lsof定位文件被哪个程序打开以及对误删除文件进行恢复的方法
lsof查看文件被哪个进程打开
#lsof 列出当前所有打开的文件 [root@centos8 ~]#lsof|head COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 8,2 279 128 / systemd 1 root rtd DIR 8,2 279 128 / systemd 1 root txt REG 8,2 1567768 218104 /usr/lib/systemd/systemd systemd 1 root mem REG 8,2 2714928 67121853 /usr/lib64/libm-2.28.so systemd 1 root mem REG 8,2 628592 67512196 /usr/lib64/libudev.so.1.6.11 systemd 1 root mem REG 8,2 969832 67137579 /usr/lib64/libsepol.so.1 systemd 1 root mem REG 8,2 1805368 67183626 /usr/lib64/libunistring.so.2.1.0 systemd 1 root mem REG 8,2 355456 67206701 /usr/lib64/libpcap.so.1.9.0 systemd 1 root mem REG 8,2 145984 67137598 /usr/lib64/libgpg-error.so.0.24.2 #查看当前哪个进程正在使用此文件 [root@centos8 ~]#lsof /var/log/messages COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rsyslogd 915 root 5w REG 8,2 1419936 134802547 /var/log/messages #查看由登陆用户启动而非系统启动的进程 lsof /dev/pts/1 [root@centos8 ~]#lsof `tty` COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 1163 root 0u CHR 136,0 0t0 3 /dev/pts/0 bash 1163 root 1u CHR 136,0 0t0 3 /dev/pts/0 bash 1163 root 2u CHR 136,0 0t0 3 /dev/pts/0 bash 1163 root 255u CHR 136,0 0t0 3 /dev/pts/0 lsof 1651 root 0u CHR 136,0 0t0 3 /dev/pts/0 lsof 1651 root 1u CHR 136,0 0t0 3 /dev/pts/0 lsof 1651 root 2u CHR 136,0 0t0 3 /dev/pts/0 #指定进程号,可以查看该进程打开的文件 lsof -p 9527 [root@centos8 ~]#lsof -p `pidof bc` COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bc 1929 root cwd DIR 8,2 286 201326721 /root bc 1929 root rtd DIR 8,2 4096 128 / bc 1929 root txt REG 8,2 97256 201784353 /usr/bin/bc bc 1929 root mem REG 8,2 28784 171116 /usr/lib64/libdl-2.28.so bc 1929 root mem REG 8,2 3201344 171114 /usr/lib64/libc-2.28.so bc 1929 root mem REG 8,2 208616 171019 /usr/lib64/libtinfo.so.6.1 bc 1929 root mem REG 8,2 216912 171009 /usr/lib64/libncurses.so.6.1 bc 1929 root mem REG 8,2 338648 232638 /usr/lib64/libreadline.so.7.0 bc 1929 root mem REG 8,2 243520 171107 /usr/lib64/ld-2.28.so bc 1929 root mem REG 8,2 337024 134631849 
/usr/lib/locale/en_US.utf8/LC_CTYPE bc 1929 root mem REG 8,2 26398 67337760 /usr/lib64/gconv/gconvmodules.cache bc 1929 root 0u CHR 136,0 0t0 3 /dev/pts/0 bc 1929 root 1u CHR 136,0 0t0 3 /dev/pts/0 bc 1929 root 2u CHR 136,0 0t0 3 /dev/pts/0 #查看指定程序打开的文件 lsof -c httpd [root@centos8 ~]#lsof -c bc COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bc 1929 root cwd DIR 8,2 286 201326721 /root bc 1929 root rtd DIR 8,2 4096 128 / bc 1929 root txt REG 8,2 97256 201784353 /usr/bin/bc bc 1929 root mem REG 8,2 28784 171116 /usr/lib64/libdl-2.28.so bc 1929 root mem REG 8,2 3201344 171114 /usr/lib64/libc-2.28.so bc 1929 root mem REG 8,2 208616 171019 /usr/lib64/libtinfo.so.6.1 bc 1929 root mem REG 8,2 216912 171009 /usr/lib64/libncurses.so.6.1 bc 1929 root mem REG 8,2 338648 232638 /usr/lib64/libreadline.so.7.0 