lsof(list open files)是一个查看当前系统文件的工具。
在linux环境下,任何事物都以文件的形式存在,用户通过文件不仅可以访问常规数据,还可以访问网络连接和硬件;如传输控制协议 (TCP) 和用户数据报协议 (UDP)套接字等,系统在后台都为该应用程序分配了一个文件描述符,该文件描述符提供了大量关于此应用程序的信息。
1、命令参数
-a:列出打开文件存在的进程;
-c<进程名>:列出指定进程所打开的文件;
-g:列出GID号进程详情;
-d<文件号>:列出占用该文件号的进程;
+d<目录>:列出目录下被打开的文件;
+D<目录>:递归列出目录下被打开的文件;
-n<目录>:列出使用NFS的文件;
-i<条件>:列出符合条件的进程(4、6、协议、:端口、 @ip );
-p<进程号>:列出指定进程号所打开的文件;
-u:列出UID号进程详情;
-h:显示帮助信息;
-v:显示版本信息。
2、可打开文件
①. 普通文件;
②. 目录;
③. 网络文件系统的文件;
④. 字符或设备文件;
⑤. (函数)共享库;
⑥. 管道,命名管道;
⑦. 符号链接;
⑧. 网络文件(例如:NFS file、网络socket,unix域名socket);
⑨. 其它类型的文件等。
3、参数解析
sudo lsof |head -n 40
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof |head -n 40
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 252,1 4096 2 /
systemd 1 root rtd DIR 252,1 4096 2 /
systemd 1 root txt REG 252,1 1612152 407893 /lib/systemd/systemd
systemd 1 root mem REG 252,1 1700792 393686 /lib/x86_64-linux-gnu/libm-2.27.so
systemd 1 root mem REG 252,1 121016 393253 /lib/x86_64-linux-gnu/libudev.so.1.6.9
systemd 1 root mem REG 252,1 84032 393673 /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0
systemd 1 root mem REG 252,1 43304 393681 /lib/x86_64-linux-gnu/libjson-c.so.3.0.1
systemd 1 root mem REG 252,1 34872 788498 /usr/lib/x86_64-linux-gnu/libargon2.so.0
systemd 1 root mem REG 252,1 432640 393274 /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1
systemd 1 root mem REG 252,1 18680 393630 /lib/x86_64-linux-gnu/libattr.so.1.1.0
systemd 1 root mem REG 252,1 18712 393643 /lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
systemd 1 root mem REG 252,1 27112 393267 /lib/x86_64-linux-gnu/libuuid.so.1.3.0
systemd 1 root mem REG 252,1 14560 393657 /lib/x86_64-linux-gnu/libdl-2.27.so
systemd 1 root mem REG 252,1 464824 393724 /lib/x86_64-linux-gnu/libpcre.so.3.13.3
systemd 1 root mem REG 252,1 144976 393727 /lib/x86_64-linux-gnu/libpthread-2.27.so
systemd 1 root mem REG 252,1 112672 788554 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1
systemd 1 root mem REG 252,1 153984 393685 /lib/x86_64-linux-gnu/liblzma.so.5.2.2
systemd 1 root mem REG 252,1 206872 393577 /lib/x86_64-linux-gnu/libidn.so.11.6.16
systemd 1 root mem REG 252,1 27088 788552 /usr/lib/x86_64-linux-gnu/libip4tc.so.0.1.0
systemd 1 root mem REG 252,1 1159864 393278 /lib/x86_64-linux-gnu/libgcrypt.so.20.2.1
systemd 1 root mem REG 252,1 22768 393645 /lib/x86_64-linux-gnu/libcap.so.2.25
systemd 1 root mem REG 252,1 310040 393272 /lib/x86_64-linux-gnu/libcryptsetup.so.12.2.0
systemd 1 root mem REG 252,1 31232 393622 /lib/x86_64-linux-gnu/libacl.so.1.1.0
systemd 1 root mem REG 252,1 64144 393268 /lib/x86_64-linux-gnu/libapparmor.so.1.4.2
systemd 1 root mem REG 252,1 92208 393264 /lib/x86_64-linux-gnu/libkmod.so.2.3.2
systemd 1 root mem REG 252,1 124848 393632 /lib/x86_64-linux-gnu/libaudit.so.1.0.0
systemd 1 root mem REG 252,1 55848 393234 /lib/x86_64-linux-gnu/libpam.so.0.83.1
systemd 1 root mem REG 252,1 311720 393306 /lib/x86_64-linux-gnu/libblkid.so.1.1.0
systemd 1 root mem REG 252,1 340232 393663 /lib/x86_64-linux-gnu/libmount.so.1.1.0
systemd 1 root mem REG 252,1 154832 393737 /lib/x86_64-linux-gnu/libselinux.so.1
systemd 1 root mem REG 252,1 288976 393271 /lib/x86_64-linux-gnu/libseccomp.so.2.4.1
systemd 1 root mem REG 252,1 31680 393733 /lib/x86_64-linux-gnu/librt-2.27.so
systemd 1 root mem REG 252,1 2367728 393502 /lib/systemd/libsystemd-shared-237.so
systemd 1 root mem REG 252,1 2030544 393640 /lib/x86_64-linux-gnu/libc-2.27.so
systemd 1 root mem REG 252,1 170960 393616 /lib/x86_64-linux-gnu/ld-2.27.so
systemd 1 root 0u CHR 1,3 0t0 6 /dev/null
systemd 1 root 1u CHR 1,3 0t0 6 /dev/null
systemd 1 root 2u CHR 1,3 0t0 6 /dev/null
systemd 1 root 3w CHR 1,11 0t0 12 /dev/kmsg1、lsof输出各列信息的意义,如下:
COMMAND:进程的名称;
PID:进程标识符;
PPID:父进程标识符(需要指定-R参数);
USER:进程所有者;
PGID:进程所属组;
FD:文件描述符,应用程序通过文件描述符识别该文件。
2、FD文件描述符列表:
①. cwd:表示current work dirctory,即:应用程序的当前工作目录,这是该应用程序启动的目录,除非它本身对这个目录进行更改;
②. txt:该类型的文件是程序代码,如应用程序二进制文件本身或共享库,如上列表中显示的 /sbin/init 程序;
③. lnn:library references (AIX);
④. er:FD information error (see NAME column);
⑤. jld:jail directory (FreeBSD);
⑥. ltx:shared library text (code and data);
⑦. mxx :hex memory-mapped type number xx.
