Linux: recovering deleted files with the lsof command, explained in detail
<p><span><strong>The lsof command</strong></span></p>
<p>
lsof (list open files) shows which files a process has open, which processes have a given file open, and which TCP and UDP ports a process has open. It can also be used to locate and recover a deleted file that some process still holds open. It is a convenient system-monitoring tool; because it has to inspect the open-file table of every process (through /proc on Linux), run it as root when you want to see all processes, since an unprivileged user only sees their own.</p>
<p>
On Linux nearly everything is represented as a file: not only regular data, but also network connections and hardware are reached through files. When an application opens a TCP or UDP socket, for example, the kernel hands it a file descriptor, and whatever the object behind it, that descriptor is the application's uniform interface to the operating system. The list of descriptors a process has open therefore says a great deal about what the process is doing, which is why being able to read that list with lsof is so useful for monitoring and troubleshooting.</p>
<p>
<span><strong>Syntax</strong></span></p>
<p>
lsof [options]</p>
<p>
<span><strong>Options</strong></span></p>
<p>
-a: AND the selection options together (by default lsof ORs them, so <code>lsof -u root -c sshd</code> lists files matching either condition, while <code>lsof -a -u root -c sshd</code> requires both);</p>
<p>
-c &lt;name&gt;: list files opened by processes whose command name begins with &lt;name&gt;;</p>
<p>
-g &lt;pgid&gt;: list files opened by processes in the given process group ID (this is the PGID, not the user's GID);</p>
<p>
-d &lt;fd&gt;: list processes that have the given file descriptor open: a number such as 1, a range such as 0-2, or a keyword such as txt;</p>
<p>
+d &lt;dir&gt;: list open files directly under the directory;</p>
<p>
+D &lt;dir&gt;: recursively list open files under the directory and its subdirectories;</p>
<p>
-n: do not resolve IP addresses to host names (faster, and avoids DNS lookups; pair it with -P, which likewise leaves port numbers unconverted, when you want output that is easy to parse). Note that NFS files are selected with the separate -N option;</p>
<p>
-i &lt;spec&gt;: list network files matching the spec, which combines an IP version (4 or 6), a protocol (TCP or UDP), @host and :port, for example <code>-i TCP:22</code> or <code>-i @192.168.178.1</code>; with no spec, all network files are listed;</p>
<p>
-p &lt;pid&gt;: list files opened by the given process ID;</p>
<p>
-u &lt;user&gt;: list files opened by the given user name or UID;</p>
<p>
-h: show help;</p>
<p>
-v: show version information.</p>
<p>
<span><strong>Usage</strong></span></p>
<p>
<strong>Inspecting</strong></p>
<p>
<code>lsof -i:&lt;port&gt;</code> shows which processes have the port open, for example port 22:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_606350">
<pre><code class="bash">shell> lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1939 root 3u IPv4 12317 0t0 TCP *:ssh (LISTEN)
sshd 1939 root 4u IPv6 12321 0t0 TCP *:ssh (LISTEN)
sshd 2790 root 3u IPv4 15229 0t0 TCP 192.168.178.128:ssh->192.168.178.1:64601 (ESTABLISHED)
sshd 2824 root 3u IPv4 15528 0t0 TCP 192.168.178.128:ssh->192.168.178.1:64673 (ESTABLISHED)
sshd 2990 root 3u IPv4 15984 0t0 TCP 192.168.178.128:ssh->192.168.178.1:64686 (ESTABLISHED)
sshd 14695 root 3u IPv4 39558 0t0 TCP 192.168.178.128:ssh->192.168.178.1:49662 (ESTABLISHED)
</code></pre>
</div>
</div>
</div>
<p>
<strong>The columns of lsof output mean the following:</strong></p>
<ol>
<li>
COMMAND: name of the process</li>
<li>
PID: process identifier</li>
<li>
USER: owner of the process</li>
<li>
FD: file descriptor. Either a descriptor number followed by its access mode (r read, w write, u read and write), as in 1w or 3u, or a keyword for a file the process uses without a numbered descriptor: cwd (current directory), txt (program text), mem (memory-mapped file), rtd (root directory), and so on</li>
<li>
TYPE: type of the file, e.g. REG (regular file), DIR (directory), CHR (character device), FIFO, unix (Unix socket), IPv4 or IPv6 (network socket)</li>
<li>
DEVICE: major,minor numbers of the device holding the file (e.g. 8,2); for sockets on Linux this column carries the socket's inode number instead</li>
<li>
SIZE/OFF: size of the file or the current file offset; 0t0 for sockets, where neither is meaningful</li>
<li>
NODE: inode number of the file on disk; for network files, the protocol (TCP, UDP)</li>
<li>
NAME: path of the file, or for network files the local and remote endpoints and the connection state; a file removed while still open is shown with (deleted) appended to its path</li>
</ol>
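<p>
The column layout above is all that is needed to turn lsof output into detection data with awk. The following POSIX shell script is an added example and not code from the original article. It assumes lsof was run as <code>lsof -nP</code>, so that addresses and ports appear as numbers rather than names; the sample output is constructed for the example (modelled on the lines shown on this page, plus invented entries for an nginx listener, a deleted mapped library and an application file with a space in its path), and the function names are the example's own.</p>

```sh
#!/bin/sh
# Added example: parse `lsof -nP` output column by column with awk.
# SAMPLE is constructed for this example (modelled on the lines on this page).
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1939 root 3u IPv4 12317 0t0 TCP *:22 (LISTEN)
sshd 1939 root 4u IPv6 12321 0t0 TCP *:22 (LISTEN)
sshd 2790 root 3u IPv4 15229 0t0 TCP 192.168.178.128:22->192.168.178.1:64601 (ESTABLISHED)
rsyslogd 1737 root 1w REG 8,2 5716123 652638 /var/log/messages (deleted)
rsyslogd 1737 root 2w REG 8,2 4096 652640 /var/log/secure
rsyslogd 1737 root mem REG 8,2 156872 131090 /lib64/libc.so.6 (deleted)
nginx 2201 www 6u IPv4 22111 0t0 TCP 0.0.0.0:8080 (LISTEN)
app 3110 app 5u REG 8,2 1024 700001 /srv/app/work dir/tmp.dat (deleted)'

# listening_ports: print "COMMAND PID PORT" for every TCP socket in LISTEN state.
# For a network file the NODE column ($8) holds the protocol, NAME is the field
# before the state, and the port is whatever follows the last ":" in it.
listening_ports() {
  printf '%s\n' "$SAMPLE" | awk '
    NR > 1 && $8 == "TCP" && $NF == "(LISTEN)" {
      n = split($(NF - 1), parts, ":")
      print $1, $2, parts[n]
    }'
}

# deleted_open_files: print "PID FD MODE PATH" for regular files that were unlinked
# while a process still held a numbered descriptor on them (the "(deleted)" marker).
# The FD column carries the descriptor number plus an access-mode letter (1w, 3u);
# keyword entries such as mem or txt are mappings, not descriptors, and are skipped.
# NAME may contain spaces, so the path is rebuilt from field 9 up to the marker.
deleted_open_files() {
  printf '%s\n' "$SAMPLE" | awk '
    NR > 1 && $5 == "REG" && $NF == "(deleted)" && $4 ~ /^[0-9]+/ {
      fd = $4; mode = $4
      sub(/[^0-9].*$/, "", fd)       # "1w" -> "1"
      sub(/^[0-9]+/, "", mode)        # "1w" -> "w"
      if (mode == "") mode = "-"
      path = $9
      for (i = 10; i < NF; i++) path = path " " $i
      print $2, fd, mode, path
    }'
}

listening_ports
deleted_open_files
```

<p>
On a live host replace the constructed SAMPLE with <code>lsof -nP</code> output. The second function is the selection step of the recovery described later in this article: its PID and FD columns name the /proc entry that still holds the data, and the deleted mem mapping it deliberately leaves out is the other classic finding, a library replaced by a package upgrade while the service kept running.</p>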
<p>
<strong>Recovering a file</strong></p>
<p>
lsof can be used to get a deleted file back, a system log in this example, as long as the process that had it open is still running: unlinking a file only removes its directory entry, and the inode with its data is not freed until the last open descriptor on it is closed. While that descriptor exists, its contents remain reachable under /proc. The walkthrough uses /var/log/messages, the log most people reach for first; take a backup before trying this yourself.</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_189938">
<pre><code class="bash"># back up first
shell> cp /var/log/messages /var/log/message_bac
shell> lsof | grep /var/log/messages
rsyslogd 1737 root 1w REG 8,2 5716123 652638 /var/log/messages
</code></pre>
</div>
</div>
</div>
<p>
With rsyslogd still running, delete /var/log/messages:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_565261">
<pre><code class="bash">shell> rm /var/log/messages
</code></pre>
</div>
</div>
</div>
<p>
After the deletion, look at the process's open files again:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_766920">
<pre><code class="bash">shell> lsof | grep /var/log/messages
rsyslogd 1737 root 1w REG 8,2 5716123 652638 /var/log/messages (deleted)
</code></pre>
</div>
</div>
</div>
<p>
The line now ends with (deleted): the path is gone, but rsyslogd still holds the inode open. Two values from the output are needed to reach it, the PID (1737) and the descriptor number from the FD column (1, the w meaning write-only), which together name the entry /proc/1737/fd/1. Go into /proc/1737/fd/ and list it with ll (ls -l):</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_782892">
<pre><code class="bash">shell> cd /proc/1737/fd/
shell> ll
total 0
lrwx------ 1 root root 64 Dec 23 13:00 0 -> socket:
l-wx------ 1 root root 64 Dec 23 13:00 1 -> /var/log/messages (deleted)
l-wx------ 1 root root 64 Dec 23 13:00 2 -> /var/log/secure
lr-x------ 1 root root 64 Dec 23 13:00 3 -> /proc/kmsg
l-wx------ 1 root root 64 Dec 23 13:00 4 -> /var/log/maillog
</code></pre>
</div>
</div>
</div>
<p>
Descriptor 1 points at /var/log/messages (deleted). Check that it is the file we want by reading it through the /proc link:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_879507">
<pre><code class="bash">shell> head -5 1
Nov 14 03:11:11 localhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Nov 14 03:11:11 localhost rsyslogd: start
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpuset
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpu
Nov 14 03:11:11 localhost kernel: Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.CentOS.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013
</code></pre>
</div>
</div>
</div>
<p>
Compare with the backup:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_623204">
<pre><code class="bash">shell> head -5 /var/log/message_bac
Nov 14 03:11:11 localhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Nov 14 03:11:11 localhost rsyslogd: start
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpuset
Nov 14 03:11:11 localhost kernel: Initializing cgroup subsys cpu
Nov 14 03:11:11 localhost kernel: Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013
</code></pre>
</div>
</div>
</div>
<p>
The contents match. Recover the file by copying the descriptor's contents back to the original path:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_349837">
<pre><code class="bash">shell> cat 1 > /var/log/messages
</code></pre>
</div>
</div>
</div>
<p>
Once more: this only works while the process holding the file open is still alive. When it exits or closes the descriptor, the inode is freed and the data is gone for good, so copy first and never restart the service beforehand. Note also that <code>cat 1 > /var/log/messages</code> creates a new inode at the old path; rsyslogd is still writing to the deleted one. After the copy, make it reopen its log files (<code>kill -HUP 1737</code> for rsyslogd, or a service restart), and expect any lines logged between the copy and the reopen to be missing from the new file.</p>
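<p>
The manual walk through /proc/&lt;pid&gt;/fd above can be scripted. The following POSIX shell script is an added example and not code from the original article: it finds every deleted-but-still-open regular file by reading the /proc links directly (the same set <code>lsof -nP +L1</code> reports, +L1 selecting open files whose link count is below one), then copies a chosen descriptor out through /proc and verifies the copy against the live inode. It assumes a Linux /proc and permission to read the target process (root for processes you do not own); the function names and the command-line form are the example's own.</p>

```sh
#!/bin/sh
# Added example: locate and copy out deleted-but-open files via /proc.
# Assumes a Linux /proc and permission to read the target process's fd directory.

# find_deleted_fds [PID]: print "PID FD PATH" for each open file whose /proc/PID/fd
# link target is a path ending in " (deleted)". Without an argument every process
# is scanned; other users' processes are skipped when not root (readlink fails).
# Anonymous objects (socket:[n], pipe:[n], /memfd:...) carry no recoverable path
# and are skipped.
find_deleted_fds() {
  for link in /proc/${1:-[0-9]*}/fd/*; do
    target=$(readlink "$link" 2>/dev/null) || continue
    case "$target" in
      /memfd:*) continue ;;
      /*" (deleted)") ;;
      *) continue ;;
    esac
    pid=${link#/proc/}
    pid=${pid%%/*}
    printf '%s %s %s\n' "$pid" "${link##*/}" "${target% (deleted)}"
  done
}

# recover_fd PID FD DEST: copy the still-open inode out through /proc/PID/fd/FD and
# check the copy against it. Opening that link is a fresh open() of the same inode,
# so a descriptor the process holds write-only (1w in the lsof output) can still be
# read. If the process has exited, the link is gone and so is the data.
recover_fd() {
  src="/proc/$1/fd/$2"
  if [ ! -L "$src" ]; then
    echo "pid $1 fd $2 is not open (or not readable)" >&2
    return 1
  fi
  cp "$src" "$3" || return 1
  # cmp reads the live inode again: a mismatch means the process wrote to it in
  # between, so copy once more or quiesce the writer first
  cmp -s "$src" "$3"
}

# Stand-alone use:
#   sh recover.sh scan [PID]
#   sh recover.sh recover PID FD DEST
case "${1:-}" in
  scan)    find_deleted_fds "${2:-}" ;;
  recover) recover_fd "$2" "$3" "$4" ;;
esac
```

<p>
Compared with <code>cat 1 > /var/log/messages</code>, copying to a fresh name and then moving it into place keeps the partial copy out of the log path if the copy is interrupted; either way the writer still has to be told to reopen the file afterwards.</p>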
<p>
<span><strong>Summary</strong></span></p>
<p>
That is all for this article. We hope it is of some help in your study or work; if you have questions, leave a comment.</p>