/proc kcore file is huge

Love2Code picture Love2Code · Jan 16, 2014 · Viewed 90.3k times · Source

After experiencing a DDOS attack, somehow /proc/kcore is very huge, I use a small php class to check the current disk space, and how many has been used.

It shows the following:

Total Disk Space: 39.2 GB
Used Disk Space: 98 GB
Free Disk Space: 811.6 MB

My question is, is it safe to delete the /proc/kcore file? Or is there a solution on getting it to an normal size.

The filesize of /proc/kcore is 140.737.486.266.368 bytes

I have hosted my server at DigitalOcean.

If any more information needed to know, please ask ;)

Many thanks!

Edit...

df -h returns:

Filesystem      Size  Used Avail Use% Mounted on
/dev/vda         40G   37G  755M  99% /
udev            993M   12K  993M   1% /dev
tmpfs           401M  224K  401M   1% /run
none            5.0M     0  5.0M   0% /run/lock
none           1002M     0 1002M   0% /run/shm

du -shx returns:

du -shx *
8.7M    bin
27M     boot
12K     dev
6.3M    etc
4.8M    home
0       initrd.img
229M    lib
4.0K    lib64
16K     lost+found
8.0K    media
4.0K    mnt
4.0K    opt
du: cannot access `proc/3765/task/3765/fd/3': No such file or directory
du: cannot access `proc/3765/task/3765/fdinfo/3': No such file or directory
du: cannot access `proc/3765/fd/3': No such file or directory
du: cannot access `proc/3765/fdinfo/3': No such file or directory
0       proc
40K     root
224K    run
8.0M    sbin
4.0K    selinux
4.0K    srv
0       sys
4.0K    tmp
608M    usr
506M    var
0       vmlinuz

Results of lsof | grep deleted:

mysqld     1356      mysql    4u      REG              253,0           0    1835011 /tmp/ib4jBFkc (deleted)
    mysqld     1356      mysql    5u      REG              253,0           0    1835012 /tmp/ibcE99rr (deleted)
    mysqld     1356      mysql    6u      REG              253,0           0    1835013 /tmp/ibrxYEzG (deleted)
    mysqld     1356      mysql    7u      REG              253,0           0    1835014 /tmp/ibK95UJV (deleted)
    mysqld     1356      mysql   11u      REG              253,0           0    1835015 /tmp/iboOi8Ua (deleted)
    nginx     30057       root    2w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)
    nginx     30057       root    5w      REG              253,0 37730323404     268273 /etc/nginx/off (deleted)
    nginx     30057       root    6w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)
    nginx     30058   www-data    2w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)
    nginx     30058   www-data    5w      REG              253,0 37730323404     268273 /etc/nginx/off (deleted)
    nginx     30058   www-data    6w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)
    nginx     30059   www-data    2w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)
    nginx     30059   www-data    5w      REG              253,0 37730323404     268273 /etc/nginx/off (deleted)
    nginx     30059   www-data    6w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)

Answer

wally picture wally · Sep 15, 2014

In answer to your original question:

"Is it safe to delete the /proc/kcore file? Or is there a solution on getting it to an normal size."

No, it's not safe. Well, I wouldn't like to bet what would happen if you deleted it anyway!

The /proc directory is the mount point for procfs (run mount and see the output like below: )

proc on /proc type proc (rw)

procfs is a bit of dark magic; no files in it are real. It looks like a filesystem, acts like a filesystem, and is a filesystem. But not one that is stored on disk (or elsewhere).

/proc/kcore specifically is a file which maps directly to every available byte in your virtual memory ... I'm not absolutely clear on the details; the 128TB comes from Linux allocating 47ish bits of the 64bits available for virtual memory.

(There's discussion on the 128TB limit here: https://unix.stackexchange.com/questions/116640/what-is-maximum-ram-supportable-by-linux )

Anyway, putting aside Linux's hard-coded virtual memory limits - what we come to understand in the context of your question is this: /proc/kcore is a system file, provided by the virtual procfs filesystem, and is not a real file.

Don't delete it ;-)


Update: 2016-06-03

My answer here keeps periodically being up-voted - so I assume people are still looking for an explanation of what /proc/kcore is.

There's a helpful Wikipedia article titled Everything is a file which gives a little background. If you're really curious - take a look into the Plan9 OS.

Hopefully my original answer sufficiently explains kcore itself. I'm speculating that people reading this answer may be curious about other files in /proc too - so here are some other "interesting" examples.

  • /proc/sys/* is a mechanism for the user (you) to read/write details from the heart of Linux (the kernel and associated drivers etc). A cute example of a r/w item is "IP forwarding":

    Read: cat /proc/sys/net/ipv4/ip_forward (0 is off, 1 is on)

    Write: echo 1 > /proc/sys/net/ipv4/ip_forward

    As with kcore, this isn't a real file. But it acts like one. So when you write to it, you're actually changing software settings as opposed to bytes on a disk.

  • /proc/meminfo and /proc/cpuinfo are read-only. You can cat or less them, or fopen() from your own application. They show you details about your hardware (memory and CPU).

  • /proc/[0-9]+ are actually process IDs running on your machine! These are (IMHO) by far the coolest feature of /proc. Inside them you will find more fake files like cmdline which tell you what command was used to start the process.

Finally there's some other examples of "interesting filesystems", like /proc. There are purely in-memory and "user-space" to name just two. Again these (generally speaking) do not consume any real disk space, although tools like df and ls may report real file sizes.