⑧. m86:DOS Merge mapped file;
⑨. mem:memory-mapped file;
⑩. mmap:memory-mapped device;
. pd:parent directory;
. rtd:root directory;
. tr:kernel trace file (OpenBSD);
. v86 VP/ix mapped file;
. 0:表示标准输出;
. 1:表示标准输入;
. 2:表示标准错误。
3、一般在标准输出、标准错误、标准输入后,还跟着文件状态模式:
①.u:表示该文件被打开并处于读取/写入模式;
②.r:表示该文件被打开并处于只读模式;
③.w:表示该文件被打开并处于只写模式;
④.空格:表示该文件的状态模式为unknow,且没有锁定;
⑤.-:表示该文件的状态模式为unknow,且被锁定。
4、同时在文件状态模式后面,还跟着相关的锁:
①. N:for a Solaris NFS lock of unknown type;
②. r:for read lock on part of the file;
③. R:for a read lock on the entire file;
④. w:for a write lock on part of the file;(文件的部分写锁)
⑤. W:for a write lock on the entire file;(整个文件的写锁)
⑥. u:for a read and write lock of any length;
⑦. U:for a lock of unknown type;
⑧. x:for an SCO OpenServer Xenix lock on part of the file;
⑨. X:for an SCO OpenServer Xenix lock on the entire file;
⑩. space:if there is no lock。
5、文件类型
①. DIR:表示目录;
②. CHR:表示字符类型;
③. BLK:块设备类型;
④. UNIX:UNIX 域套接字;
⑤. FIFO:先进先出 (FIFO) 队列;
⑥. IPv4:网际协议 (IP) 套接字;
⑦. DEVICE:指定磁盘的名称;
⑧. SIZE:文件的大小;
⑨. NODE:索引节点(文件在磁盘上的标识);
⑩. NAME:打开文件的确切名称。
4、用法实例
lsof 常被用来查找应用程序打开的文件名称和数目,系统管理员可能想尝试找出某个特定应用程序将日志数据记录到何处,或者正在跟踪某个问题。接下来,我们来看看是如何操作的:
1、进程篇
(1)、查看由登陆用户启动而非系统启动的进程:
sudo lsof /dev/pts/1
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof /dev/pts/1
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sudo 1629 root 0u CHR 136,1 0t0 4 /dev/pts/1
sudo 1629 root 1u CHR 136,1 0t0 4 /dev/pts/1
sudo 1629 root 2u CHR 136,1 0t0 4 /dev/pts/1
lsof 1630 root 0u CHR 136,1 0t0 4 /dev/pts/1
lsof 1630 root 1u CHR 136,1 0t0 4 /dev/pts/1
lsof 1630 root 2u CHR 136,1 0t0 4 /dev/pts/1
bash 17362 zhancj 0u CHR 136,1 0t0 4 /dev/pts/1
bash 17362 zhancj 1u CHR 136,1 0t0 4 /dev/pts/1
bash 17362 zhancj 2u CHR 136,1 0t0 4 /dev/pts/1
bash 17362 zhancj 255u CHR 136,1 0t0 4 /dev/pts/1
a. /dev/pts是远程登陆(telnet,ssh等)后创建的控制台设备文件所在的目录;
b. 第一个用户登陆,console的设备文件为/dev/pts/0,第二个为/dev/pts/1,以此类推;
c. 通过查看/dev/pts下的进程,我们将可以了解到由登陆用户启动而非系统启动的进程有哪些。
(2)、查看文件,设备被哪些进程占用:
命令:lsof /dev/tty1
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof /dev/tty1
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
agetty 732 root 0u CHR 4,1 0t0 20 /dev/tty1
agetty 732 root 1u CHR 4,1 0t0 20 /dev/tty1
agetty 732 root 2u CHR 4,1 0t0 20 /dev/tty1a. /dev/tty就是当前进程的控制终端的设备特殊文件;
b. 通过查看/dev/tty下文件可以知道文件、设备的进程占用情况。
(3)、指定进程号,可以查看该进程打开的文件:
sudo lsof -p 11
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ ps -aux |head -n 10
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.1 228344 8932 ? Ss 2020 2624:41 /sbin/init noibrs splash
root 2 0.0 0.0 0 0 ? S 2020 0:16 [kthreadd]
root 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]
root 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]
root 7 0.0 0.0 0 0 ? S 2020 105:34 [ksoftirqd/0]
root 8 0.0 0.0 0 0 ? I 2020 1118:03 [rcu_sched]
root 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]
root 10 0.0 0.0 0 0 ? S 2020 4:09 [migration/0]
root 11 0.0 0.0 0 0 ? S 2020 2:58 [watchdog/0]
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof -p 11
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
watchdog/ 11 root cwd DIR 252,1 4096 2 /
watchdog/ 11 root rtd DIR 252,1 4096 2 /
watchdog/ 11 root txt unknown /proc/11/exea. 通过加入参数-p,我们可以指定一个PID,然后查看该进程下打开的文件。
b. 本例我们查看的是nginx下打开的相关文件。
2、文件篇
(1)、查看指定程序打开的文件
sudo lsof -c docker|head -n 30
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof -c docker|head -n 30
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dockerd 1070 root cwd DIR 252,1 4096 2 /
dockerd 1070 root rtd DIR 252,1 4096 2 /
dockerd 1070 root txt REG 252,1 104999776 800079 /usr/bin/dockerd
dockerd 1070 root mem REG 252,1 101168 393731 /lib/x86_64-linux-gnu/libresolv-2.27.so
dockerd 1070 root mem REG 252,1 26936 393705 /lib/x86_64-linux-gnu/libnss_dns-2.27.so
dockerd 1070 root mem REG 252,1 253944 393251 /lib/x86_64-linux-gnu/libnss_systemd.so.2
dockerd 1070 root mem REG 252,1 47568 393707 /lib/x86_64-linux-gnu/libnss_files-2.27.so
dockerd 1070 root mem-W REG 252,33 32768 3680184 /docker/buildkit/cache.db
dockerd 1070 root mem-W REG 252,33 16384 3680182 /docker/buildkit/metadata.db
dockerd 1070 root mem-W REG 252,33 131072 3678953 /docker/volumes/metadata.db
dockerd 1070 root mem REG 252,1 97176 393701 /lib/x86_64-linux-gnu/libnsl-2.27.so
dockerd 1070 root mem REG 252,1 47576 393711 /lib/x86_64-linux-gnu/libnss_nis-2.27.so
dockerd 1070 root mem REG 252,1 39744 393703 /lib/x86_64-linux-gnu/libnss_compat-2.27.so
dockerd 1070 root mem REG 252,1 464824 393724 /lib/x86_64-linux-gnu/libpcre.so.3.13.3
dockerd 1070 root mem REG 252,1 84032 393673 /lib/x86_64-linux-gnu/libgpg-error.so.0.22.0
dockerd 1070 root mem REG 252,1 1700792 393686 /lib/x86_64-linux-gnu/libm-2.27.so
dockerd 1070 root mem REG 252,1 121016 393253 /lib/x86_64-linux-gnu/libudev.so.1.6.9
dockerd 1070 root mem REG 252,1 154832 393737 /lib/x86_64-linux-gnu/libselinux.so.1
dockerd 1070 root mem REG 252,1 1159864 393278 /lib/x86_64-linux-gnu/libgcrypt.so.20.2.1
dockerd 1070 root mem REG 252,1 112672 788554 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1
dockerd 1070 root mem REG 252,1 153984 393685 /lib/x86_64-linux-gnu/liblzma.so.5.2.2
dockerd 1070 root mem REG 252,1 31680 393733 /lib/x86_64-linux-gnu/librt-2.27.so
dockerd 1070 root mem REG 252,1 2030544 393640 /lib/x86_64-linux-gnu/libc-2.27.so
dockerd 1070 root mem REG 252,1 432640 393274 /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1
dockerd 1070 root mem REG 252,1 14560 393657 /lib/x86_64-linux-gnu/libdl-2.27.so
dockerd 1070 root mem REG 252,1 288976 393271 /lib/x86_64-linux-gnu/libseccomp.so.2.4.1
dockerd 1070 root mem REG 252,1 144976 393727 /lib/x86_64-linux-gnu/libpthread-2.27.so