bc 1929 root mem REG 8,2 243520 171107 /usr/lib64/ld-2.28.so bc 1929 root mem REG 8,2 337024 134631849 /usr/lib/locale/en_US.utf8/LC_CTYPE bc 1929 root mem REG 8,2 26398 67337760 /usr/lib64/gconv/gconvmodules.cache bc 1929 root 0u CHR 136,0 0t0 3 /dev/pts/0 bc 1929 root 1u CHR 136,0 0t0 3 /dev/pts/0 bc 1929 root 2u CHR 136,0 0t0 3 /dev/pts/0 #查看指定用户打开的文件 lsof -u root | more #查看指定目录下被打开的文件,参数+D为递归列出目录下被打开的文件,参数+d为列出目录下被打开的文件 lsof +D /var/log/ lsof +d /var/log/ #查看所有网络连接,通过参数-i查看网络连接的情况,包括连接的ip、端口等以及一些服务的连接情况,例如:sshd等。也可以通过指定ip查看该ip的网络连接情况 lsof -i -n lsof -i@127.0.0.1 #查看端口连接情况,通过参数-i:端口可以查看端口的占用情况,-i参数还有查看协议,ip的连接情况等 lsof -i :80 -n #查看指定进程打开的网络连接,参数-i、-a、-p等,-i查看网络连接情况,-a查看存在的进程,-p指定进程 lsof -i -n -a -p 9527 #查看指定状态的网络连接,-n:no host names, -P:no port names,-i TCP指定协议,-s指定协议状态通过多个参数可以清晰的查看网络连接情况、协议连接情况等 lsof -n -P -i TCP -s TCP:ESTABLISHED
可以恢复的前提是这个文件正被某个程序打开,如nginx的配置文件nginx.conf被误删除,此时nginx仍处于运行状态,其进程仍然持有nginx.conf的文件描述符,并且nginx的进程没有被重启或者结束
lsof查看正在被打开的文件列表 [root@localhost ~]# lsof nginx 67773 root mem REG 8,2 16360 3661 /usr/lib64/libXau.so.6.0.0 nginx 67773 root mem REG 8,2 52312 3649 /usr/lib64/libjbig.so.2.1 nginx 67773 root mem REG 8,2 170216 3711 /usr/lib64/libxcb.so.1.1.0 nginx 67773 root mem REG 8,2 73008 1852 /usr/lib64/libbz2.so.1.0.6 nginx 67773 root mem REG 8,2 33480 1889 /usr/lib64/libuuid.so.1.3.0 nginx 67773 root mem REG 8,2 248216 1916 /usr/lib64/libexpat.so.1.6.7 nginx 67773 root mem REG 8,2 450824 3826 /usr/lib64/libwebp.so.7.0.2 nginx 67773 root mem REG 8,2 501640 3653 /usr/lib64/libtiff.so.5.3.0 nginx 67773 root mem REG 8,2 1339872 3713 /usr/lib64/libX11.so.6.3.0 nginx 67773 root mem REG 8,2 78736 3732 /usr/lib64/libXpm.so.4.11.0 nginx 67773 root mem REG 8,2 433680 2084 /usr/lib64/libjpeg.so.62.2.0 nginx 67773 root mem REG 8,2 782968 2032 /usr/lib64/libfreetype.so.6.16.1 nginx 67773 root mem REG 8,2 289648 424247 /usr/lib64/libfontconfig.so.1.12.0 nginx 67773 root 1u CHR 1,3 0t0 2059 /dev/null #tail命令打开文件 [root@localhost ~]# tail -F /var/log/messages Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3609] device (eth1): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3613] device (eth1): state change: prepare -> config (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3618] device (eth2): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3621] device (eth2): state change: prepare -> config (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3626] device (eth1): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3629] dhcp4 (eth1): activation: beginning transaction 
