Linux get open files

Linux — How to track all files accessed by a process?

Is there a way to track all file I/O for a given process? All I really need is the locations of files being read from/written to from a given process (and ideally if it was a read or write operation although that’s not as important). I can run the process and track it rather than needing to attach to an existing process which I would assume is significantly simpler. Is there any kind of wrapper utility I can run a process though that will monitor file access?

4 Answers 4

lsof :

Try doing this as a starter :

this command will list all currently open files, fd, sockets for the process with the passed process ID.

For your special needs, see what I can offer as a solution to monitor a php script :

php foo.php & _pid=$! lsof -r1 -p $_pid kill %1 # if you want to kill php script 

strace :

I recommend the use of strace . Unlike lsof , it stays running for as long as the process is running. It will print out which syscalls are being called when they are called. -e trace=file filters only for syscalls that access the filesystem:

sudo strace -f -t -e trace=file php foo.php 

or for an already running process :

sudo strace -f -t -e trace=file -p

Thanks that’s a good starting point! It works for processes already running at the moment it’s run. I’m trying to do this for a PHP script for its entire execution, tracking the files from the start of the process until it exists. Looking at the help, There’s a -r repeat option but this seems to periodically scan the files that are open by the process rather than have been opened. Essentially I want to do this: lsof -p $$ && exec php foo.php This doesn’t seem to list files that are opened by foo.php

thanks, that’s certainly providing more relevant information and showing all the php extensions being loaded, the script contains unfortunately, file.txt is not listed in the output. I can verify the file is being opened by amending the script to print the contents of file.txt but I still don’t see file.txt in the output of lsof.

To properly trace an AppImage, I needed to run strace as root but the command using my own user. This got the job done: sudo strace -fte trace=%file -u $(id -un)

Mixing your two solutions together becomes perfect: php foo.php & sudo strace -f -t -e trace=file -p $! especially for short running tasks.

Besides strace there is another option which does not substantially slow down the monitored process. Using the Liunx kernel’s fanotify (not to be confused with the more popular inotify) it is possible to monitor whole mount-points for IO-activity. With unshared mountnamespaces the mounts of a given process can be isolated fromt the rest of the system (a key technology behind docker).

An implementation of this concept can be found in shournal, which I am the author of.

$ shournal -e sh -c 'cat foo > bar' $ shournal --query --history 1 . 1 written file(s): /home/user/bar 1 read file(s): /home/user/foo 

External links are always highly appreciated as sources, but imagine this one was to become invalid — your solution would be unsalvageable for future SO users. Please consider posting code here and explaining your solution so we all can learn.

@harmonica141: That’s always the problem: what to write and what to omit. A complete, minimal example would be not much shorter than the example at the bottom at man7.org/linux/man-pages/man7/fanotify.7.html . In fact, it could be almost the same with a leading unshare( CLONE_NEWNS); . Do you think it would be helpful to include the full source here?

strace is an amazing tool but its output is a bit verbose.
If you want you can use a tool I’ve written which processes strace output and provide a CSV report of all files accessed (TCP sockets too) with the following data:
1. Filename
2. Read/Written bytes
3. Number of read/write operations
4. Number of time the file was opened

It can be run on new processes or processes already running (using /proc/fd data).
I found it useful for debugging scenarios and performance analysis.
You can find it here: iotrace

Filename, Read bytes, Written bytes, Opened, Read op, Write op /dev/pts/1,1,526512,0,1,8904 socket_127.0.0.1:47948->127.0.0.1:22,1781764,396,0,8905,11 myfile.txt,65,0,9,10,0 pipe:[3339],0,0,0,1,0 

Afterward, you can process the CSV data in Excel or other tools for sorting or other analysis required.
The downside is you need to download & compile and it isn’t always 100% accurate.

Источник

Is it possible to get a list of all open files (and the programs being used to view them)?

I want to write a script that obtains a list of all open programs and files, and then generates a shell script to re-open these files. For example, if I were editing the file example.txt using gedit, and editing the file myscript.js using geany, I would want to generate a script that could re-open both of these files using their respective programs. Is there any way to obtain a list of running programs and files from the command line?

I’ve used lsof before, but I’m not sure that it’s comprehensive. (I’ve used it to see what was preventing me from ejecting a volume, but it sometimes cannot find which file was open.)

lsof does do that. (Give it a go!) Also, I think that ps aux is more process oriented, and hence does not list all open files. I don’t have gedit on my computer (I use KDE), but when I open a file in kate, the filename is not listed in ps aux .

I think ps aux only lists files that are open if they were arguments of the command used to start the process. If I start kate, then open files from within it, the output of ps aux | grep [k]ate is sparhawk 4606 15.5 0.3 467332 58188 ? Sl 13:28 0:01 /usr/bin/kate -b . I’ll try lsof and print the output.

4 Answers 4

Generally, it is not possible to do in the way you’re approaching this, because the files opened in a text editor are not «open» in the sense programmers use the term (i.e. «having an active file handle somewhere within the program which can be used for I/O operations»). What most programs do is open the file, read the data in a memory buffer, then close the file. Saving a file is the same — open, write, close. Between open and save operations the file is not «open», it’s just the copy of the data in the program’s buffer in memory.

So it is generally not possible to figure out which files are currently loaded into the program’s memory — however, the program itself does know that, so from inside the program it is trivial to implement an option to remember the list of open files on shutdown and re-open those files on startup. Many text editors, for example Kate and Sublime Text 2 do provide such option.

Some desktop environments, such as KDE (and also the old Gnome, I’m not sure about Gnome 3/Unity) also provide an option to save the list of running programs on shutdown and re-launch those programs on startup. Which combined with using a good editor kinda achieves what you’re trying to do.