dockerd 1070 root mem REG 252,1 536648 393386 /lib/x86_64-linux-gnu/libsystemd.so.0.21.0
dockerd 1070 root mem REG 252,1 170960 393616 /lib/x86_64-linux-gnu/ld-2.27.so
通过参数-c可以列出指定进程所打开的文件情况,以上是我们打开sshd下被打开文件的情况。
(2)、查看指定用户打开的文件
sudo lsof -u zhancj|head -n 30
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof -u zhancj|head -n 30
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
head 15439 zhancj cwd DIR 252,1 4096 1310795 /home/zhancj
head 15439 zhancj rtd DIR 252,1 4096 2 /
head 15439 zhancj txt REG 252,1 43224 786535 /usr/bin/head
head 15439 zhancj mem REG 252,1 3004464 791528 /usr/lib/locale/locale-archive
head 15439 zhancj mem REG 252,1 2030544 393640 /lib/x86_64-linux-gnu/libc-2.27.so
head 15439 zhancj mem REG 252,1 170960 393616 /lib/x86_64-linux-gnu/ld-2.27.so
head 15439 zhancj mem REG 252,1 578 933606 /usr/share/locale-langpack/en/LC_MESSAGES/coreutils.mo
head 15439 zhancj 0r FIFO 0,12 0t0 3690928205 pipe
head 15439 zhancj 1u CHR 136,1 0t0 4 /dev/pts/1
head 15439 zhancj 2u CHR 136,1 0t0 4 /dev/pts/1
sshd 17361 zhancj cwd DIR 252,1 4096 2 /
sshd 17361 zhancj rtd DIR 252,1 4096 2 /
sshd 17361 zhancj txt REG 252,1 786856 787947 /usr/sbin/sshd
sshd 17361 zhancj mem REG 252,1 253944 393251 /lib/x86_64-linux-gnu/libnss_systemd.so.2
sshd 17361 zhancj mem REG 252,1 14464 393557 /lib/x86_64-linux-gnu/security/pam_env.so
sshd 17361 zhancj mem REG 252,1 22872 393567 /lib/x86_64-linux-gnu/security/pam_limits.so
sshd 17361 zhancj mem REG 252,1 10312 393571 /lib/x86_64-linux-gnu/security/pam_mail.so
sshd 17361 zhancj mem REG 252,1 10336 393574 /lib/x86_64-linux-gnu/security/pam_motd.so
sshd 17361 zhancj mem REG 252,1 14576 393422 /lib/x86_64-linux-gnu/libpam_misc.so.0.82.0
sshd 17361 zhancj mem REG 252,1 258040 393498 /lib/x86_64-linux-gnu/security/pam_systemd.so
sshd 17361 zhancj mem REG 252,1 10376 393594 /lib/x86_64-linux-gnu/security/pam_umask.so
sshd 17361 zhancj mem REG 252,1 10280 393565 /lib/x86_64-linux-gnu/security/pam_keyinit.so
sshd 17361 zhancj mem REG 252,1 10336 393570 /lib/x86_64-linux-gnu/security/pam_loginuid.so
sshd 17361 zhancj mem REG 252,1 18736 393583 /lib/x86_64-linux-gnu/security/pam_selinux.so
sshd 17361 zhancj mem REG 252,1 10264 393576 /lib/x86_64-linux-gnu/security/pam_nologin.so
sshd 17361 zhancj mem REG 252,1 22768 393645 /lib/x86_64-linux-gnu/libcap.so.2.25
sshd 17361 zhancj mem REG 252,1 10080 393761 /lib/x86_64-linux-gnu/security/pam_cap.so
sshd 17361 zhancj mem REG 252,1 6104 393578 /lib/x86_64-linux-gnu/security/pam_permit.so
sshd 17361 zhancj mem REG 252,1 5776 393555 /lib/x86_64-linux-gnu/security/pam_deny.so
通过参数-u查看root用户下存在的文件情况,由于root下显示内容较多,可以利用head来限制。
(3)、查看指定目录下被打开的文件
命令:lsof +D /home/ 或lsof +d /home/
sudo lsof +D /docker/|head -n 30
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof +D /docker/|head -n 30
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ota 337 root mem REG 252,33 18089156 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/bin/python3.7 (path dev=252,1, inode=787111)
ota 337 root mem REG 252,33 18231632 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/lib/python3.7/lib-dynload/_csv.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=939076)
ota 337 root mem REG 252,33 17958850 /docker/overlay2/d0d9f2469cfa4a936aa2ba773481fbece89c6b2b59b7b532518564eb6499e5f7/diff/lib/x86_64-linux-gnu/libtinfo.so.5.9 (path dev=252,1, inode=393695)
ota 337 root mem REG 252,33 17958805 /docker/overlay2/d0d9f2469cfa4a936aa2ba773481fbece89c6b2b59b7b532518564eb6499e5f7/diff/lib/x86_64-linux-gnu/libncursesw.so.5.9 (path dev=252,1, inode=393749)
ota 337 root mem REG 252,33 18231635 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/lib/python3.7/lib-dynload/_curses.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=939079)
ota 337 root mem REG 252,33 18355863 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/local/lib/python3.7/dist-packages/tornado/speedups.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=1975652)
ota 337 root mem REG 252,33 18231622 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/lib/python3.7/lib-dynload/_asyncio.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=939066)
ota 337 root mem REG 252,33 18231630 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=939074)
ota 337 root mem REG 252,33 18354173 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/local/lib/python3.7/dist-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=1974970)
ota 337 root mem REG 252,33 17958833 /docker/overlay2/d0d9f2469cfa4a936aa2ba773481fbece89c6b2b59b7b532518564eb6499e5f7/diff/lib/x86_64-linux-gnu/libresolv-2.27.so (path dev=252,1, inode=393731)
ota 337 root mem REG 252,33 17958810 /docker/overlay2/d0d9f2469cfa4a936aa2ba773481fbece89c6b2b59b7b532518564eb6499e5f7/diff/lib/x86_64-linux-gnu/libnss_dns-2.27.so (path dev=252,1, inode=393705)
ota 337 root mem REG 252,33 17958812 /docker/overlay2/d0d9f2469cfa4a936aa2ba773481fbece89c6b2b59b7b532518564eb6499e5f7/diff/lib/x86_64-linux-gnu/libnss_files-2.27.so (path dev=252,1, inode=393707)
ota 337 root mem REG 252,33 17958806 /docker/overlay2/d0d9f2469cfa4a936aa2ba773481fbece89c6b2b59b7b532518564eb6499e5f7/diff/lib/x86_64-linux-gnu/libnsl-2.27.so (path dev=252,1, inode=393701)
ota 337 root mem REG 252,33 17958816 /docker/overlay2/d0d9f2469cfa4a936aa2ba773481fbece89c6b2b59b7b532518564eb6499e5f7/diff/lib/x86_64-linux-gnu/libnss_nis-2.27.so (path dev=252,1, inode=393711)
ota 337 root mem REG 252,33 17958808 /docker/overlay2/d0d9f2469cfa4a936aa2ba773481fbece89c6b2b59b7b532518564eb6499e5f7/diff/lib/x86_64-linux-gnu/libnss_compat-2.27.so (path dev=252,1, inode=393703)
