When the bard said, "There are more things in heaven
and earth...
than are dreamt of in your philosophy," he could
have been speaking
of objects in the UNIX filesystem. To be able to answer
from your users and handle problems that arise during
software installations,
you, as system administrator, need to understand all
the filesystem
objects in the UNIX heavens. This article covers a collection
of filesystem
topics that I find most beginning (and some experienced)
system administrators
don't know about or understand well.
Two Sys Admin articles by Emmett Dulaney -- "Understanding
Filesystems" (March/April 1995) and "When
inodes Go Bad"
(July/August 1994) -- explain the underlying structure
of the UNIX
filesystem. This underlying structure (superblocks and
inodes) is
generally invisible to the user. The present article
takes a look
at the unfamiliar, but visible, objects in the filesystem
and at some
unusual behaviors of familiar objects:
Although most of what I say applies to System V Release
4 in general and even to such oddball **ixes as the
Coherent 4.2 system
I run at home, some of the commands and details are
specific to Sun
Solaris 2.4. I encourage you to see how these commands
and examples
work on your system by trying them out as you read.
Files, Directories, and Links
The logical concept of a file under UNIX is a string
of bytes pointed
to by a directory entry. Most of the time this concept
serves quite
well, but occasionally files exhibit behavior that makes
it clear
this concept is an oversimplification.
Sparse Files
The data portion of a file is not actually one big string
of bytes.
If you open a file, position out to byte 9,999 (using
something like
the lseek system call) and write one byte, the resulting
does not use up 10,000 bytes of disk space. Only the
data you write
takes up disk space. If you write only one byte, the
file is reported
as the same size in blocks, regardless of the offset
of that byte
in the file. (Just how many blocks a one-byte file takes
up depends
on invisible things I won't go into. Try the program
in Listing 1
and see what happens on your system.)
When you read from a sparse file it looks as if the
file truly has
all those bytes. You get 9,999 NULs and the one byte
you wrote. But
only the one byte is actually out there on the disk.
This is why system
files like quotas and lastlog show different block
and byte sizes in an ls -ls listing:
320 -rw-r--r-- 1 root root 1026720 Mar 23 12:35 quotas
176 -rw-r--r-- 1 root root 593320 Mar 24 19:39 lastlog
These files contain entries indexed on UID. When an
entry for, say,
UID 15432 is made, the offset into the file is calculated
and the
entry is written at that offset. This results in a file
full of "holes."
If you move such a sparse file (using the mv command),
remains a sparse file. A move (within the same filesystem)
is a change
to directory entries only and does not involve the data
portion of
the file. Moving a file is the same as making a second
hard link to
it, then removing the original hard link. Moving a file
to a different
filesystem acts like a copy followed by removal of the
original file
(because of the way directories work -- see the section
of this
article on links.)
If you copy a sparse file (using cp or tar), it will
no longer be a sparse file! Copy the example file and
the copy will
use 10,000 bytes of disk to hold 9,999 NULs and one
final byte. Backup
utilities such as ufsdump work at a lower level and
do backup
and restore sparse files correctly. You can copy a directory
sparse files like this:
ufsdump 0f - /directory | (cd /new/location; ufsrestore xvf -)
You must be root to use dump and restore
because they access the raw device. This enables them
to read and
write the actual blocks that make up a file. They can
also back up
named pipes and device special files.
Directories are fairly straightforward (unless you accidentally
vi on one), but here, too, there are some quirks. Have
ever copied a tree from one place to another and wondered
why the
size of the copy is a few blocks smaller than the original,
yet all
the file sizes are unchanged?
As you add entries to a directory it grows in size to
hold the entries,
but does not shrink again when entries are removed.
When you copy
a directory using cp or tar, a new directory is built,
without the unused blocks, so the directory takes less
space. (Again,
dump/restore makes an exact copy). You can see a directory
shrink by doing this:
cp -r /lost+found /var/tmp
You probably have to do this as root because lost+found
is usually not world readable. Copy to /var/tmp because
already has a lost+found directory if you are using
The lost+found directory is always created with extra
for lots of entries so it does not have to be expanded
while fsck
is cleaning up a disk. When you copy lost+found, it
will shrink
to the minimum size for a directory, usually one block.
