如 nginx 的配置文件 nginx.conf 被误删除,此时 nginx 仍在运行,其进程仍然持有 nginx.conf 的文件描述符,并且 nginx 进程没有被重启或结束

lsof查看正在被打开的文件列表
[root@localhost ~]# lsof
nginx     67773         root  mem       REG       8,2     16360       3661 /usr/lib64/libXau.so.6.0.0
nginx     67773         root  mem       REG       8,2     52312       3649 /usr/lib64/libjbig.so.2.1
nginx     67773         root  mem       REG       8,2    170216       3711 /usr/lib64/libxcb.so.1.1.0
nginx     67773         root  mem       REG       8,2     73008       1852 /usr/lib64/libbz2.so.1.0.6
nginx     67773         root  mem       REG       8,2     33480       1889 /usr/lib64/libuuid.so.1.3.0
nginx     67773         root  mem       REG       8,2    248216       1916 /usr/lib64/libexpat.so.1.6.7
nginx     67773         root  mem       REG       8,2    450824       3826 /usr/lib64/libwebp.so.7.0.2
nginx     67773         root  mem       REG       8,2    501640       3653 /usr/lib64/libtiff.so.5.3.0
nginx     67773         root  mem       REG       8,2   1339872       3713 /usr/lib64/libX11.so.6.3.0
nginx     67773         root  mem       REG       8,2     78736       3732 /usr/lib64/libXpm.so.4.11.0
nginx     67773         root  mem       REG       8,2    433680       2084 /usr/lib64/libjpeg.so.62.2.0
nginx     67773         root  mem       REG       8,2    782968       2032 /usr/lib64/libfreetype.so.6.16.1
nginx     67773         root  mem       REG       8,2    289648     424247 /usr/lib64/libfontconfig.so.1.12.0
nginx     67773         root    1u      CHR       1,3       0t0       2059 /dev/null

#tail命令打开文件
[root@localhost ~]# tail -F /var/log/messages
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3609] device (eth1): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3613] device (eth1): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3618] device (eth2): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3621] device (eth2): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3626] device (eth1): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3629] dhcp4 (eth1): activation: beginning transaction (timeout in 45 seconds)
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3639] device (eth2): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3641] dhcp4 (eth2): activation: beginning transaction (timeout in 45 seconds)
Apr 12 11:11:00 localhost systemd[1]: Started Session 20 of user root.
Apr 12 11:11:00 localhost systemd-logind[895]: New session 20 of user root.

#lsof检查
[root@localhost ~]# lsof|grep tail
tail      69425                   root  cwd       DIR                8,2      4096   67158145 /root
tail      69425                   root  rtd       DIR                8,2      4096        128 /
tail      69425                   root  txt       REG                8,2     76120  101088713 /usr/bin/tail
tail      69425                   root  mem       REG                8,2   2586930       1582 /usr/lib/locale/en_US.utf8/LC_COLLATE
tail      69425                   root  mem       REG                8,2   3168120       1612 /usr/lib64/libc-2.28.so
tail      69425                   root  mem       REG                8,2    278432       1605 /usr/lib64/ld-2.28.so
tail      69425                   root  mem       REG                8,2    337024       1583 /usr/lib/locale/en_US.utf8/LC_CTYPE
tail      69425                   root  mem       REG                8,2        54       1586 /usr/lib/locale/en_US.utf8/LC_NUMERIC
tail      69425                   root  mem       REG                8,2      3316   33564954 /usr/lib/locale/en_US.utf8/LC_TIME
tail      69425                   root  mem       REG                8,2       286   33564952 /usr/lib/locale/en_US.utf8/LC_MONETARY
tail      69425                   root  mem       REG                8,2     26998  100665449 /usr/lib64/gconv/gconv-modules.cache
tail      69425                   root  mem       REG                8,2        57   33564964 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
tail      69425                   root  mem       REG                8,2        34  100664986 /usr/lib/locale/en_US.utf8/LC_PAPER
tail      69425                   root  mem       REG                8,2        77       1585 /usr/lib/locale/en_US.utf8/LC_NAME
tail      69425                   root  mem       REG                8,2       167   33564949 /usr/lib/locale/en_US.utf8/LC_ADDRESS
tail      69425                   root  mem       REG                8,2        59   33564953 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
tail      69425                   root  mem       REG                8,2        23   33564951 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
tail      69425                   root  mem       REG                8,2       368   33564950 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
tail      69425                   root    0u      CHR              136,1       0t0          4 /dev/pts/1
tail      69425                   root    1u      CHR              136,1       0t0          4 /dev/pts/1
tail      69425                   root    2u      CHR              136,1       0t0          4 /dev/pts/1
tail      69425                   root    3r      REG                8,2   9366338       2384 /var/log/messages  #tail命令打开的文件
tail      69425                   root    4r  a_inode               0,14         0      11339 inotify