ota 337 root mem REG 252,33 18231661 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/lib/python3.7/lib-dynload/termios.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=939102)
ota 337 root mem REG 252,33 18088429 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/lib/x86_64-linux-gnu/libuuid.so.1.3.0 (path dev=252,1, inode=393267)
ota 337 root mem REG 252,33 17959538 /docker/overlay2/d0d9f2469cfa4a936aa2ba773481fbece89c6b2b59b7b532518564eb6499e5f7/diff/usr/lib/x86_64-linux-gnu/libffi.so.6.0.4 (path dev=252,1, inode=788512)
ota 337 root mem REG 252,33 18231633 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/lib/python3.7/lib-dynload/_ctypes.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=939077)
ota 337 root mem REG 252,33 18231640 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=939083)
ota 337 root mem REG 252,33 18353408 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/local/lib/python3.7/dist-packages/credis/geventpool.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=1976536)
ota 337 root mem REG 252,33 18354051 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/local/lib/python3.7/dist-packages/hiredis/hiredis.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=1976522)
ota 337 root mem REG 252,33 18353407 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/local/lib/python3.7/dist-packages/credis/base.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=1976535)
ota 337 root mem REG 252,33 18350855 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/lib/x86_64-linux-gnu/libmpdec.so.2.4.2 (path dev=252,1, inode=788562)
ota 337 root mem REG 252,33 18231638 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=939082)
ota 337 root mem REG 252,33 18352738 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/local/lib/python3.7/dist-packages/ujson.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=1975282)
ota 337 root mem REG 252,33 18353710 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/local/lib/python3.7/dist-packages/gevent/__imap.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=1975379)
ota 337 root mem REG 252,33 18352721 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/local/lib/python3.7/dist-packages/setproctitle.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=1975948)
ota 337 root mem REG 252,33 18353812 /docker/overlay2/cc8192af0c0103ea450a685cd4a29d5f90efa0d025a379286b83d3968b56b105/diff/usr/local/lib/python3.7/dist-packages/gevent/_queue.cpython-37m-x86_64-linux-gnu.so (path dev=252,1, inode=1975310)参数+D为递归列出/home/下被打开的文件,参数+d为列出/home/下被打开的文件。
3、网络篇
(1)、查看所有网络连接
命令:lsof -i 和 lsof -i@127.0.0.1
sudo lsof -i
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-n 292 systemd-network 19u IPv4 14172 0t0 UDP iZbp10j40ovkbwx9an9ppuZ:bootpc
systemd-r 505 systemd-resolve 12u IPv4 16480 0t0 UDP localhost:domain
systemd-r 505 systemd-resolve 13u IPv4 16481 0t0 TCP localhost:domain (LISTEN)
chronyd 685 _chrony 1u IPv4 17696 0t0 UDP localhost:323
chronyd 685 _chrony 2u IPv6 17697 0t0 UDP localhost:323
sshd 918 root 3u IPv4 18212 0t0 TCP *:ssh (LISTEN)
sshd 918 root 4u IPv6 18214 0t0 TCP *:ssh (LISTEN)
kube-prox 12597 root 8u IPv6 1082375478 0t0 TCP *:10256 (LISTEN)
kube-prox 12597 root 9u IPv4 1616885805 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:3782->iZbp10j40ovkbwx9an9ppuZ:6443 (ESTABLISHED)
kube-prox 12597 root 10u IPv4 1091632052 0t0 TCP *:32810 (LISTEN)
kube-prox 12597 root 11u IPv4 1091632053 0t0 TCP *:20735 (LISTEN)
kube-prox 12597 root 12u IPv4 1091632054 0t0 UDP *:48509
kube-prox 12597 root 13u IPv4 1091632057 0t0 TCP *:47412 (LISTEN)
kube-prox 12597 root 14u IPv4 1091632058 0t0 UDP *:20735
kube-prox 12597 root 15u IPv4 1091634296 0t0 TCP *:48509 (LISTEN)
kube-prox 12597 root 16u IPv4 1082375482 0t0 TCP localhost:10249 (LISTEN)
kube-prox 12597 root 17u IPv4 1091634297 0t0 TCP *:11247 (LISTEN)
kube-prox 12597 root 18u IPv4 1091634298 0t0 TCP *:16469 (LISTEN)
kube-prox 12597 root 19u IPv4 1091634299 0t0 UDP *:32810
kube-prox 12597 root 20u IPv4 1091632061 0t0 TCP *:34988 (LISTEN)
kube-prox 12597 root 21u IPv4 1091635357 0t0 TCP *:8500 (LISTEN)
kube-prox 12597 root 22u IPv4 1091635358 0t0 UDP *:8600
kube-prox 12597 root 23u IPv4 1091635361 0t0 TCP *:8600 (LISTEN)
kube-prox 12597 root 24u IPv4 1091878883 0t0 TCP *:1443 (LISTEN)
kube-prox 12597 root 25u IPv4 1091878884 0t0 TCP *:1553 (LISTEN)
kube-prox 12597 root 26u IPv4 1091878885 0t0 TCP *:1663 (LISTEN)
kube-prox 12597 root 27u IPv4 2939233422 0t0 TCP *:18801 (LISTEN)
kube-prox 12597 root 28u IPv4 3343213325 0t0 TCP *:18800 (LISTEN)
kube-prox 12597 root 29u IPv4 4143320238 0t0 TCP *:1783 (LISTEN)
kube-prox 12597 root 30u IPv4 4143320239 0t0 TCP *:1773 (LISTEN)
flanneld 15326 root 6u IPv4 1616884823 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:59140->10.96.0.1:https (ESTABLISHED)
sshd 17320 root 3u IPv4 3690524245 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:ssh->0.104.154.27.broad.xm.fj.dynamic.163data.com.cn:14847 (ESTABLISHED)
sshd 17361 zhancj 3u IPv4 3690524245 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:ssh->0.104.154.27.broad.xm.fj.dynamic.163data.com.cn:14847 (ESTABLISHED)
docker-pr 17708 root 4u IPv6 1091716386 0t0 TCP *:18524 (LISTEN)
docker-pr 18713 root 4u IPv6 1091721144 0t0 TCP *:13384 (LISTEN)
AliYunDun 27448 root 12u IPv4 3403243398 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:26872->100.100.30.25:http (ESTABLISHED)
kube-cont 28145 root 5u IPv6 1616882839 0t0 TCP *:10252 (LISTEN)
kube-cont 28145 root 6u IPv4 1616882845 0t0 TCP localhost:10257 (LISTEN)
