What to do when df and du report different usage.

You may occasionally come across an issue where running df produces output that disagrees with the output of the du command.

If you aren't familiar with these two commands do see my post about filesystem and directory size.

The reason for the difference in reported size is that df reports usage for the filesystem as a whole and does not differentiate between files that are still on the disk and files that have been deleted or altered on the disk but are still held open by a process, whereas du will only see the files that are on the disk. You should recognize that these tools serve different functions and that you will need to rely on both of them to get a truly accurate portrayal of disk usage on your system.

Let's say you run df -h to get an idea of how much space you have on each of the filesystems on your server or PC, only to see that /var is 98% full (9.8G out of 10G, just to keep it simple). Like a good admin, you run du -h --max-depth=1 /var to find out which directories are the largest and may have files that need to be zipped up, moved, or deleted. The problem becomes apparent when du returns that just 3G are in use on that filesystem. What do you do now?

Check for deleted files in memory.

Have you heard the old saying around the Unix world, "Everything is a file"?

Well, it's true: everything in Unix, and by association Linux, is a file. This includes deleted files that no longer have a name on the disk but are still in use by a process.

You can view all open files on a system with the lsof command, including deleted files that live in memory and are in use by a process (possibly an old configuration file). sudo lsof | grep root will show you a full output of all the files currently in use by the root user. (Probably a lot of files).

Running sudo lsof | less will show you all of the open files on your system. It will look something like this. (I'm only grabbing the first 3 lines for brevity).

COMMAND     PID   TID             USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME
systemd       1                   root  cwd       DIR              202,1     4096          2 /
systemd       1                   root  rtd       DIR              202,1     4096          2 /
systemd       1                   root  txt       REG              202,1  1577232     396000 /lib/systemd/systemd

Here you can see the command, the process id (PID), which user has the file open, the file descriptor (FD), the size in bytes, and the location. In our scenario we want to find out if there are any large files open that may have been deleted. We can find those files like this:

sudo lsof | grep -i deleted

Keep an eye on the 8th column, which if you recall is the SIZE column. Once you identify your large files, check which user has the file open (4th column). Usually this will be a service account like www-data, apache, or mysql. Or pay attention to the command column to identify the process or service that is using the old file.

After you identify the offending process, all you need to do is restart the service using systemctl, service, or kill -HUP.
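
The same search can be done without lsof by reading /proc directly, which also avoids counting columns by eye. The script below is an added example, not part of the original post; the function names deleted_open_files and deleted_bytes_total are made up here, and it assumes Linux with GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example: find deleted-but-still-open files by walking /proc (Linux).
# Assumes GNU or BusyBox stat (-L -c). Run as root to see every process;
# without root only your own processes are readable.

# deleted_open_files [PID...]
# One tab-separated row per descriptor: SIZE PID COMMAND FD DEV:INODE PATH
# SIZE is the apparent size in bytes, the same figure lsof shows.
deleted_open_files() {
    [ $# -gt 0 ] || set -- $(ls /proc | grep -E '^[0-9]+$')
    for pid in "$@"; do
        # Processes can exit mid-scan; skip anything that has vanished.
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        for fd in /proc/"$pid"/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in
                /memfd:*|/SYSV*) continue ;;   # RAM-backed objects, no disk blocks
                /*' (deleted)') ;;             # unlinked but still open
                *) continue ;;
            esac
            # stat -L follows the /proc link to the open inode itself.
            info=$(stat -L -c '%s %d:%i' "$fd" 2>/dev/null) || continue
            printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
                "${info%% *}" "$pid" "$comm" "${fd##*/}" "${info#* }" "$target"
        done
    done
}

# deleted_bytes_total [PID...]
# Bytes held by deleted files, counting each inode once even when several
# descriptors or processes (forked workers, for example) share it.
deleted_bytes_total() {
    deleted_open_files "$@" |
        awk -F'\t' '!seen[$5]++ { total += $1 } END { printf "%.0f\n", total }'
}
```

Source the file and run deleted_open_files | sort -rn | head as root to list the largest entries first; deleted_bytes_total gives the figure to compare against the gap between df and du.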

In conclusion

Don't panic. Take a breath, assess what you are seeing, and think about how your tools work and what they are showing you. Above all, don't just start deleting things to free up space!

The reason df and du are having a disagreement here is that df sees these deleted files along with their replacements and calculates the total disk usage; du, on the other hand, only sees the new file.

Now that you know how to find the zombie files you shouldn't have too much trouble bringing these two system tools back into agreement.