(timeout in 45 seconds) Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3639] device (eth2): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3641] dhcp4 (eth2): activation: beginning transaction (timeout in 45 seconds) Apr 12 11:11:00 localhost systemd[1]: Started Session 20 of user root. Apr 12 11:11:00 localhost systemd-logind[895]: New session 20 of user root. #lsof检查 [root@localhost ~]# lsof|grep tail tail 69425 root cwd DIR 8,2 4096 67158145 /root tail 69425 root rtd DIR 8,2 4096 128 / tail 69425 root txt REG 8,2 76120 101088713 /usr/bin/tail tail 69425 root mem REG 8,2 2586930 1582 /usr/lib/locale/en_US.utf8/LC_COLLATE tail 69425 root mem REG 8,2 3168120 1612 /usr/lib64/libc-2.28.so tail 69425 root mem REG 8,2 278432 1605 /usr/lib64/ld-2.28.so tail 69425 root mem REG 8,2 337024 1583 /usr/lib/locale/en_US.utf8/LC_CTYPE tail 69425 root mem REG 8,2 54 1586 /usr/lib/locale/en_US.utf8/LC_NUMERIC tail 69425 root mem REG 8,2 3316 33564954 /usr/lib/locale/en_US.utf8/LC_TIME tail 69425 root mem REG 8,2 286 33564952 /usr/lib/locale/en_US.utf8/LC_MONETARY tail 69425 root mem REG 8,2 26998 100665449 /usr/lib64/gconv/gconv-modules.cache tail 69425 root mem REG 8,2 57 33564964 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES tail 69425 root mem REG 8,2 34 100664986 /usr/lib/locale/en_US.utf8/LC_PAPER tail 69425 root mem REG 8,2 77 1585 /usr/lib/locale/en_US.utf8/LC_NAME tail 69425 root mem REG 8,2 167 33564949 /usr/lib/locale/en_US.utf8/LC_ADDRESS tail 69425 root mem REG 8,2 59 33564953 /usr/lib/locale/en_US.utf8/LC_TELEPHONE tail 69425 root mem REG 8,2 23 33564951 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT tail 69425 root mem REG 8,2 368 33564950 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION tail 69425 root 0u CHR 136,1 0t0 4 /dev/pts/1 tail 69425 root 1u CHR 136,1 0t0 4 /dev/pts/1 tail 69425 root 2u CHR 136,1 0t0 4 /dev/pts/1 tail 69425 root 3r REG 8,2 
9366338 2384 /var/log/messages #tail命令打开的文件 tail 69425 root 4r a_inode 0,14 0 11339 inotify #删除文件,但是文件被程序打开,使用lsof恢复 #tail命令打开/var/log/messages文件 root@localhost ~]# tail -F /var/log/messages Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3609] device (eth1): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3613] device (eth1): state change: prepare -> config (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3618] device (eth2): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3621] device (eth2): state change: prepare -> config (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3626] device (eth1): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3629] dhcp4 (eth1): activation: beginning transaction (timeout in 45 seconds) Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3639] device (eth2): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed') Apr 12 11:10:51 localhost NetworkManager[812]: <info> [1681269051.3641] dhcp4 (eth2): activation: beginning transaction (timeout in 45 seconds) Apr 12 11:11:00 localhost systemd[1]: Started Session 20 of user root. #删除文件 [root@localhost ~]# ls -l /var/log/messages -rw-------. 