kube-cont 28145 root 7u IPv4 1616884014 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:3992->iZbp10j40ovkbwx9an9ppuZ:6443 (ESTABLISHED)
kube-cont 28145 root 8u IPv4 1616887418 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:4408->iZbp10j40ovkbwx9an9ppuZ:6443 (ESTABLISHED)
kube-sche 28366 root 5u IPv6 1616885783 0t0 TCP *:10251 (LISTEN)
kube-sche 28366 root 6u IPv4 1616885789 0t0 TCP localhost:10259 (LISTEN)
kube-sche 28366 root 7u IPv4 1616883114 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:3820->iZbp10j40ovkbwx9an9ppuZ:6443 (ESTABLISHED)
kube-sche 28366 root 8u IPv4 1616883558 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:4106->iZbp10j40ovkbwx9an9ppuZ:6443 (ESTABLISHED)
kube-apis 28526 root 5u IPv6 1616885796 0t0 TCP *:6443 (LISTEN)
kube-apis 28526 root 6u IPv4 1616900716 0t0 TCP localhost:12354->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 7u IPv4 1616899954 0t0 TCP localhost:12356->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 8u IPv4 1616901811 0t0 TCP localhost:12358->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 9u IPv4 1616901812 0t0 TCP localhost:12362->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 10u IPv4 1616899955 0t0 TCP localhost:12360->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 11u IPv4 1616900717 0t0 TCP localhost:12364->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 12u IPv4 1616902383 0t0 TCP localhost:12366->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 13u IPv4 1616902384 0t0 TCP localhost:12368->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 14u IPv4 1616901813 0t0 TCP localhost:12370->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 15u IPv4 1616902385 0t0 TCP localhost:12374->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 16u IPv4 1616899956 0t0 TCP localhost:12376->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 17u IPv4 1616901814 0t0 TCP localhost:12378->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 18u IPv4 1616902386 0t0 TCP localhost:12380->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 19u IPv4 1616900718 0t0 TCP localhost:12382->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 20u IPv4 1616901815 0t0 TCP localhost:12384->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 21u IPv4 1616899957 0t0 TCP localhost:12386->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 22u IPv4 1616901816 0t0 TCP localhost:12388->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 23u IPv4 1616899958 0t0 TCP localhost:12390->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 24u IPv4 1616900719 0t0 TCP localhost:12392->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 25u IPv4 1616900720 0t0 TCP localhost:12394->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 26u IPv4 1616901817 0t0 TCP localhost:12396->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 27u IPv4 1616900721 0t0 TCP localhost:12398->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 28u IPv4 1616901818 0t0 TCP localhost:12400->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 29u IPv4 1616900722 0t0 TCP localhost:12402->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 30u IPv4 1616899959 0t0 TCP localhost:12404->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 31u IPv4 1616899960 0t0 TCP localhost:12406->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 32u IPv4 1616901819 0t0 TCP localhost:12408->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 33u IPv4 1616900723 0t0 TCP localhost:12410->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 34u IPv4 1616899961 0t0 TCP localhost:12412->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 35u IPv4 1616901820 0t0 TCP localhost:12414->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 36u IPv4 1616900724 0t0 TCP localhost:12416->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 37u IPv4 1616900725 0t0 TCP localhost:12418->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 38u IPv4 1616901821 0t0 TCP localhost:12420->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 39u IPv4 1616899962 0t0 TCP localhost:12422->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 40u IPv4 1616900726 0t0 TCP localhost:12424->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 41u IPv4 1616901822 0t0 TCP localhost:12426->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 42u IPv4 1616900727 0t0 TCP localhost:12430->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 43u IPv4 1616899963 0t0 TCP localhost:12428->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 44u IPv4 1616900728 0t0 TCP localhost:12434->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 45u IPv4 1616900729 0t0 TCP localhost:12436->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 46u IPv4 1616900730 0t0 TCP localhost:12438->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 47u IPv4 1616899964 0t0 TCP localhost:12440->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 48u IPv4 1616899965 0t0 TCP localhost:12442->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 49u IPv4 1616899966 0t0 TCP localhost:12444->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 50u IPv4 1616900731 0t0 TCP localhost:12446->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 51u IPv4 1616901823 0t0 TCP localhost:12448->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 52u IPv4 1616900732 0t0 TCP localhost:12450->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 53u IPv4 1616901824 0t0 TCP localhost:12452->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 54u IPv4 1616900733 0t0 TCP localhost:12454->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 