How it works: for every file a process opens, a file descriptor (FD) is created to identify that file. As long as the process has not released the open file, a deleted file can be recovered through its file descriptor.
Note: recovery only works while a process still holds the file open, as is the case with a log file. If a process reads a configuration file at startup and releases the handle immediately, the file cannot be recovered this way. Likewise, if the open file is deleted and the service is then restarted, the restart releases the file handle, and the file cannot be recovered through lsof either.
Installation: yum install lsof -y
View the processes that have /var/log/messages open
Here the process that has /var/log/messages open is rsyslogd: its PID is 925, the owner is root, 4 is the file descriptor (fd), and w means the file is open for writing.
# lsof | grep messages
rsyslogd  925      root  4w  REG  253,0  194666  35851428 /var/log/messages
in:imjour 925 963  root  4w  REG  253,0  194666  35851428 /var/log/messages
rs:main   925 964  root  4w  REG  253,0  194666  35851428 /var/log/messages
Delete the file
rm -rf /var/log/messages
View the processes that have /var/log/messages open again; the file is now marked (deleted)
# lsof | grep messages
rsyslogd  925      root  4w  REG  253,0  195350  35851428 /var/log/messages (deleted)
in:imjour 925 963  root  4w  REG  253,0  195350  35851428 /var/log/messages (deleted)
rs:main   925 964  root  4w  REG  253,0  195350  35851428 /var/log/messages (deleted)
View the process's file handle
# ll /proc/925/fd/4
l-wx------ 1 root root 64 May 11 00:37 /proc/925/fd/4 -> /var/log/messages (deleted)
Restore based on file handle
cp /proc/925/fd/4 /var/log/messages
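The same procedure as a small script that scans /proc directly instead of parsing lsof output. This is an added example, not part of the original page; the function names find_deleted_fds and recover_deleted are hypothetical.

```shell
#!/bin/sh
# Added example: recover a deleted file that a process still holds open,
# reading /proc directly (Linux only; run as root to see every process).

# find_deleted_fds PATH
# Print the /proc/PID/fd/N entry of every process that still has the
# deleted PATH open. Scanning /proc/PID lists each process once, while
# lsof may also print one row per thread of that process.
find_deleted_fds() {
    for link in /proc/[0-9]*/fd/*; do
        # readlink fails for processes that exited or that we may not inspect
        dest=$(readlink "$link" 2>/dev/null) || continue
        # the kernel appends " (deleted)" to the link target after unlink
        [ "$dest" = "$1 (deleted)" ] && echo "$link"
    done
    return 0
}

# recover_deleted PATH DEST
# Copy the still-open content of the deleted PATH to DEST.
# Returns 1 if DEST already exists or no process holds PATH open.
recover_deleted() {
    if [ -e "$2" ]; then
        echo "refusing to overwrite existing $2" >&2
        return 1
    fi
    for src in $(find_deleted_fds "$1"); do
        # a holder can exit between the scan and the copy: try the next one
        if cp "$src" "$2" 2>/dev/null; then
            echo "recovered $1 from $src" >&2
            return 0
        fi
    done
    echo "no process holds $1 open, nothing to recover" >&2
    return 1
}
```

After sourcing the script, recover_deleted /var/log/messages /var/log/messages performs the cp step above without looking up the PID and fd by hand. The running process keeps writing to the deleted inode rather than to the restored copy, so restore first and only then restart or reload the service so that it reopens the path.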
Using lsof to recover files held open by a process