Источник

Use of “lsof” Command to Find Open Files

“lsof” stands for List Open Files. It is a Linux utility for listing down all the open files of a system. This command can be combined with different parameters to modify its output as desired. You can see the details of all of its parameters and flags by seeing the help manual of the “lsof” command.

In today’s article, you will be able to learn the correct usage of the “lsof” command for finding all the open files in Linux Mint 20.

Use of “lsof” Command to Find the Open Files in Linux Mint 20

To learn the correct usage of the “lsof” command and use it to find the open files in Linux Mint 20, you can take a look at all the examples that have been shared below.

Example 1: List All the Open Files in Linux Mint 20
To list down all the open files in Linux Mint 20, you will have to execute the following command in the terminal:

This command will display a list of all the currently opened files on your Linux Mint 20 system, as shown in the image below:

Example 2: List All the Open Files Belonging to a Particular Directory in Linux Mint 20
You can also list down all the open files belonging to a particular directory in Linux Mint 20 by specifying the name of that directory with the “lsof” command in the following manner:

Here, you have to replace the directorypath with the actual path of the directory whose open files you want to list down. For example, we have replaced it with “/var/log/”.

This command will display a list of all the open files that belong to the “/var/log/” directory, as shown in the image below:

Example 3: List All the Open Files Belonging to a Particular User in Linux Mint 20
If you want to list down all the open files belonging to a particular user in Linux Mint 20, then you can do so by executing the “lsof” command in the following manner:

Here, you have to replace the username with the name of the user whose open files you want to list down. For example, we have replaced it with “kbuzdar”.

This command will display a list of all the open files that belong to the specified user, as shown in the image below:

Example 4: List All the Open Files Belonging to a Particular Internet Protocol in Linux Mint 20
You can also try to list down all the open files belonging to a particular Internet protocol in Linux Mint 20 by executing the “lsof” command in the following manner:

You can also replace “6” with “4” if you want to list down all the open files belonging to IPv4.

This command will display a list of all the open files belonging to the IPv6 protocol, as shown in the image below:

Example 5: List All the Open Files Belonging to a Particular File System in Linux Mint 20
If you want to list down all the open files belonging to a particular file system in Linux Mint 20, then you can do so by tweaking the “lsof” command in the following manner:

Here, you can replace “/proc” with any other file system of your choice as well.

This command will display a list of all the open files belonging to the “/proc” file system, as shown in the image below:

Conclusion

By going through all the examples that have been shown to you in this article, you will be able to learn the correct usage of the “lsof” command for finding all the open files in Linux Mint 20.

About the author

Karim Buzdar

Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. He blogs at LinuxWays.

Источник

How to list the open file descriptors (and the files they refer to) in my current bash session

I am running in an interactive bash session. I have created some file descriptors, using exec, and I would like to list what is the current status of my bash session. Is there a way to list the currently open file descriptors?

bash is not part of the kernel, so it can not know what other processes are doing, even those that it started.

@JuliePelletier: but child processes do not change the file descriptors of the parent process, do they?

5 Answers 5

Yes, this will list all open file descriptors:

$ ls -l /proc/$$/fd total 0 lrwx------ 1 isaac isaac 64 Dec 28 00:56 0 -> /dev/pts/6 lrwx------ 1 isaac isaac 64 Dec 28 00:56 1 -> /dev/pts/6 lrwx------ 1 isaac isaac 64 Dec 28 00:56 2 -> /dev/pts/6 lrwx------ 1 isaac isaac 64 Dec 28 00:56 255 -> /dev/pts/6 l-wx------ 1 isaac isaac 64 Dec 28 00:56 4 -> /home/isaac/testfile.txt 

Of course, as usual: 0 is stdin, 1 is stdout and 2 is stderr.
The 4th is an open file (to write) in this case.

@JZ. $$ will give the process ID of the currently running shell. Try echo $$ and ps and compare their outputs. Similar question here.

Assuming you want to list the file descriptors that are attached to any terminal, you can use lsof / fuser or similar like:

$ lsof -p $$ 2>/dev/null | awk '$NF ~ /\/pts\//' bash 32406 foobar 0u CHR 136,31 0t0 34 /dev/pts/31 bash 32406 foobar 1u CHR 136,31 0t0 34 /dev/pts/31 bash 32406 foobar 2u CHR 136,31 0t0 34 /dev/pts/31 bash 32406 foobar 3u CHR 136,31 0t0 34 /dev/pts/31 bash 32406 foobar 255u CHR 136,31 0t0 34 /dev/pts/31 

These tools basically parse /proc , so you can just access /proc/$$/fd/ too e.g.:

Use the lsof utility to print all file descriptors for the current shell process (process identified by -p $$ ) and ( -a ) where the file descriptor is numeric ( -d 0-256 ):

$ lsof -p $$ -a -d 0-256 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 16883 ant 0u CHR 136,15 0t0 18 /dev/pts/15 bash 16883 ant 1u CHR 136,15 0t0 18 /dev/pts/15 bash 16883 ant 2u CHR 136,15 0t0 18 /dev/pts/15 bash 16883 ant 255u CHR 136,15 0t0 18 /dev/pts/15 

Pipe into Awk to print only the file descriptor and its corresponding filename:

$ lsof -p $$ -a -d 0-256 | awk '< printf("%4s:\t%s\n", $4, $NF) >' FD: NAME 0u: /dev/pts/15 1u: /dev/pts/15 2u: /dev/pts/15 255u: /dev/pts/15 

Note: when lsof prints the file descriptors, it appends the following code to indicate the file access mode:

Источник