====== Find Open Files On A Linux System ======
Sometimes within any OS, it's difficult to know when you have a file opened which needs to be managed in some way. There is nothing more annoying than trying to delete, cut or modify a file and get the error that the file is already open. Another possibility is trying to unmount a device and you get the error that the device is busy, which is usually due to an open file on the device.
So, let's look at how to find open files because you really do not want to have to close all your open applications to get the right one.
Let's assume I am trying to unmount sda2 and I get a 'device is busy' error. It is best not to perform a forced unmount because files could get corrupted. To get a list of open files on sda2, we use the “lsof”' command as shown:
user@alpha:~# lsof /dev/sda2
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
soffice.b 4774 root 29u REG 8.2 9181 537797 /media/sda2/home/user/Untitled 1.odt
user@alpha:~#
You can see there are nine columns for information about the open file:
* COMMAND – procrss which has the file open
* PID (Process ID) – the PID of the process which has the file opened
* USER – the user which has the file open
* FD (File Descriptor) – indicator used to access files
* TYPE – type of node for file
* REG – regular file
* DIR – directory
* CHR – Character special file
* FIFO – First In First Out
* IP4 – IP4 socket
* IP6 – IP6 network file
* AX25 – AX.25 socket
* INET – Internet domain socket
* LLA – HP-UX link level access file
* RTE – AF-Route socket
* SOCK – unknown domain socket
* UNIX – UNIX domain socket
* X.25 – HP-UX x.25 domain socket
* BLK – Block special file
* DEL – deleted Linux map file
* DOOR – VDOOR file
* KQUEUE – BSD kernel event queue file
* LINK – Symbolic Link (soft link) file
* MPB – Multiplexed block file
* MPC – Multiplexed character file
* NOFD – /proc/fd/ directory
* PAS – /proc/as/ file
* PAXV - /proc/auxv/ file
* PCRE - /proc/cred/ file
* PCTL - /proc control file
* PCUR – current /proc control file
* PCWD - /proc current working directory
* PDIR - /proc directory
* PETY - /proc executable type
* PFD - /proc file descriptor
* PFDR - /proc file descriptor directory
* PFIL - /proc executable file
* PFPR - /proc FP register set
* PGD - /proc/pagedata file
* PGID - /proc group notifier file
* PIPE - pipes
* PLC - /proc/lwpctl file
* PLDR - /proc/lpw directory
* PLDT - /proc/ldt file
* PLPI – proc/lpsinfo file
* PLST - /proc/lsstatus file
* PLU - /proc/lusage file
* PLWG - /proc/gwindows file
* PLWI - /proc/lwpsinfo file
* PLWS - /proc/lwpstatus file
* PLWU - /proc/lwpusage file
* PLWX - /proc/xregs file
* PMAP - /proc map file
* PMEM - /proc memory image file
* PNTF - /proc process notifier file
* POBJ - /proc/object file
* PODR - /proc/object directory
* POLP - /proc light weight process file
* POPF - /proc PID file
* POPG - /proc page data file
* PORT – SYSV named pipe
* PREG - /proc register file
* PRMP - /proc/rmap file
* PRTD - /proc root directory
* PSGA - /proc/sigact file
* PSIN - /proc/psinfo file
* PSTA - /proc status file
* PSXSEM – POSIX semaphore file
* PSXSHM – POSIX shared memory file
* PUSG - /proc/usage file
* PW - /proc/watch file
* PXMP - /proc/xmap file
* SMT – shared memory transport file
* STSO – stream socket
* UNM – unnamed type file
* XNAM – OpenServer Xenix special file of unknown type
* XSEM – OpenServer Xenix semaphore file
* XSD – OpenServer Xenix shared data file
* DEVICE – shows “major,minor” number of device
* major number of 1 represents IDE
* major number of 8 represents SCSI
* SIZE/OFF - file size or offset
* NODE – file's iNode number
* NAME – location of opened file/folder
The command was run specifically for the 'sda2' partition. If the 'lsof' command were executed with no location specified, it would check the local filesystem and all mounted filesystems.
If you are wanting a list of all files opened by a certain process, you can use the '-c NAME' parameter to specify the name of the process, or just a few letters. For example, if I wanted to see all files opened by Libre Office (the command 'soffice.b') on all drives I could use the following command:
lsof -c soffice.b
I could also specify a specific device, such as sda2 as follows:
lsof -c soffice.b /dev/sda2/
If your system is having issues resolving the username, you can use the parameter '-l' to make it show the User ID (UID) instead of the username.
For network numbers to host name conversion, you can use the parameter '-n' to prevent the conversion. This can make the 'lsof' command run a little faster when dealing with network issues.
For port number to port name conversion, you can use the '-P' parameter to prevent the conversion.
Once you have found the program which has the open file, you should be able to close it easily. Once you know its name, 'top' can be used from the Terminal to kill the process. It is also possible to issue the following command to send a 'sigterm' signal to the process:
kill -SIGTERM `lsof -t /dev/sda2/`
In the example, the output of the 'lsof' command is producing a 'terse' output which is only the Process ID (PID). The PID is then used by the 'kill' command to send a kill signal to the process and cause a termination which can allow for the application to save open files.
The termination is a 'nice' termination to help prevent loss of data.
NOTE: SIGTERM (15) can be ignored by some applications, but a SIGKILL (9) cannot be ignored.
Instead of the name as a parameter, the numbers can be used.
Assume you want to kill all processes created by a user. You would do the following:
kill -9 `lsof -t -u `
The '-u ' allows you to specify which user processes you are searching for in the open files. The '-9' is a SIGKILL parameter.
NOTE: The special symbol (`) is sometimes called a slash quote. It is used to enclose commands which
need to be executed first. The output is sent to the outer command.