/proc kcore file is huge

Question

After experiencing a DDOS attack, somehow /proc/kcore is very huge, I use a small php class to check the current disk space, and how many has been used.

It shows the following:

Total Disk Space: 39.2 GB Used Disk Space: 98 GB Free Disk Space: 811.6 MB 

My question is, is it safe to delete the /proc/kcore file? Or is there a solution on getting it to an normal size.

The filesize of /proc/kcore is 140.737.486.266.368 bytes

I have hosted my server at DigitalOcean.

If any more information needed to know, please ask ;)

Many thanks!

Edit...

df -h returns:

Filesystem      Size  Used Avail Use% Mounted on /dev/vda         40G   37G  755M  99% / udev            993M   12K  993M   1% /dev tmpfs           401M  224K  401M   1% /run none            5.0M     0  5.0M   0% /run/lock none           1002M     0 1002M   0% /run/shm 

du -shx returns:

du -shx * 8.7M    bin 27M     boot 12K     dev 6.3M    etc 4.8M    home 0       initrd.img 229M    lib 4.0K    lib64 16K     lost+found 8.0K    media 4.0K    mnt 4.0K    opt du: cannot access `proc/3765/task/3765/fd/3': No such file or directory du: cannot access `proc/3765/task/3765/fdinfo/3': No such file or directory du: cannot access `proc/3765/fd/3': No such file or directory du: cannot access `proc/3765/fdinfo/3': No such file or directory 0       proc 40K     root 224K    run 8.0M    sbin 4.0K    selinux 4.0K    srv 0       sys 4.0K    tmp 608M    usr 506M    var 0       vmlinuz 

Results of lsof | grep deleted:

mysqld     1356      mysql    4u      REG              253,0           0    1835011 /tmp/ib4jBFkc (deleted)     mysqld     1356      mysql    5u      REG              253,0           0    1835012 /tmp/ibcE99rr (deleted)     mysqld     1356      mysql    6u      REG              253,0           0    1835013 /tmp/ibrxYEzG (deleted)     mysqld     1356      mysql    7u      REG              253,0           0    1835014 /tmp/ibK95UJV (deleted)     mysqld     1356      mysql   11u      REG              253,0           0    1835015 /tmp/iboOi8Ua (deleted)     nginx     30057       root    2w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)     nginx     30057       root    5w      REG              253,0 37730323404     268273 /etc/nginx/off (deleted)     nginx     30057       root    6w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)     nginx     30058   www-data    2w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)     nginx     30058   www-data    5w      REG              253,0 37730323404     268273 /etc/nginx/off (deleted)     nginx     30058   www-data    6w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)     nginx     30059   www-data    2w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted)     nginx     30059   www-data    5w      REG              253,0 37730323404     268273 /etc/nginx/off (deleted)     nginx     30059   www-data    6w      REG              253,0           0     789548 /var/log/nginx/error.log (deleted) 

Answer 1

In answer to your original question:

"Is it safe to delete the /proc/kcore file? Or is there a solution on getting it to an normal size."

No, it's not safe. Well, I wouldn't like to bet what would happen if you deleted it anyway!

The /proc directory is the mount point for procfs (run mount and see the output like below: )

proc on /proc type proc (rw) 

procfs is a bit of dark magic; no files in it are real. It looks like a filesystem, acts like a filesystem, and is a filesystem. But not one that is stored on disk (or elsewhere).

/proc/kcore specifically is a file which maps directly to every available byte in your virtual memory ... I'm not absolutely clear on the details; the 128TB comes from Linux allocating 47ish bits of the 64bits available for virtual memory.

(There's discussion on the 128TB limit here: https://unix.stackexchange.com/questions/116640/what-is-maximum-ram-supportable-by-linux )

Anyway, putting aside Linux's hard-coded virtual memory limits - what we come to understand in the context of your question is this: /proc/kcore is a system file, provided by the virtual procfs filesystem, and is not a real file.

Don't delete it ;-)

---

Update: 2016-06-03

My answer here keeps periodically being up-voted - so I assume people are still looking for an explanation of what /proc/kcore is.

There's a helpful Wikipedia article titled Everything is a file which gives a little background. If you're really curious - take a look into the Plan9 OS.

Hopefully my original answer sufficiently explains kcore itself. I'm speculating that people reading this answer may be curious about other files in /proc too - so here are some other "interesting" examples.

• /proc/sys/* is a mechanism for the user (you) to read/write details from the heart of Linux (the kernel and associated drivers etc). A cute example of a r/w item is "IP forwarding":

  Read: cat /proc/sys/net/ipv4/ip_forward (0 is off, 1 is on)

  Write: echo 1 > /proc/sys/net/ipv4/ip_forward

  As with kcore, this isn't a real file. But it acts like one. So when you write to it, you're actually changing software settings as opposed to bytes on a disk.

• /proc/meminfo and /proc/cpuinfo are read-only. You can cat or less them, or fopen() from your own application. They show you details about your hardware (memory and CPU).

• /proc/[0-9]+ are actually process IDs running on your machine! These are (IMHO) by far the coolest feature of /proc. Inside them you will find more fake files like cmdline which tell you what command was used to start the process.

Finally there's some other examples of "interesting filesystems", like /proc. There are purely in-memory and "user-space" to name just two. Again these (generally speaking) do not consume any real disk space, although tools like df and ls may report real file sizes.