How to *really* remove a file?

Robert Heller heller at deepsoft.com
Thu Jan 5 14:23:58 UTC 2023


At Thu, 05 Jan 2023 09:19:11 +0100 bo.berglund at gmail.com, "Ubuntu user technical support, not for general discussions" <ubuntu-users at lists.ubuntu.com> wrote:

> 
> I have noted that on Ubuntu if I have a file and run:
> 
> rm filename
> 
> the file vanishes from sight (is no longer listed by ls or the like) but it
> seems to still exist!

The Linux 'rm' (and 'mv') commands don't ever directly reclaim disk space.  
Instead, these commands update the contents of the directory files.  The file 
system keeps track of things with reference counts in the inode records (which 
the directory entries point to).  When the reference count drops to zero, the 
blocks of the file are reclaimed.  There are two things that affect the 
reference count: how many "names" (in directories) point to the inodes and how 
many *processes* have an open file descriptor to the inode.  When ALL of the 
names no longer point to the inode and ALL of the processes close their file 
descriptors pointing to the inode, the reference count becomes zero and the 
inode and its blocks are reclaimed.

So, once you have rm'ed and/or mv'ed the file *names* away from the inode AND 
all of the processes that have the inode open have closed their connections, 
the inode and its blocks are "deleted" (reclaimed).

> 
> For example if I have a process logging to the file when I run the rm command it
> still continues to log (invisibly) to the now removed file instead of creating
> the file anew and log to the new (same name) file.

Most daemons can be "reloaded" with systemctl:

sudo systemctl reload daemon

This generally causes the daemon to close and re-open its log file(s).
This is in fact the "trick" logrotate uses.

> 
> Same if I don't rm it but instead mv it to a new name, then the logging
> continues into the new name of the old file.
> 
> The logging case is just an example, my real concern is access to video files,
> which I may remove in order to disallow further access. It seems like any
> process that has started reading the video still has access to the removed file
> including Apache....
> 
> What can I do to *really* remove the file I want to kill?

You need to arrange for the *processes* to *close* the files.  Most daemons 
(including Apache) will do this on reload and will certainly do it on restart. 
Otherwise you need to use lsof to find the process in question and then kill 
the process.

> 
> Is the only way to do the following:
> 
> echo "killed" > filename
> 
> in order to kill the *content* and then
> 
> mv filename someotherfilename
> 
> Or if I want to keep the file but remove current access to the content:
> 
> mv filename newfilename
> cp newfilename filename
> echo "killed" > newfilename
> 
> I figure that the file name is only used at the very instant the file is opened
> for either read or write and then a *handle* to the file is used by the
> accessing process.
> 
> This would explain what I see happening and then the question becomes:
> 
> How to remove a file completely such that it does no longer exist for future AND
> existing accesses?
> 
> PS:
> The logging case is touched upon in my earlier thread here:
>  "How to persist MQTT logging across reboot?"
> That also contained a section about rotating logs every 24 hours where the
> solution was to copy the current logfile content into a new file and reset the
> content of the existing log allowing current processes to continue logging new
> content into it.
> DS
> 

-- 
Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services
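
The behaviour described in the reply above, as an added example that is not part of the original message: a script that removes the only name of a file while a descriptor is still open, shows the data is still readable, and scans /proc for processes holding unlinked files. It assumes Linux with /proc and GNU stat; the function names and the temporary file are constructed for illustration.

```sh
#!/bin/sh
# Added example (Linux, needs /proc). All paths are temporary, constructed here.

# Print "held pid=.. fd=.. target" for each open descriptor whose file has been
# unlinked and whose old path contains $1. `lsof +L1` reports the same condition.
holders_of_deleted() {
    for link in /proc/[0-9]*/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *"$1"*" (deleted)")
                pid=${link#/proc/}
                echo "held pid=${pid%%/*} fd=${link##*/} $target" ;;
        esac
    done
}

# Hold a file open on fd 9, rm its only name, and report what is left.
demo_unlinked_file() {
    dir=$(mktemp -d) || return 1
    file="$dir/video.dat"
    echo "sample content" > "$file"

    exec 9< "$file"     # this shell plays the process that has the file open
    rm "$file"          # drop the only name that pointed at the inode

    if [ -e "$file" ]; then echo "name=present"; else echo "name=gone"; fi
    echo "nlink=$(stat -L -c %h /proc/self/fd/9)"   # names left on the inode
    echo "content=$(cat <&9)"                        # data is still readable
    holders_of_deleted "${dir##*/}/video.dat"        # who still has it open

    exec 9<&-           # last descriptor closed: now the blocks are reclaimed
    remaining=$(holders_of_deleted "${dir##*/}/video.dat")
    echo "after_close=${remaining:-none}"
    rmdir "$dir"
}

demo_unlinked_file
```

Run against a real path fragment, `holders_of_deleted` names the processes that must be reloaded, restarted or killed before the removed file's content is actually gone; reading other users' descriptors requires root.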
                                                           


