January, 18, 2010

How to Get Rid of Deleted Open Files

Logfiles deleted while the process is still running?
Find the deleted file's representation under /proc
Free up the Space
What more could be done...
Final Remarks

1. Logfiles deleted while the process is still running?

That's annoying: On your Linux-Server the /var filesystem is nearly full. You remove a very large logfile that you don't need with the rm command:

tux:~# df -Ph /var
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/root-var  7.1G  7.0G  100M  99% /var
tux:~# ls -l /var/log/myapp/userlog
tux:~# rm /var/log/myapp/userlog
tux:~# df -Ph /var
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/root-var  7.1G  7.0G  100M  99% /var

But what's that? The filesystem is still full. With lsof you see, that the logfile is still opened in write mode:

tux:~# lsof | grep var/log/myapp/userlog
myapp    25139      root   4w     REG      3,12       0    2101404 /var/log/myapp/userlog (deleted)

To actually free up the space you would have to stop the logging process. But since this might be a mission critical application this is not always an option. Is there any way to get rid of the file without stopping the logging process?

2. Find the deleted file's representation under /proc

Actually we cannot remove the file as long as the file is still in use by a process. But what we can do is: Getting the size down to 0. Thanks to Linux' enhanced /proc filesystem.

And that's how you do it:

First find the process that still uses the file (we already did that - see above):

tux:~# lsof | grep var/log/myapp/userlog
myapp    25139      root   4w     REG      3,12       0    2101404 /var/log/myapp/userlog (deleted)

lsof tells us that a process with PID=25139 has opened the file (with number 4) in write mode. See the bolded part of the lsof output.

Knowing the PID of the process and the file number we can visit its representation under /proc:

tux:~# cd /proc/25139/fd
tux:/proc/25139/fd#  ls -l 4
lr-x------ 1 root root 64 2010-01-07 17:10 4 -> /var/log/myapp/userlog (deleted)

We can do almost everything with this file (called 4 here) what we can do with a real file: we can less it, copy it, and we can change its contents!

3. Free up the Space

As already said, we cannot remove the file, but what we can do is getting the size down to zero. And that's done as with every other file, e.g. if you use bash (or ksh) - what is most likely under Linux:

tux:~# > /proc/25139/fd/4
tux:~# df -Ph /var
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/root-var  7.1G  4.9G  1.2G  69% /var

As we see there is again free space under /var, and the process is still running:

tux:~# lsof | grep var/log/myapp/userlog
myapp    25139      root   4w     REG      3,12       0        0  /var/log/myapp/userlog (deleted)

4. What more could be done...

As said before you can work on this file as you work on real files. That means, you could even save this file and compress it before getting its size down to 0:

tux:~# cp /proc/25139/fd/4 /tmp/userlog
tux:~# gzip -9 /tmp/userlog
tux:~# mv /tmp/userlog.gz /var/log/myapp/userlog.1.gz
tux:~# > /proc/25139/fd/4

5. Final Remarks

This procedure helps you if you are in a pinch - but basically you should never remove such an open file, because you still have an issue here: The process still writes to this file - and the only way to see what it logs is to use the procedure to save the file as shown above.

So remember to bring the size down to 0 in the first place instead:

tux:~# > /var/log/myapp/userlog