After experiencing a DDOS attack, somehow /proc/kcore
is very huge, I use a small php class to check the current disk space, and how many has been used.
It shows the following:
Total Disk Space: 39.2 GB
Used Disk Space: 98 GB
Free Disk Space: 811.6 MB
My question is, is it safe to delete the /proc/kcore
file? Or is there a solution on getting it to an normal size.
The filesize of /proc/kcore
is 140.737.486.266.368 bytes
I have hosted my server at DigitalOcean.
If any more information needed to know, please ask ;)
Many thanks!
Edit...
df -h
returns:
Filesystem Size Used Avail Use% Mounted on
/dev/vda 40G 37G 755M 99% /
udev 993M 12K 993M 1% /dev
tmpfs 401M 224K 401M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 1002M 0 1002M 0% /run/shm
du -shx
returns:
du -shx *
8.7M bin
27M boot
12K dev
6.3M etc
4.8M home
0 initrd.img
229M lib
4.0K lib64
16K lost+found
8.0K media
4.0K mnt
4.0K opt
du: cannot access `proc/3765/task/3765/fd/3': No such file or directory
du: cannot access `proc/3765/task/3765/fdinfo/3': No such file or directory
du: cannot access `proc/3765/fd/3': No such file or directory
du: cannot access `proc/3765/fdinfo/3': No such file or directory
0 proc
40K root
224K run
8.0M sbin
4.0K selinux
4.0K srv
0 sys
4.0K tmp
608M usr
506M var
0 vmlinuz
Results of lsof | grep deleted
:
mysqld 1356 mysql 4u REG 253,0 0 1835011 /tmp/ib4jBFkc (deleted)
mysqld 1356 mysql 5u REG 253,0 0 1835012 /tmp/ibcE99rr (deleted)
mysqld 1356 mysql 6u REG 253,0 0 1835013 /tmp/ibrxYEzG (deleted)
mysqld 1356 mysql 7u REG 253,0 0 1835014 /tmp/ibK95UJV (deleted)
mysqld 1356 mysql 11u REG 253,0 0 1835015 /tmp/iboOi8Ua (deleted)
nginx 30057 root 2w REG 253,0 0 789548 /var/log/nginx/error.log (deleted)
nginx 30057 root 5w REG 253,0 37730323404 268273 /etc/nginx/off (deleted)
nginx 30057 root 6w REG 253,0 0 789548 /var/log/nginx/error.log (deleted)
nginx 30058 www-data 2w REG 253,0 0 789548 /var/log/nginx/error.log (deleted)
nginx 30058 www-data 5w REG 253,0 37730323404 268273 /etc/nginx/off (deleted)
nginx 30058 www-data 6w REG 253,0 0 789548 /var/log/nginx/error.log (deleted)
nginx 30059 www-data 2w REG 253,0 0 789548 /var/log/nginx/error.log (deleted)
nginx 30059 www-data 5w REG 253,0 37730323404 268273 /etc/nginx/off (deleted)
nginx 30059 www-data 6w REG 253,0 0 789548 /var/log/nginx/error.log (deleted)
In answer to your original question:
"Is it safe to delete the
/proc/kcore
file? Or is there a solution on getting it to an normal size."
No, it's not safe. Well, I wouldn't like to bet what would happen if you deleted it anyway!
The /proc
directory is the mount point for procfs (run mount
and see the output like below: )
proc on /proc type proc (rw)
procfs is a bit of dark magic; no files in it are real. It looks like a filesystem, acts like a filesystem, and is a filesystem. But not one that is stored on disk (or elsewhere).
/proc/kcore
specifically is a file which maps directly to every available byte in your virtual memory ... I'm not absolutely clear on the details; the 128TB comes from Linux allocating 47ish bits of the 64bits available for virtual memory.
(There's discussion on the 128TB limit here: https://unix.stackexchange.com/questions/116640/what-is-maximum-ram-supportable-by-linux )
Anyway, putting aside Linux's hard-coded virtual memory limits - what we come to understand in the context of your question is this: /proc/kcore
is a system file, provided by the virtual procfs filesystem, and is not a real file.
Don't delete it ;-)
Update: 2016-06-03
My answer here keeps periodically being up-voted - so I assume people are still looking for an explanation of what /proc/kcore
is.
There's a helpful Wikipedia article titled Everything is a file which gives a little background. If you're really curious - take a look into the Plan9 OS.
Hopefully my original answer sufficiently explains kcore
itself. I'm speculating that people reading this answer may be curious about other files in /proc
too - so here are some other "interesting" examples.
/proc/sys/*
is a mechanism for the user (you) to read/write details from the heart of Linux (the kernel and associated drivers etc). A cute example of a r/w item is "IP forwarding":
Read: cat /proc/sys/net/ipv4/ip_forward
(0
is off, 1
is on)
Write: echo 1 > /proc/sys/net/ipv4/ip_forward
As with kcore
, this isn't a real file. But it acts like one. So when you write to it, you're actually changing software settings as opposed to bytes on a disk.
/proc/meminfo
and /proc/cpuinfo
are read-only. You can cat
or less
them, or fopen()
from your own application. They show you details about your hardware (memory and CPU).
/proc/[0-9]+
are actually process IDs running on your machine! These are (IMHO) by far the coolest feature of /proc
. Inside them you will find more fake files like cmdline
which tell you what command was used to start the process.
Finally there's some other examples of "interesting filesystems", like /proc
. There are purely in-memory and "user-space" to name just two. Again these (generally speaking) do not consume any real disk space, although tools like df
and ls
may report real file sizes.