Who is using my file?
1d 8h ago by lemmy.ml/u/DaGammla in linuxmemes from lemmy.ml
Well actshly, rm removes the inode, not the file. If it's still in use it'll stay on the disk until the last fd is closed.
- with most file systems that are usual on linux
Yep, it's a smart system.
For the user, the file is immediately no longer in the tree, so for them it's considered done.
The OS should handle all the hassle, not the user.
I think "consider it done" puts it well.
"I'll get to it, eventually" would ruin the meme but be more fitting, in my opinion.
Had multiple occasions where people fought against filling disks and just couldn't see why. Well, that 10 gig log file you deleted two weeks ago? It's 20 gig now, and still being written to.
lsof shows stuff like that.
Nothing new can open it immediately.
So it's effectively deleted with old references slowly phasing out.
Zombie files are an issue though. A while back I had a huge zombie file on a tmpfs which was filling all my ram. So I built a tool to track it down and traced it to a konsole instance with a killed tab that previously had billions of lines of stdout history.
https://github.com/redjard/zombie-file-list
zombie-file-list
Lists Linux files that are still opened in a process but were deleted. These "zombie files" use up space and inodes but are hard to find.
I wrote this because my /tmp tmpfs was taking up 32GB of ram despite the files inside summing to only 3MB.
Usage:
zombie-file-list <path to filesystem>Note:
- This command is designed to be run on filesystem roots, not paths in general.
- Sizes are apparent sizes, e.g. on ext4 the actual sizes are rounded up to the next 4KiB
I wrote this because my /tmp tmpfs was taking up 32GB of ram despite the files inside summing to only 3MB.
Note that tmpfs doesn't force its contents to remain in memory --- the kernel can move stuff there to swap space if it needs to do so.
Ramfs is the filesystem that keeps things locked in memory:
https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt
With ramfs, there is no backing store. Files written into ramfs allocate
dentries and page cache as usual, but there's nowhere to write them to.
This means the pages are never marked clean, so they can't be freed by the
VM when it's looking to recycle memory.
ramfs and tmpfs:
----------------
One downside of ramfs is you can keep writing data into it until you fill
up all memory, and the VM can't free it because the VM thinks that files
should get written to backing store (rather than swap space), but ramfs hasn't
got any backing store. Because of this, only root (or a trusted user) should
be allowed write access to a ramfs mount.
A ramfs derivative called tmpfs was created to add size limits, and the ability
to write the data to swap space. Normal users can be allowed write access to
tmpfs mounts. See Documentation/filesystems/tmpfs.txt for more information.Maybe. It's been a while so I don't know 100% this was put to the test, but I wanna say the system has a weird kernel which leads to it not swapping out tmpfs properly.
But ordinarily you should be right, this would simply ruin the stats visually until something forced it to swap out, since konsole shouldn't be accessing it.
Could you have restarted to allow the OS to clean it up?
I could have, but the system wasn't set up to restart without downtime, and the server was also remote and not easily accessible.
It did acutally die due to a poweroutage some months later and took 2 days to get restarted.
So yeah sometimes restarting is way more undesirable than loosing access to 32GB of ram. I would have just eaten that cost otherwise until a more opportune chance to restart.
Besides, restarting to fix a problem is equivalent to giving up on understanding the issue, learning new stuff, and maybe finding a way better solution or preventing the type of error entirely.
I get not finding the motivation when your software is working against you and learning is ultimately fruitless like on windows, or not having the time in the moment to figure it out properly, but a perfectly good bug on a linux system when you have time is prime real-estate to grow your skills and find fulfillment.
Ah that makes sense. I had considered it might be a server but you mentioned a Konsole tab so my mind decided it must have been local machine.
Crazy it took 2 days to restart the server!
There was a dedicated person on call, but it happened to be when they were away.
The Konsole was left running from a local access, with a while true loop of a service status command. When that service was stopped later, the while loop started rerunning the script every second, filling the buffer with error messages.
The tab was then killed remotely, but the Konsole window left running. Process ram usage went down but the file remained on tmpfs, which is not counted as ram usage so wasn't noticed.
Then it took some time to notice the ram usage mismatch so noone thought of that konsole incident.
You can also still access the file as long as there's a process that still has it open. I have, in the past, "undeleted" a file or two doing that.
$ echo foo > bar
$ tail -f bar
foo
In another terminal:
$ pidof tail
1525534
$ ls -l /proc/1525534/fd|grep bar
lr-x------ 1 tal tal 64 Jun 16 06:42 3 -> /home/tal/bar
$ rm bar
$ ls -l /proc/1525534/fd|grep bar
lr-x------ 1 tal tal 64 Jun 16 06:42 3 -> /home/tal/bar (deleted)
$ cat /proc/1525534/fd/3
foo
$ cat /proc/1525534/fd/3 > bar-recovered
$ cat bar-recovered
foo
$
That is, the /proc entry for tail's file descriptor 3 there looks kinda like a symlink, but the kernel doesn't actually make it behave in quite the same way as a normal symlink.
That being said, getting back to the original point about unlinking not being able to remove the directory entry...it won't sit there blocking you from putting a new directory entry there with the same name, the way Windows file semantics mandate.