55u IPv4 1616901825 0t0 TCP localhost:12456->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 56u IPv4 1616901826 0t0 TCP localhost:12458->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 57u IPv4 1616901827 0t0 TCP localhost:12460->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 58u IPv4 1616901828 0t0 TCP localhost:12462->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 59u IPv4 1616901829 0t0 TCP localhost:12464->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 60u IPv4 1616901830 0t0 TCP localhost:12466->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 61u IPv4 1616899967 0t0 TCP localhost:12468->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 62u IPv4 1616900734 0t0 TCP localhost:12470->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 63u IPv4 1616901831 0t0 TCP localhost:12472->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 64u IPv4 1616900735 0t0 TCP localhost:12474->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 65u IPv4 1616899968 0t0 TCP localhost:12476->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 66u IPv4 1616900736 0t0 TCP localhost:12478->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 67u IPv4 1616899969 0t0 TCP localhost:12480->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 68u IPv4 1616900737 0t0 TCP localhost:12482->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 69u IPv4 1616899970 0t0 TCP localhost:12484->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 70u IPv4 1616899971 0t0 TCP localhost:12486->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 71u IPv4 1616901832 0t0 TCP localhost:12488->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 72u IPv4 1616899972 0t0 TCP localhost:12490->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 73u IPv4 1616900738 0t0 TCP localhost:12492->localhost:2379 (ESTABLISHED)
kube-apis 28526 root 74u IPv6 1616886056 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->iZbp10j40ovkbwx9an9ppuZ:17254 (ESTABLISHED)
kube-apis 28526 root 75u IPv6 1616886091 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->iZbp10j40ovkbwx9an9ppuZ:4106 (ESTABLISHED)
kube-apis 28526 root 76u IPv6 1616887419 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->iZbp10j40ovkbwx9an9ppuZ:4408 (ESTABLISHED)
kube-apis 28526 root 77u IPv4 3271118885 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6808->10.110.92.7:https (ESTABLISHED)
kube-apis 28526 root 78u IPv6 3271089862 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->iZbp10j40ovkbwx9an9ppuZ:39362 (ESTABLISHED)
kube-apis 28526 root 79u IPv6 1616886061 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->iZbp10j40ovkbwx9an9ppuZ:3782 (ESTABLISHED)
kube-apis 28526 root 81u IPv6 3270984806 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->10.244.0.229:50494 (ESTABLISHED)
kube-apis 28526 root 83u IPv4 3271113617 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6760->10.110.92.7:https (ESTABLISHED)
kube-apis 28526 root 89u IPv6 1616886071 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->10.244.0.3:48590 (ESTABLISHED)
kube-apis 28526 root 90u IPv6 1616886072 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->10.244.0.2:55512 (ESTABLISHED)
kube-apis 28526 root 95u IPv6 1616886077 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->iZbp10j40ovkbwx9an9ppuZ:3820 (ESTABLISHED)
kube-apis 28526 root 96u IPv6 1616886078 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:6443->iZbp10j40ovkbwx9an9ppuZ:3992 (ESTABLISHED)
kube-apis 28526 root 101u IPv4 1616884228 0t0 TCP localhost:6990->localhost:6443 (ESTABLISHED)
kube-apis 28526 root 124u IPv6 1616885313 0t0 TCP localhost:6443->localhost:6990 (ESTABLISHED)
kubelet 29265 root 7u IPv4 3271080138 0t0 TCP localhost:26805 (LISTEN)
kubelet 29265 root 19u IPv4 3271087902 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:39362->iZbp10j40ovkbwx9an9ppuZ:6443 (ESTABLISHED)
kubelet 29265 root 32u IPv4 3271087970 0t0 TCP localhost:10248 (LISTEN)
kubelet 29265 root 33u IPv6 3271099679 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:10250->10.244.0.229:47962 (ESTABLISHED)
kubelet 29265 root 34u IPv6 3271090064 0t0 TCP *:10250 (LISTEN)
etcd 31551 root 3u IPv4 1616902339 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:2380 (LISTEN)
etcd 31551 root 5u IPv4 1616902343 0t0 TCP localhost:2379 (LISTEN)
etcd 31551 root 6u IPv4 1616902344 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:2379 (LISTEN)
etcd 31551 root 11u IPv4 1616900739 0t0 TCP localhost:2381 (LISTEN)
etcd 31551 root 12u IPv4 1616901907 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:57222->iZbp10j40ovkbwx9an9ppuZ:2379 (ESTABLISHED)
etcd 31551 root 13u IPv4 1616900040 0t0 TCP localhost:12506->localhost:2379 (ESTABLISHED)
etcd 31551 root 14u IPv4 1616900769 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:2379->iZbp10j40ovkbwx9an9ppuZ:57222 (ESTABLISHED)
etcd 31551 root 15u IPv4 1616900041 0t0 TCP localhost:2379->localhost:12354 (ESTABLISHED)
etcd 31551 root 16u IPv4 1616900042 0t0 TCP localhost:2379->localhost:12356 (ESTABLISHED)
etcd 31551 root 17u IPv4 1616900043 0t0 TCP localhost:2379->localhost:12358 (ESTABLISHED)
etcd 31551 root 18u IPv4 1616900044 0t0 TCP localhost:2379->localhost:12362 (ESTABLISHED)
etcd 31551 root 19u IPv4 1616900045 0t0 TCP localhost:2379->localhost:12360 (ESTABLISHED)
etcd 31551 root 20u IPv4 1616900046 0t0 TCP localhost:2379->localhost:12364 (ESTABLISHED)
etcd 31551 root 21u IPv4 1616900047 0t0 TCP localhost:2379->localhost:12366 (ESTABLISHED)
etcd 31551 root 22u IPv4 1616900048 0t0 TCP localhost:2379->localhost:12370 (ESTABLISHED)