Here is ls
-ls before and after making a copy of the directory:
7 drwxr-xr-x 2 root 3232 Sun Feb 12 18:11 /lost+found
1 drwxr-xr-x 2 lisa 32 Sat Apr 1 16:46 /usr/tmp/lost+found
You can think of a directory entry as being the head
pointer of the
linked list that is a file's data. When you make a "hard
ln file1 file2
you now see both file1 and file2 when
you do an ls -l, and they have identical entries except
the link count field, which is "2" for each
-rw-r--r-- 2 lisa parent 509 Sat Mar 25 19:19 file1
-rw-r--r-- 2 lisa parent 509 Sat Mar 25 19:19 file2
The file has not been copied. In fact, the data portion
of the file has not been touched. What has happened,
is that the directory entry has been cloned but with
a different file
name. Both directory entries point to the same data.
You can delete
either entry and the data is still there. If you delete
the entry
for file1 in this example, the effect is exactly the
mv file1 file2
As stated earlier, moving a file to a different filesystem
turns into a copy followed by removal of the original
file. A directory
entry contains inode numbers, which are unique only
within a filesystem.
A directory entry cannot be "cloned" to a
different filesystem;
there is no way for a directory entry to point to the
data portion
of a file on a different filesystem. So you cannot hard-link
a file
to a different filesystem. But you can make a soft or
symbolic link:
ln -s file1 file2
which looks like:
-rw------- 1 lees manager 70 Mar 25 19:31 file1
lrwxrwxrwx 1 lees manager 5 Mar 25 19:31 file2 -> file1
A soft link is not a cloned directory entry, but is
a file, the content of which is a pathname. This pathname
may point
anywhere, or nowhere, or to itself! It has no direct
relation to the
data in the original file. If the original file is moved,
or removed,
the soft link remains and is now simply wrong.
Soft links use space outside a directory. No error checking
is done
when a soft link is created. Soft links require extra
disk accesses
to resolve. Nothing guarantees that a soft link will
remain valid.
Still, if you want to link two objects in different
filesystems, you
have no choice but to use a soft link.
Soft links are useful within a filesytem because they
preserve the
notion of an original file that is pointed to, or aliased.
If you
have installed SunOS binary compatibility, there is
a /dev
directory full of soft links, and links to links, such
as (ls
-l /dev/rdsk/c0t0d0s0):
2 lrwxrwxrwx 1 root root 55 Mar 8 13:28 c0t3d0s0 ->
This could be a hard link, but then you could not tell
by looking at it what it is a link to. That is the great
to hard links. The link count field tells you there
are one or more
other hard links to the object, but gives no clue at
all as to what
they are.
A device special file ("device" for short)
is a filesystem
object created by the mknod command. When a device is
control is given to a device driver. The device driver
knows how to
do the required operation (open, read, write,
ioctl, and so on) on the hardware associated with the
if any. Devices are a way of providing a very similar
interface to
a wide range of physically very different objects.
The mknod command doesn't know anything about devices
or device
drivers. It creates a special file object of type character
(raw) or block (file), and gives it a name and a major
a minor number. The major number determines which device
driver is
invoked when the device file is accessed. The minor
number is just
handed to the device driver; it is used to choose the
unit, partition,
or whatever is appropriate. Here are the device special
files for
the c0t3d0s0 device:
0 brw-r----- 1 root sys 32, 24 Mar 8 12:29 sd@3,0:a
0 crw-r----- 1 root sys 32, 24 Mar 8 13:07 sd@3,0:a,raw
The "b" in the listing signifies the block
device, the "c" the character or raw device.