EDIT: Also, what rm removes is the directory entry rather than the inode. The inode sticks around as long as the file data is there. You can have multiple directory entries for an inode, or none at all, but file data will have an inode associated with it.
$ touch a
$ sudo ln -T a b
$ stat -c %i a
216538023
$ stat -c %i b
216538023
Same inode, different directory entries.
https://en.wikipedia.org/wiki/Inode
inode persistence and unlinked files
An inode may have no links. An inode without links represents a file with no remaining directory entries or paths leading to it in the filesystem. A file that has been deleted or lacks directory entries pointing to it is termed an 'unlinked' file.
Such files are removed from the filesystem, freeing the occupied disk space for reuse. An inode without links remains in the filesystem until the resources (disk space and blocks) freed by the unlinked file are deallocated or the file system is modified.
Although an unlinked file becomes invisible in the filesystem, its deletion is deferred until all processes with access to the file have finished using it, including executable files which are implicitly held open by the processes executing them.
Do modern file systems actually remove it from disk? It's been a while since I did any forensics and didn't do much of it, but I remember being able to batch restore files from inodes as long as that part of the disk hadn't been overwritten. That's why you're supposed to overwrite disks with random data if you want to data gone.
Nah, they just throw away the block markings, absolutely.
Overwriting a SSD is difficult as well, better encrypt the drive and trash the key when you decommission.
What about microwaving it?
You mean like in your kitchen? Too much metal, you'll damage your magnetron.
You could use thermite and melt it to a pulp. Dangerous as well, though.
Really, just encrypt. Your CPU has AES extensions, performance impact is negligible. Simple, clean, and a protection against involuntary decommission as well.
If the file is on an SSD and trim is enabled, the blocks will be erased eventually.
Interesting TIL
I wanted to remove an Adobe file because it wouldn't let me uninstall Adobe through the program management. It said it was being used. By explorer apparently. Checked online, all I had to do was rename the file, then delete it. Worked. But it's so dumb.
Btw this also method to prevent file/dir be automatic created: for dir make file with same name, for file other way.
Usually rename only replace other file, not dir. And if path exist but file, cannot open as dir, but also not create.
This was how you could prevent Cortana and some other stuff from being automatically reinstalled when Windows forced if. Uninstall the app via appx, or just delete the folder instead if it's not in use, and then replace it with a file with the same name so it can't remake the folder.
Cortana being reinstalled after I "deleted" it was the impetus for me to swap to Linux in the first place.
That and I was a CS student and our assignments had to run on Solaris which is closer to Linux than Windows.
Northern Scandinavia??
No Canada, and even then it was a bit of a relic.
It was slowly being replaced by vagrant in some courses and I think after I left I'm pretty sure they replaced whatever hardware it was on with something running Linux.
I remember it was mildly annoying because the Java compiler on it was a bit old and different in some way, though I can't really remember how.
Alright. 😄 We also had a couple Solaris servers at my uni. They had the names "itchy" and "scratchy".
Ours didn't have fun names., or at least not ones that were exposed to students. I honestly didn't know too much about about them but I suspect at the time Sparc systems were one of the larger machines compute wise you could get outside of mainframes. So very suitable for a university multiuser setup.
You used Solaris when cortana was already a thing? That's great! :D
My university ditched Solaris like 20 years ago. Still have fond memories of cde lol
Cortana was released nearly 12 years ago and I'm not sure the Solaris box lasted much longer. It was the only box that connectable remotely at the time and you put your assignments on it to be marked by TAs. The computer labs were all Linux and Windows though.
I suspect it was around because it mostly just worked and probably some greybeard had scripted it all up to connect to the various student systems and automatically provision accounts and things.
I'm sure it's all Linux now.
Who is using my file?
lsof path/to/file
You almost always want to pair lsof with -n, as by default, it (slowly) lists a bunch of things that require name resolution.
$ time lsof >/dev/null
real 2m12.352s
user 0m0.499s
sys 0m1.217s
$ time lsof -n >/dev/null
real 0m1.600s
user 0m0.523s
sys 0m1.029s
$meanwhile, me getting annoyed that a network mount whose endpoint is not available anymore just completely refuses to unmount, no matter what I do
You can lazy umount, which blocks new accesses and actually unmounts when it can
Yep. The lock comes from files being opened on the mounted path. Remove those and you should be fine.
At some point macOS introduced a bug that ejecting a usb drive that is open in the file viewer used to eject it doesn’t work
Windows being portrayed as a polite UwU in þis meme has always seemed off, to me. I imagine it as more surly and petulant.
I imagine it as more surly and petulant.
No, that's macOS
I imagine it more as a condescending IT guy who isn't actually very good at his job and has secretly set up each machine to spy on the users (but again isn't very good at what he does so it isn't much of a secret).
Where did I read that the þ character doesn't really help against AI at this point? That it is pretty futile? Can't remember.
It doesn't have to be an 'against AI' thing, to be fair! It's also just fun to use.
the windows command system is so dumb and unintuitive. what takes like a command and 2 arguments on Windows takes 3 times the effort and an unnecessarily long command syntax