When I try to remount a partition as read-only, I get an error /foo is busy. I can list all files open from /foo with
lsof /foo
but that does not show me whether files are open read-only or read-write. Is there any way to list only files which are open as read-write ?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
To answer this question specifically, you could do:
lsof /foo | awk 'NR==1 || $4~/[0-9]+u/'
This will show files which are opened read-write under the mount point foo. However, likely you really want to do is list all files which are open for writing. This would include files a which opened write-only as well as those opened read-write. For this you would do:
lsof /foo | awk 'NR==1 || $4~/[0-9]+[uw]/'
These commands should work provided FD is the 4th field in the output and none of the other fields are blank. This is the case for me on Debian when I include a path in the lsof command, however if I don’t it prints and extra TID field which is sometimes blank (and will confuse awk). Mileage may vary between distros or lsof versions.
Method 2
Look at the FD column values in the output of lsof. For example:
sudo lsof +d /foo
The manpages describe the interpretation; ‘r’ for read; ‘w’ for write’ and ‘u’ for read and write access.
This can easily be used to list the objects of interest:
sudo lsof +d /foo | awk '/$4~/u/ {print $NF}'
Method 3
I didn’t have any luck using lsof to list processes with read-write access to files (maybe I just overlooked the option in my version of lsof), but I ended up finding this Digital Ocean guide which showed how to get that info using fuser.
Here is some test output from an Ubuntu 16.04 box:
$ sudo fuser -v /etc/os-release
USER PID ACCESS COMMAND /usr/lib/os-release: root 827 f.... snapd
$ sudo fuser -v /proc/kmsg
USER PID ACCESS COMMAND /proc/kmsg: syslog 989 f.... rsyslogd
As noted in the guide:
The above output shows that, when ran in verbose mode, the fuse
utility gives information about the USER, PID, ACCESS and COMMAND. There are many access types such as e(executable being
run), r(root directory), f(open file. f is omitted in default display
mode), F(open file for writing, F is omitted in default display mode)
and m (mmap’ed file or shared library).
In each of those above examples the files are open for reading. Here is an example of a file that is open for writing:
$ sudo fuser -v /run/systemd/journal/syslog
USER PID ACCESS COMMAND
/run/systemd/journal/syslog:
root 1 F.... systemd
syslog 989 F.... rsyslogd
Here you can see that both systemd and rsyslogd have write access to the /run/systemd/journal/syslog “file” (socket in this case).
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0