#删除文件,但是文件被程序打开,使用lsof恢复
#tail命令打开/var/log/messages文件
root@localhost ~]# tail -F /var/log/messages
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3609] device (eth1): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3613] device (eth1): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3618] device (eth2): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3621] device (eth2): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3626] device (eth1): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3629] dhcp4 (eth1): activation: beginning transaction (timeout in 45 seconds)
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3639] device (eth2): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
Apr 12 11:10:51 localhost NetworkManager[812]: <info>  [1681269051.3641] dhcp4 (eth2): activation: beginning transaction (timeout in 45 seconds)
Apr 12 11:11:00 localhost systemd[1]: Started Session 20 of user root.
#删除文件
[root@localhost ~]# ls -l /var/log/messages
-rw-------. 1 root root 9366338 Apr 12 11:11 /var/log/messages
[root@localhost ~]# rm -f /var/log/messages
[root@localhost ~]# ls -l /var/log/messages
ls: cannot access '/var/log/messages': No such file or directory


#lsof命令找到文件,找到被删除的文件是被什么进程打开,通过进程id找到被删除的文件进行恢复
[root@localhost ~]# lsof |grep /var/log/messages
rsyslogd   1197(此为打开此文件的进程pid) root    7w      REG                8,2   9366338       2384 /var/log/messages (deleted)
rsyslogd   1197 1205 in:imjour    root    7w      REG                8,2   9366338       2384 /var/log/messages (deleted)
rsyslogd   1197 1209 rs:main      root    7w      REG                8,2   9366338       2384 /var/log/messages (deleted)

#检查,查看刚刚被删除的文件
[root@localhost ~]# ls -l /proc/1197/fd
total 0
lr-x------. 1 root root 64 Apr 12 11:10 0 -> /dev/null
l-wx------. 1 root root 64 Apr 12 11:10 1 -> /dev/null
lr-x------. 1 root root 64 Apr 12 11:10 10 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-000000000001b887-0005f90f910443ab.journal
lr-x------. 1 root root 64 Apr 12 11:10 11 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-00000000000190c2-0005f904ed8f7354.journal
lr-x------. 1 root root 64 Apr 12 11:10 12 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000016923-0005f8fa1bbb809f.journal
lr-x------. 1 root root 64 Apr 12 11:10 13 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000014183-0005f8ef5e78442a.journal
lr-x------. 1 root root 64 Apr 12 11:10 14 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-00000000000119e4-0005f8e49e85f6c4.journal
lr-x------. 1 root root 64 Apr 12 11:10 15 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-000000000000f244-0005f8d9ccb1e5a2.journal
lr-x------. 1 root root 64 Apr 12 11:10 16 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-000000000000caa8-0005f8cf0cbf5d80.journal
lr-x------. 1 root root 64 Apr 12 11:10 17 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-000000000000a308-0005f8c4383d18c8.journal
l-wx------. 1 root root 64 Apr 12 11:10 18 -> /var/log/secure
lr-x------. 1 root root 64 Apr 12 11:10 19 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000007b70-0005f8b97af94398.journal
l-wx------. 1 root root 64 Apr 12 11:10 2 -> /dev/null
lr-x------. 1 root root 64 Apr 12 11:10 20 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-00000000000053d0-0005f8aea9253014.journal
lr-x------. 1 root root 64 Apr 12 11:10 21 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000002b5f-0005f88e0083a209.journal
lr-x------. 1 root root 64 Apr 12 11:10 22 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000000001-0005f86a6b381ed8.journal
lr-x------. 1 root root 64 Apr 12 11:10 3 -> /dev/urandom
lrwx------. 1 root root 64 Apr 12 11:10 4 -> 'socket:[26917]'
l-wx------. 1 root root 64 Apr 12 11:10 5 -> /var/log/cron
lr-x------. 1 root root 64 Apr 12 11:10 6 -> anon_inode:inotify
l-wx------. 1 root root 64 Apr 12 11:10 7(打开的文件描述符) -> '/var/log/messages (deleted)'   #刚刚被删除的文件,可以看到对应的文件描述符为 7
lr-x------. 1 root root 64 Apr 12 11:10 9 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system.journal

#详细
[root@localhost ~]# ls -l /proc/1197/fd/7 
l-wx------. 1 root root 64 Apr 12 11:10 /proc/1197/fd/7 -> '/var/log/messages (deleted)'
#可以看到有文件内容
[root@localhost ~]# cat /proc/1197/fd/7|wc -l
62932
#恢复文件
[root@localhost ~]# cat /proc/1197/fd/7 >/var/log/messages
#检查文件已被成功地恢复
[root@localhost ~]# ls -l /var/log/messages
-rw-r--r--. 1 root root 9379982 Apr 12 11:19 /var/log/messages
#前提是打开该文件的程序没有关闭,关闭后就无法恢复了
#注意:恢复出的文件是重定向新建的 inode,权限变成了 0644(上面原文件为 0600),日志这类敏感文件应立即 chmod 600 并用 restorecon 恢复 SELinux 上下文;另外 rsyslogd 仍在向已删除的旧 inode 写入,需要重启(或发送 HUP 信号给)rsyslogd 让它重新打开新文件,否则后续日志不会写入恢复后的文件

 