etcd 31551 root 23u IPv4 1616900053 0t0 TCP localhost:2379->localhost:12380 (ESTABLISHED)
etcd 31551 root 24u IPv4 1616900049 0t0 TCP localhost:2379->localhost:12368 (ESTABLISHED)
etcd 31551 root 25u IPv4 1616900050 0t0 TCP localhost:2379->localhost:12374 (ESTABLISHED)
etcd 31551 root 26u IPv4 1616900051 0t0 TCP localhost:2379->localhost:12376 (ESTABLISHED)
etcd 31551 root 27u IPv4 1616900052 0t0 TCP localhost:2379->localhost:12378 (ESTABLISHED)
etcd 31551 root 28u IPv4 1616900054 0t0 TCP localhost:2379->localhost:12382 (ESTABLISHED)
etcd 31551 root 29u IPv4 1616900058 0t0 TCP localhost:2379->localhost:12390 (ESTABLISHED)
etcd 31551 root 30u IPv4 1616900055 0t0 TCP localhost:2379->localhost:12384 (ESTABLISHED)
etcd 31551 root 31u IPv4 1616900056 0t0 TCP localhost:2379->localhost:12386 (ESTABLISHED)
etcd 31551 root 32u IPv4 1616900057 0t0 TCP localhost:2379->localhost:12388 (ESTABLISHED)
etcd 31551 root 33u IPv4 1616900059 0t0 TCP localhost:2379->localhost:12392 (ESTABLISHED)
etcd 31551 root 34u IPv4 1616900060 0t0 TCP localhost:2379->localhost:12394 (ESTABLISHED)
etcd 31551 root 35u IPv4 1616900061 0t0 TCP localhost:2379->localhost:12396 (ESTABLISHED)
etcd 31551 root 36u IPv4 1616900062 0t0 TCP localhost:2379->localhost:12398 (ESTABLISHED)
etcd 31551 root 37u IPv4 1616900063 0t0 TCP localhost:2379->localhost:12400 (ESTABLISHED)
etcd 31551 root 38u IPv4 1616900064 0t0 TCP localhost:2379->localhost:12402 (ESTABLISHED)
etcd 31551 root 39u IPv4 1616900065 0t0 TCP localhost:2379->localhost:12404 (ESTABLISHED)
etcd 31551 root 40u IPv4 1616900066 0t0 TCP localhost:2379->localhost:12406 (ESTABLISHED)
etcd 31551 root 41u IPv4 1616900067 0t0 TCP localhost:2379->localhost:12408 (ESTABLISHED)
etcd 31551 root 42u IPv4 1616900068 0t0 TCP localhost:2379->localhost:12410 (ESTABLISHED)
etcd 31551 root 43u IPv4 1616900069 0t0 TCP localhost:2379->localhost:12412 (ESTABLISHED)
etcd 31551 root 44u IPv4 1616900070 0t0 TCP localhost:2379->localhost:12414 (ESTABLISHED)
etcd 31551 root 45u IPv4 1616900071 0t0 TCP localhost:2379->localhost:12416 (ESTABLISHED)
etcd 31551 root 46u IPv4 1616900072 0t0 TCP localhost:2379->localhost:12418 (ESTABLISHED)
etcd 31551 root 47u IPv4 1616900073 0t0 TCP localhost:2379->localhost:12422 (ESTABLISHED)
etcd 31551 root 48u IPv4 1616900074 0t0 TCP localhost:2379->localhost:12420 (ESTABLISHED)
etcd 31551 root 49u IPv4 1616900075 0t0 TCP localhost:2379->localhost:12424 (ESTABLISHED)
etcd 31551 root 50u IPv4 1616900076 0t0 TCP localhost:2379->localhost:12426 (ESTABLISHED)
etcd 31551 root 51u IPv4 1616900077 0t0 TCP localhost:2379->localhost:12430 (ESTABLISHED)
etcd 31551 root 52u IPv4 1616900078 0t0 TCP localhost:2379->localhost:12428 (ESTABLISHED)
etcd 31551 root 53u IPv4 1616900079 0t0 TCP localhost:2379->localhost:12434 (ESTABLISHED)
etcd 31551 root 54u IPv4 1616900080 0t0 TCP localhost:2379->localhost:12436 (ESTABLISHED)
etcd 31551 root 55u IPv4 1616900081 0t0 TCP localhost:2379->localhost:12438 (ESTABLISHED)
etcd 31551 root 56u IPv4 1616900082 0t0 TCP localhost:2379->localhost:12440 (ESTABLISHED)
etcd 31551 root 57u IPv4 1616900083 0t0 TCP localhost:2379->localhost:12442 (ESTABLISHED)
etcd 31551 root 58u IPv4 1616900084 0t0 TCP localhost:2379->localhost:12444 (ESTABLISHED)
etcd 31551 root 59u IPv4 1616900085 0t0 TCP localhost:2379->localhost:12446 (ESTABLISHED)
etcd 31551 root 60u IPv4 1616900086 0t0 TCP localhost:2379->localhost:12448 (ESTABLISHED)
etcd 31551 root 61u IPv4 1616900087 0t0 TCP localhost:2379->localhost:12450 (ESTABLISHED)
etcd 31551 root 62u IPv4 1616900088 0t0 TCP localhost:2379->localhost:12452 (ESTABLISHED)
etcd 31551 root 63u IPv4 1616900089 0t0 TCP localhost:2379->localhost:12454 (ESTABLISHED)
etcd 31551 root 64u IPv4 1616900090 0t0 TCP localhost:2379->localhost:12456 (ESTABLISHED)
etcd 31551 root 77u IPv4 1616901909 0t0 TCP localhost:2379->localhost:12458 (ESTABLISHED)
etcd 31551 root 80u IPv4 1616901910 0t0 TCP localhost:2379->localhost:12460 (ESTABLISHED)
etcd 31551 root 81u IPv4 1616901911 0t0 TCP localhost:2379->localhost:12462 (ESTABLISHED)
etcd 31551 root 82u IPv4 1616901912 0t0 TCP localhost:2379->localhost:12464 (ESTABLISHED)
etcd 31551 root 83u IPv4 1616901913 0t0 TCP localhost:2379->localhost:12466 (ESTABLISHED)
etcd 31551 root 84u IPv4 1616901914 0t0 TCP localhost:2379->localhost:12468 (ESTABLISHED)
etcd 31551 root 85u IPv4 1616901915 0t0 TCP localhost:2379->localhost:12470 (ESTABLISHED)
etcd 31551 root 86u IPv4 1616901916 0t0 TCP localhost:2379->localhost:12472 (ESTABLISHED)
etcd 31551 root 87u IPv4 1616901917 0t0 TCP localhost:2379->localhost:12474 (ESTABLISHED)
etcd 31551 root 88u IPv4 1616901918 0t0 TCP localhost:2379->localhost:12476 (ESTABLISHED)
etcd 31551 root 89u IPv4 1616901919 0t0 TCP localhost:2379->localhost:12478 (ESTABLISHED)
etcd 31551 root 90u IPv4 1616901920 0t0 TCP localhost:2379->localhost:12480 (ESTABLISHED)
etcd 31551 root 91u IPv4 1616901921 0t0 TCP localhost:2379->localhost:12482 (ESTABLISHED)
etcd 31551 root 92u IPv4 1616901922 0t0 TCP localhost:2379->localhost:12484 (ESTABLISHED)
etcd 31551 root 93u IPv4 1616901923 0t0 TCP localhost:2379->localhost:12486 (ESTABLISHED)
etcd 31551 root 94u IPv4 1616901924 0t0 TCP localhost:2379->localhost:12488 (ESTABLISHED)
etcd 31551 root 95u IPv4 1616901925 0t0 TCP localhost:2379->localhost:12490 (ESTABLISHED)
etcd 31551 root 96u IPv4 1616901926 0t0 TCP localhost:2379->localhost:12492 (ESTABLISHED)
etcd 31551 root 97u IPv4 1616901927 0t0 TCP localhost:2379->localhost:12506 (ESTABLISHED)通过参数-i查看网络连接的情况,包括连接的ip、端口等;以及一些服务的连接情况,例如:sshd等。也可以通过指定ip查看该ip的网络连接情况。
(2)、查看端口连接情况
