Michael W. Lucas
One morning when there just didn't seem to be enough caffeine in the world, I decided to avoid dealing with people and just clean up all the little jobs on my to-do list. One task was to put a CD-ROM into a particular machine and copy files from it to the hard drive. Seems simple enough, doesn't it? Except:
# umount /cdrom/ umount: unmount of /cdrom failed: Device busy #
This error shows up when a CD-ROM is mounted and in use, and you try to unmount it. But I'm sitting right in front of the system, and the CD-ROM light isn't on, and the motor isn't humming. The CD-ROM might be mounted, but it certainly isn't actually in use.
At this point, I have a few options. I could reboot the machine,
annoying all the users. While annoying users can be fun, it can also
generate a lot of work. I could run around asking everyone if they
are using the CD-ROM, but that would mean I'd have to stir myself out
of the comfy chair and actually speak to people I'd rather not talk
to. I could forcibly unmount it, but I have no idea how badly that
would affect the person who mounted it. Or, I could try to figure out
why the system thinks the CD-ROM is busy, and just approach the one
person responsible. Since that involves the least contact with human
beings, I chose that route. You can learn who is using what files
According to the man page
fstat(1) "identifies active files." This
might not seem like much, but in UNIX everything is a file. While
more recent operating systems (such as Plan 9) implement this idea to
its logical extreme, even pipes and network connections are largely
treated as files. If you can examine files that are in use, you can
see just about everything that happens on the system.
a snapshot of the system at a particular moment. As programs
continuously open and close files, pipes, and network connections, the
output of fstat changes from second to second.
If you go to a command prompt and type "
fstat," you'll see a list of
all the active files on the system. This list can be very long, as
each process probably has several files open. My laptop, running an
assortment of desktop programs, has about 400 open files. A friend's
small Web server runs about 9,000 open files, while some heavily used
Web servers have about 30,000 files open. To make things more
interesting, programs are continually opening and closing files, so
this number changes constantly.
fstat(1) makes a snapshot of the open
files, so if you run it several times in quick succession you will get
Here's a snippet of
fstat output from my laptop:
.... mwlucas ssh 2820 3* internet stream tcp c2ef2814 mwlucas rxvt 2819 root / 2 drwxr-xr-x 512 r mwlucas rxvt 2819 wd /usr 846337 drwxr-xr-x 2560 r mwlucas rxvt 2819 text /usr 802549 -rws--x--x 89092 r mwlucas rxvt 2819 2 /dev 60 crw------- ttyv0 rw mwlucas rxvt 2819 3* local stream c2ebdbd0 <-> c2ebd870 mwlucas rxvt 2819 4 /dev 104 crw-rw-rw- ptyp0 rw mwlucas mozilla-bin 2725 root / 2 drwxr-xr-x 512 r mwlucas mozilla-bin 2725 wd /usr 808118 drwxr-xr-x 1536 r ....
So, this looks like a lot of information. What does it mean?
The first column is the username that has the file open. The second is the name of the program that has the file open. While program names aren't that useful, the third column gives the PID of the process.
The fourth column is where things get interesting. This could contain
a number, a number marked with an asterisk, or a keyword. A plain
number is the process-internal file descriptor. When a process opens
a file, it assigns that file a number so it can keep track of it.
fstat(1) lines that have a number in the fourth field represent plain
text or data files that the program is reading or writing to.
If the fourth field is a number with an asterisk (such as the first entry in our sample output above), the line represents an open socket. These can be UNIX domain sockets, network sockets, or pipes. If the line represents a socket, the rest of the line has a varying format depending on which sort of socket it is. We aren't going to worry about sockets right now. fstat isn't that useful for investigating open network connections on FreeBSD, but on OpenBSD fstat gives the IP address and port number of an open connection. Other operating systems vary; check your preferred UNIX and see what yours does.
If the fourth field is the word "text," that does not mean that the file is a text file. Instead, it means that this is "executable text" or a program. (Only computer scientists would ever think that text means computer text.) This indicates that the process has an executable program open.
Pages: 1, 2