The major
number 32 is the SCSI driver. The minor number 24 identifies
the SCSI
unit and slice (partition). The pattern in minor numbers
should be
evident from a few more SCSI device files:
0 brw-r----- 1 root sys 32, 25 Mar 8 12:29 sd@3,0:b
0 brw-r----- 1 root sys 32, 26 Mar 8 12:29 sd@3,0:c
0 brw-r----- 1 root sys 32, 48 Mar 8 12:29 sd@6,0:a
0 crw-r----- 1 root sys 32, 48 Mar 8 12:29 sd@6,0:a,raw
Notice the minor number incrementing for each new slice,
then jumping by 24 for the next SCSI logical unit (next
physical device
on that controller). Under Solaris the minor numbers
may change when
you add a disk and do boot -r. This usually did not
under SunOS, because the kernel config file defined
all the
devices that could reasonably exist and these device
files were created
whether or not the physical devices were present.
The device major number is an index into an operating
system table
of device drivers. Under SunOS you knew this number
because you had
to edit /sys/sun/conf.c and rebuild the kernel when
a new device driver. Under Solaris the kernel is configured
at boot
time (though additional modules may be added via the
command). The modinfo command tells you the major number
device drivers built into the operating system at boot
time or installed
with the modload command. These are a few of the loaded
on my SPARCstation 2 running Solaris 2.4; the "Info"
is the major number:
Id Loadaddr Size Info Rev Module Name
12 ff137000 cb70 32 1 sd (SCSI Direct Access Disk Driver)
51 ff2d6000 7dfc 11 1 tmpfs (filesystem for tmpfs)
61 ff40f000 6fdd 36 1 fd (Floppy Driver)
71 ff654000 9968 33 1 st (SCSI Sequential Access Driver)
Sun some time ago started making physical devices smart
enough to identify themselves at boot time (the adapter
cards contain
FORTH routines in ROM that do this). When you boot -r
a tree
is built under /devices containing the device files
for all
the physical devices that identify themselves in this
If you are using "compatibility mode," a tree
of soft links
-- the links having the name of the SunOS device file
-- is
built under /dev to the Solaris device file. You can
use mknod
here, but the preferred approach is to make a soft link
to the appropriate
device special file in the /devices tree. If you forget
do boot -r the following set of commands does more or
the same thing:
The mknod command can also make an object that is not
a device,
but a named pipe. We're all familiar with pipes, the
use of the "|"
character to connect the standard output of one process
to the standard
input of another process. A named pipe is similar, but
it is a permanent
object in the filesystem. The command
mknod my_fifo p
creates a named pipe named my_fifo. A named pipe
has ownership and permissions just like a file, so you
can restrict
its use with groups and file permissions. This named
pipe is read/write
for owner and for group parent:
prw-rw---- 1 lisa parent 0 Sun Mar 26 19:12 my_fifo
Named pipes have several advantages over "|"
pipes. The processes writing to and reading from the
named pipe do
not have to be related in any way. They can be run by
different users.
One can be foreground and one background. They can even
be on different
machines if the named pipe is an object in a mounted
filesystem! Root
privileges are not needed to create named pipes.
You will find named pipes in a number of places around
They are used in the Service Access Facility and in
the print spooling
tmpfs Filesystems
Sun introduced the tmpfs filesystem quite some time
ago (in 4.1.something)
and it is now the default for /tmp when installing Solaris
2. This makes /tmp an in-memory filesystem, kind of
like a
RAM disk on a PC. What tmpfs actually is doing is putting
/tmp in virtual memory, which means that files on /tmp
compete with programs for space in RAM and are paged
out to swap
space when memory is needed for something else.
Normally, all the data structures of a file (directory
entries, inodes,
data blocks) exist on disk. Many operations on a file
in a disk-based
filesystem require multiple accesses to disk to retrieve
or update
information in these data structures. In a tmpfs filesystem,
only file data is paged to disk. The associated information
stays in memory. So fewer, even zero, disk accesses
are needed to
use a file on a tmpfs filesystem.
But there are tradeoffs. Because the control information
is always
kept in memory, the number of files that can be created
is limited.
The limit is based on RAM size, not on the size of the
swap partition.
Heavily loaded systems with inadequate RAM memory may
be pushed into
thrashing by the use of tmpfs filesytems. This is one
thing to be aware of in analyzing and tuning performance.
The best use of a tmpfs /tmp is for many small, short-lived
files, such as the intermediate and scratchpad files
written by compilers.
