Authors: Luke Rawlins
You may occasionally come across an issue where running
will produce output that disagree’s with the output of the
If you aren’t familiar with these two commands do see my post about filesystem and directory size.
The reason for the difference in reported size is that
does not differentiate between files that are open in memory but have been deleted, or altered on the disk, whereas
will only see the files that are on the disk. You should recognize that these tools serve different functions and that you will need to rely on both of them to get a truly accurate portrayal of disk usage on your system.
Lets say you run
to get an idea of how much space you have on each of the filesystems on your server or PC only to see that
is 98% full, 9.8G out of 10G just to keep it simple. Like a good admin you run
du -h --max-depth=1 /var
to find out which directories are the largest and may have files that need to be zipped up, moved, or deleted. The problem becomes apparent when
returns that just 3G are in use on that filesystem. What do you do now?
Have you heard the old saying around the Unix world, “Everything is a file”?
Well it’s true, everything in Unix, and by association Linux, is a file. This includes deleted files that now live as chunks of memory that are in use by a process.
You can view all open files on a system with the
command, including deleted files that live in memory and are in use by a process (possibly an old configuration file).
sudo lsof | grep root
will show you a full output of all the files currently in use by the
user. (Probably a lot of files).
sudo lsof | less
will show you all of the open files on your system. It will look something like this. (I’m only grabbing the first 3 lines for brevity).
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 202,1 4096 2 / systemd 1 root rtd DIR 202,1 4096 2 / systemd 1 root txt REG 202,1 1577232 396000 /lib/systemd/systemd
Here you can see the command, the process id (PID), which user has the file open, the file descriptor (FD), the size in bytes, and the location. In our scenario we want to find out if there are any large files open that may have been deleted. We can find those files like this:
sudo lsof | grep -i deleted
Keep an eye on the 8th column which if you recall is the
column. Once you identify your large files check which user has the file open (4th column), usually this will be a service account like
. Or pay attention to the command column to identify the process or service that is using the old file.
After you identify the offending process all you need to do is restart the service using
Don’t panic, take a breath, and assess what you are seeing, think about how your tools work and what they are showing you. Above all don’t just start deleting things to free up space!
are having a disagreement here is that
see’s these deleted files along with their replacements and calculates the total disk usage,
on the other hand only see’s the new file.
Now that you know how to find the zombie files you shouldn’t have too much trouble bringing these two system tools back into agreement.
If you’d like to get in touch, contact with me via email.