Use lsof to Find Files Opened by a Process

lsof, meaning “LiSt Open Files,” is used to find out which files are opened by which processes. As we all know, Linux/Unix considers everything to be a file (pipes, sockets, directories, devices etc). One of the reason to use the lsof command is to find out if there is any file system problem.

For example, we see some processes like the following in a CloudLinux environment: 

lscgid -n 161

and lscgid is constantly running 100%CPU 

1193334 root 20 0 15180 980 788 R 100.0 0.0 0:53.02 lscgid
lsof -p pid

Looks like cagefs mount points are messed up. It tries to use an endless file under /proc, 

more /proc/1204041/mounts

1204041 is live 100% cpu lscgid process.

it is endless 

/dev/mapper/centos_linux2-root /var/cagefs/78/tahacocukoyunpar/var/cpanel/userdata/tahacocukoyunpar xfs rw,nosuid,relatime,attr2,inode64,usrquota 0 0
/dev/mapper/centos_linux2-root /usr/share/cagefs-skeleton/var/cpanel/userdata xfs rw,nosuid,relatime,attr2,inode64,usrquota 0 0
/dev/mapper/centos_linux2-root /usr/share/cagefs-skeleton/var/cpanel/userdata/tahacocukoyunpar xfs rw,nosuid,relatime,attr2,inode64,usrquota 0 0
/dev/mapper/centos_linux2-root /usr/share/cagefs-skeleton/var/cpanel/userdata/tahacocukoyunpar xfs rw,nosuid,relatime,attr2,inode64,usrquota 0 0
/dev/mapper/centos_linux2-root /usr/share/cagefs-skeleton/var/cpanel/userdata/tahacocukoyunpar xfs rw,nosuid,relatime,attr2,inode64,usrquota 0 0
/dev/mapper/centos_linux2-root /usr/share/cagefs-skeleton/var/cpanel/userdata/tahacocukoyunpar xfs rw,nosuid,relatime,attr2,inode64,usrquota 0 0
/dev/mapper/centos_linux2-root /usr/share/cagefs-skeleton/var/cpanel/userdata/tahacocukoyunpar xfs rw,nosuid,relatime,attr2,inode64,usrquota 0 0
/dev/mapper/centos_linux2-root /usr/share/cagefs-skeleton/var/cpanel/userdata/tahacocukoyunpar xfs rw,nosuid,relatime,attr2,inode64,usrquota 0 0

Try cagefsctl --force-update, and lscgid process can finish now, but CPU usage is still high. The user will need to contact CloudLinux support for the cagefs mount problem.

lscgid -n xxx is used by LiteSpeed to start a Suexec PHP process, use lscgid to gain root, then change user id. Under normal circumstances, it will immediately execute the PHP binary, so you won't see it running.

  • Admin
  • Last modified: 2018/09/10 20:25
  • by Lisa Clarke