(You should set the TMPDIR environment variable to /tmp
to make certain that compilers use /tmp instead of /usr/tmp
for these files.) The worst use of a tmpfs /tmp is to
large files that are written once and read many times.
Use a disk-based
filesystem local to the workstation for these files.
One last caveat: Although the man page for tmpfs claims
that tmpfs "provides standard file operations and
the exercise of creating sparse files (Listing 1) shows
this is not
completely true. There are no holes in a file on a tmpfs
Also, the df command does not give useful information
a tmpfs filesystem.
This is a collection of wisdom I have picked up
in the school of hard knocks.
Weird File Names
What do you do when one of your users manages to name
a file Ctrl-D
or embed a space in a filename? Once you realize that
something funny
is going on, you can use ls -b to show the problem filename,
with the control characters. Then it is a question of
figuring out
how to name the file to the rm command. Using single
solves many problems, such as:
rm 'a space'
rm 'back\slash'
You may be able to use wildcards:
rm a?space
rm back*
And if all else fails,
rm -ir dir
will go through all the files in a directory, even those
composed of completely untypeable names. (WARNING: Do
not, as root,
ever do something like
/bin/rm -rf .*
in a well-meaning attempt to remove all the files in
a directory. The wildcard ".*" includes "..",
is the parent directory of the one you are in. The syntax
.." means to remove everything in the parent directory.
I know
of a beginning sysadmin who did this (/bin/rm -rf .*)
to remove
a user directory and found to her horror that she was
removing all
user home directories on that filesystem! I believe
she has a job
doing something else now.)
How does the file command figure out the type of a file?
The secret
is in the file /etc/magic. This file defines file types
on the value of the initial bytes of a file. It as an
ASCII file,
so you can edit it and add new types or correct wrong
types (for example,
if the file command tells you a spreadsheet is a "pdp11/pre
V vax executable").
What's Going On Here?
How can you find out who is using a filesystem you need
to unmount?
With the fuser command
fuser -c /home/pixel/u40
The fuser command shows you the process ID of
all processes using the specified filesystem object.
You can then
use the ps command to find the users associated with
processes and ask them to do something else for a while
(see Figure 1).
You must be root to use the fuser command because
it needs
access to /dev/kmem.
A related command is truss. This command lets you trace
system calls made by a process (open, read, write,
and so on) and hence lets you find out what files the
process uses.
This command displays filenames as they are opened:
truss -t open command-string
and is even better than doing:
strings command | grep / | less
because you see filenames generated as the program runs,
and you get some feel for what the program is doing
as it accesses
the files. Any user can use the truss command, but it
not work with setuid or setgid programs, so it is
not a security hole. The man page for truss gives
detailed information on its options and examples of
its use. I find
truss particularly helpful in determining why a program
Move It!
Finally, if you are not familiar with the dd command,
do cultivate an acquaintance. This is the way to move
blocks from
one device to another. It can do many manipulations
on what it is
moving, but I find it most useful for making exact copies
in situations
where cp cannot be used. For example,
rsh server dd if=/dev/nrst0 | cat > file.tar
reads a tar file from a tape on one machine and
puts it in a disk file on the current machine. The commands:
dd if=/dev/fd0 of=/tmp/floppy bs=36b count=80
(insert and format a new floppy)
dd if=/tmp/floppy of=/dev/fd0 bs=36b count=80
perform a sector-by-sector copy of a high density floppy
disk to a file, then copy it out to a floppy disk again.
This is a
way to make an exact copy of a floppy disk. (A high-density
disk has 18 512-byte blocks on a track, 80 tracks, 2
cylinders, hence
my choice of bs and count. You may have to be
root to access the floppy drive, and details are system
You still have to low-level format the floppy disk before
you write
to it. Use the fdformat command.)
About the Author
Lisa Lees has an M.S. in computer science and has worked
the past twenty years as a teacher, writer, programmer,
and system
administrator. Her love/hate relationship with UNIX
dates to 1985.
Lisa is a systems analyst with the Department of Computer
and is the manager of the Pattern Recognition and Image
Lab at Michigan State University. She is a member of
and the USENIX System Administrators Guild. She can
be reached at:
[email protected]; http://www.cps.msu.edu/~lees.