This describes the beginning of an anxious moment in the life of an
administrator. You're watching what looks like a rogue process
and a runaway file consume the free space on a Solaris filesystem.
The question is, can you find the file and the process, or will a costly
emergency shutdown be required?
Most administrators have used the find command with the -mtime,
-ctime, or -atime options to find files by date range.
But on a large filesystem, with half of a day gone by and the system failing,
using the "find / -mtime -1 -print" command might turn up a lot of
extra files that we don't have time to sift through. All of this leads us
to the question: Is it possible to search for files that have been
created or modified in just the last 20 minutes?
Using the touch command, we create an empty file in the /tmp directory with a modification time stamp of 1:50 p.m.:
$ touch -mt 08301350 /tmp/empty_file

Looking at the file with the ls -l command, we see that it has the proper time stamp:

$ ls -l /tmp/empty_file
-rw-r--r-- 1 root other 0 Aug 30 13:50 /tmp/empty_file

If you haven't used the touch command before, you'll see that it's a unique command that can be used to update the time stamp on files. Using touch, you can make a file look very old or very new, just by changing its access or modification time. This has a variety of purposes, from updating the time stamp of old files to include them in tape backups, to touching a file so a make utility will notice the new date and recompile a file. As an added purpose, touch can also be used to create empty files, which is useful in shell scripts and training exercises.
The second step in our search for the runaway file is to use the find command with the -newer option. We tell the find command to locate any files in the local filesystem that are newer than our /tmp/empty_file, which appears to have been modified at 1:50 p.m.:
$ find / -newer /tmp/empty_file -local -print

Notice that we also add the -local option to our command, telling find not to waste any time looking on NFS filesystems. It's obvious that our local hard disk is churning, so don't waste time looking on NFS-mounted filesystems. I also recommend adding the "-type f" option to tell find to locate only normal files, and ignore directories, links, and other filesystem objects.
Once the find command locates the new file, you can identify
the user and process that created the runaway file. If it really
is some type of runaway process, we can terminate the process and remove
the file, without performing a costly emergency shutdown.
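The touch and find steps above, combined into one shell function and sorted so the largest recent file comes first. This is an added example, not part of the original article. Assumptions: the function name recent_files is hypothetical, the reference file is made with mktemp rather than the fixed /tmp/empty_file, and the POSIX -xdev option stands in for the Solaris-specific -local so the function also runs on other systems.

```shell
#!/bin/sh
# recent_files DIR STAMP   (hypothetical helper, not from the article)
# Lists regular files under DIR modified after STAMP, largest first.
# STAMP uses touch -t syntax, [[CC]YY]MMDDhhmm, e.g. 08301350 as in the article.
recent_files() (
    dir=$1
    stamp=$2
    # An unpredictable mktemp name avoids clobbering or following a
    # pre-existing file, which a fixed name in world-writable /tmp cannot rule out.
    ref=$(mktemp "${TMPDIR:-/tmp}/ref.XXXXXX") || return 1
    if touch -m -t "$stamp" "$ref"; then
        # -xdev: stay on DIR's own filesystem (stand-in for Solaris -local).
        # -type f: regular files only, as the article recommends.
        # ls -ld prints owner and size; field 5 is the size in bytes.
        # Errors from unreadable directories are discarded.
        find "$dir" -xdev -type f -newer "$ref" -exec ls -ld {} + 2>/dev/null |
            sort -k5,5nr
        rc=0
    else
        rc=1    # STAMP was not a valid touch -t time
    fi
    rm -f "$ref"
    return "$rc"
)
```

Called as recent_files / 08301350, it prints one ls -l line per file changed since 1:50 p.m., and the owner column of the first line names the user to look at.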