命令:lsof -i :1443
sudo lsof -i tcp:1443
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof -i tcp:1443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kube-prox 12597 root 24u IPv4 1091878883 0t0 TCP *:1443 (LISTEN)
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof -i:1443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kube-prox 12597 root 24u IPv4 1091878883 0t0 TCP *:1443 (LISTEN)
通过参数-i:端口可以查看端口的占用情况,-i参数还有查看协议,ip的连接情况等。
4、综合篇
(1)、查看指定进程打开的网络连接
命令:lsof -i -a -p xxxx
查看k8s打开的网络链接sudo lsof -i -a -p 12597
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo netstat -anp|head -n 2 && sudo netstat -anp|grep 1443|head -n 1
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 76 0 0.0.0.0:1443 0.0.0.0:* LISTEN 12597/kube-proxy
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof -i -a -p 12597
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kube-prox 12597 root 8u IPv6 1082375478 0t0 TCP *:10256 (LISTEN)
kube-prox 12597 root 9u IPv4 1616885805 0t0 TCP iZbp10j40ovkbwx9an9ppuZ:3782->iZbp10j40ovkbwx9an9ppuZ:6443 (ESTABLISHED)
kube-prox 12597 root 10u IPv4 1091632052 0t0 TCP *:32810 (LISTEN)
kube-prox 12597 root 11u IPv4 1091632053 0t0 TCP *:20735 (LISTEN)
kube-prox 12597 root 12u IPv4 1091632054 0t0 UDP *:48509
kube-prox 12597 root 13u IPv4 1091632057 0t0 TCP *:47412 (LISTEN)
kube-prox 12597 root 14u IPv4 1091632058 0t0 UDP *:20735
kube-prox 12597 root 15u IPv4 1091634296 0t0 TCP *:48509 (LISTEN)
kube-prox 12597 root 16u IPv4 1082375482 0t0 TCP localhost:10249 (LISTEN)
kube-prox 12597 root 17u IPv4 1091634297 0t0 TCP *:11247 (LISTEN)
kube-prox 12597 root 18u IPv4 1091634298 0t0 TCP *:16469 (LISTEN)
kube-prox 12597 root 19u IPv4 1091634299 0t0 UDP *:32810
kube-prox 12597 root 20u IPv4 1091632061 0t0 TCP *:34988 (LISTEN)
kube-prox 12597 root 21u IPv4 1091635357 0t0 TCP *:8500 (LISTEN)
kube-prox 12597 root 22u IPv4 1091635358 0t0 UDP *:8600
kube-prox 12597 root 23u IPv4 1091635361 0t0 TCP *:8600 (LISTEN)
kube-prox 12597 root 24u IPv4 1091878883 0t0 TCP *:1443 (LISTEN)
kube-prox 12597 root 25u IPv4 1091878884 0t0 TCP *:1553 (LISTEN)
kube-prox 12597 root 26u IPv4 1091878885 0t0 TCP *:1663 (LISTEN)
kube-prox 12597 root 27u IPv4 2939233422 0t0 TCP *:18801 (LISTEN)
kube-prox 12597 root 28u IPv4 3343213325 0t0 TCP *:18800 (LISTEN)
kube-prox 12597 root 29u IPv4 4143320238 0t0 TCP *:1783 (LISTEN)
kube-prox 12597 root 30u IPv4 4143320239 0t0 TCP *:1773 (LISTEN)使用了参数-i、-a、-p等,-i查看网络连接情况,-a查看存在的进程,-p指定进程。
(2)、查看指定状态的网络连接
命令:lsof -n -P -i TCP -s TCP:ESTABLISHED
sudo lsof -n -P -i TCP -s TCP:ESTABLISHED
zhancj@iZbp10j40ovkbwx9an9ppuZ:~$ sudo lsof -n -P -i TCP -s TCP:ESTABLISHED|head -n 20
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kube-prox 12597 root 9u IPv4 1616885805 0t0 TCP 172.16.207.15:3782->172.16.207.15:6443 (ESTABLISHED)
flanneld 15326 root 6u IPv4 1616884823 0t0 TCP 172.16.207.15:59140->10.96.0.1:443 (ESTABLISHED)
sshd 17320 root 3u IPv4 3690524245 0t0 TCP 172.16.207.15:22->27.154.104.0:14847 (ESTABLISHED)
sshd 17361 zhancj 3u IPv4 3690524245 0t0 TCP 172.16.207.15:22->27.154.104.0:14847 (ESTABLISHED)
AliYunDun 27448 root 12u IPv4 3403243398 0t0 TCP 172.16.207.15:26872->100.100.30.25:80 (ESTABLISHED)
kube-cont 28145 root 7u IPv4 1616884014 0t0 TCP 172.16.207.15:3992->172.16.207.15:6443 (ESTABLISHED)
kube-cont 28145 root 8u IPv4 1616887418 0t0 TCP 172.16.207.15:4408->172.16.207.15:6443 (ESTABLISHED)
kube-sche 28366 root 7u IPv4 1616883114 0t0 TCP 172.16.207.15:3820->172.16.207.15:6443 (ESTABLISHED)
kube-sche 28366 root 8u IPv4 1616883558 0t0 TCP 172.16.207.15:4106->172.16.207.15:6443 (ESTABLISHED)
kube-apis 28526 root 6u IPv4 1616900716 0t0 TCP 127.0.0.1:12354->127.0.0.1:2379 (ESTABLISHED)
kube-apis 28526 root 7u IPv4 1616899954 0t0 TCP 127.0.0.1:12356->127.0.0.1:2379 (ESTABLISHED)
kube-apis 28526 root 8u IPv4 1616901811 0t0 TCP 127.0.0.1:12358->127.0.0.1:2379 (ESTABLISHED)
kube-apis 28526 root 9u IPv4 1616901812 0t0 TCP 127.0.0.1:12362->127.0.0.1:2379 (ESTABLISHED)
kube-apis 28526 root 10u IPv4 1616899955 0t0 TCP 127.0.0.1:12360->127.0.0.1:2379 (ESTABLISHED)
kube-apis 28526 root 11u IPv4 1616900717 0t0 TCP 127.0.0.1:12364->127.0.0.1:2379 (ESTABLISHED)
kube-apis 28526 root 12u IPv4 1616902383 0t0 TCP 127.0.0.1:12366->127.0.0.1:2379 (ESTABLISHED)
kube-apis 28526 root 13u IPv4 1616902384 0t0 TCP 127.0.0.1:12368->127.0.0.1:2379 (ESTABLISHED)
kube-apis 28526 root 14u IPv4 1616901813 0t0 TCP 127.0.0.1:12370->127.0.0.1:2379 (ESTABLISHED)
kube-apis 28526 root 15u IPv4 1616902385 0t0 TCP 127.0.0.1:12374->127.0.0.1:2379 (ESTABLISHED)
参数解释: -n:no host names, -P:no port names,-i TCP指定协议,-s指定协议状态;通过多个参数我们可以清晰的查看网络连接情况、协议连接情况等。
5、恢复被删除的日志
Linux的系统日志默认保存在/var/log下
当Linux系统被入侵后,很多入侵者经常会删除系统中的各种日志,包括Web的access和error日志、last日志、messages日志、secure日志等,阻碍应急响应和取证调查,比如rm -rf /var/log。
遇到这种情况,不要关闭或者重启服务器系统,也不要关闭或重启相关服务或者进程,如:恢复apache的访问日志/var/log/httpd/access_log时,不能关闭或者重启服务器系统,也不能重启httpd服务。
假设我们要恢复被删除的messages日志和secure日志:
1.首先通过losf命令找到使用messages文件的进程的PID和messages文件的FD(文件描述符);
从上面命令输出可以看到,这个打开/var/log/messages文件的进程的PID是815,文件/var/log/messages的FD(文件描述符)是4,状态为deleted,标记被删除,但其实该文件并没有从磁盘中删除。
2.如果删除的文件还存在操作的进程,数据将可能被找回,可以在/proc/815/fd/4找到被删除的/var/log/messages文件;
3.恢复被删除的/var/log/secure文件;
在Linux系统中删除了一个文件,只要进程还在对文件进行操作,就可能还存在一个inode的引用:/proc/进程号/fd/文件描述符,只要知道当前打开文件的进程pid和文件描述符fd,即可利用lsof命令还原出被删除的文件。
6、总 结
Linux大量使用了文件,作为系统管理员,lsof 允许用户对核心内存进行查看,以找出系统当前如何使用这些文件。lsof的简单用法可以告诉用户哪些进程打开了哪些文件,以及哪些文件由哪些进程打开。
在收集关于应用程序工作情况的信息时,或在进行某些可能损坏数据的操作前,要确保文件未被使用,这一点特别重要。lsof 更高级的用法可以帮助用户查找删除的文件,并获得关于网络连接的信息。lsof 是一个功能强大的工具,它几乎可以用于任何地方。
本文大部分引用自:https://baijiahao.baidu.com/s?id=1599953889210092246&wfr=spider&for=pc