1 root root 9366338 Apr 12 11:11 /var/log/messages [root@localhost ~]# rm -f /var/log/messages [root@localhost ~]# ls -l /var/log/messages ls: cannot access '/var/log/messages': No such file or directory #lsof命令找到文件,找到被删除的文件是被什么进程打开,通过进程id找到被删除的文件进行恢复 [root@localhost ~]# lsof |grep /var/log/messages rsyslogd 1197(此为打开此文件的进程pid) root 7w REG 8,2 9366338 2384 /var/log/messages (deleted) rsyslogd 1197 1205 in:imjour root 7w REG 8,2 9366338 2384 /var/log/messages (deleted) rsyslogd 1197 1209 rs:main root 7w REG 8,2 9366338 2384 /var/log/messages (deleted) #检查,查看刚刚被删除的文件 [root@localhost ~]# ls -l /proc/1197/fd total 0 lr-x------. 1 root root 64 Apr 12 11:10 0 -> /dev/null l-wx------. 1 root root 64 Apr 12 11:10 1 -> /dev/null lr-x------. 1 root root 64 Apr 12 11:10 10 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-000000000001b887-0005f90f910443ab.journal lr-x------. 1 root root 64 Apr 12 11:10 11 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-00000000000190c2-0005f904ed8f7354.journal lr-x------. 1 root root 64 Apr 12 11:10 12 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000016923-0005f8fa1bbb809f.journal lr-x------. 1 root root 64 Apr 12 11:10 13 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000014183-0005f8ef5e78442a.journal lr-x------. 1 root root 64 Apr 12 11:10 14 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-00000000000119e4-0005f8e49e85f6c4.journal lr-x------. 1 root root 64 Apr 12 11:10 15 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-000000000000f244-0005f8d9ccb1e5a2.journal lr-x------. 1 root root 64 Apr 12 11:10 16 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-000000000000caa8-0005f8cf0cbf5d80.journal lr-x------. 
1 root root 64 Apr 12 11:10 17 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-000000000000a308-0005f8c4383d18c8.journal l-wx------. 1 root root 64 Apr 12 11:10 18 -> /var/log/secure lr-x------. 1 root root 64 Apr 12 11:10 19 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000007b70-0005f8b97af94398.journal l-wx------. 1 root root 64 Apr 12 11:10 2 -> /dev/null lr-x------. 1 root root 64 Apr 12 11:10 20 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-00000000000053d0-0005f8aea9253014.journal lr-x------. 1 root root 64 Apr 12 11:10 21 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000002b5f-0005f88e0083a209.journal lr-x------. 1 root root 64 Apr 12 11:10 22 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system@9705cca605084349ad52536415e95ced-0000000000000001-0005f86a6b381ed8.journal lr-x------. 1 root root 64 Apr 12 11:10 3 -> /dev/urandom lrwx------. 1 root root 64 Apr 12 11:10 4 -> 'socket:[26917]' l-wx------. 1 root root 64 Apr 12 11:10 5 -> /var/log/cron lr-x------. 1 root root 64 Apr 12 11:10 6 -> anon_inode:inotify l-wx------. 1 root root 64 Apr 12 11:10 7(打开的文件) -> '/var/log/messages (deleted)' #刚刚被删除的文件,可以看到其文件描述符为7 lr-x------. 1 root root 64 Apr 12 11:10 9 -> /run/log/journal/089f18fbfd6446e380f7c025aaa7b9e5/system.journal #详细 [root@localhost ~]# ls -l /proc/1197/fd/7 l-wx------. 1 root root 64 Apr 12 11:10 /proc/1197/fd/7 -> '/var/log/messages (deleted)' #可以看到有文件内容 [root@localhost ~]# cat /proc/1197/fd/7|wc -l 62932 #恢复文件 [root@localhost ~]# cat /proc/1197/fd/7 >/var/log/messages #检查文件被成功的恢复 [root@localhost ~]# ls -l /var/log/messages -rw-r--r--. 1 root root 9379982 Apr 12 11:19 /var/log/messages #注意:用重定向恢复出的新文件权限是644(-rw-r--r--),而删除前的原文件是600(-rw-------),日志内容会被其他用户读到,需要用chmod 600重新收紧权限;另外rsyslogd仍在向旧的(deleted)inode写入,重启或reload rsyslogd后才会写入新恢复的文件 #前提是打开该文件的程序没有关掉,关掉的话就没办法恢复了