1

Based on this question : How to disable swap files in ESXi?.

The main answer states that it is possible to extract data from the swap files (for exemple using strings) so I tried to make a simple copy of the file, but ESXi puts a lock on it. The exact error is Device or resource busy

Here is what i got from vmkfstools -D:

    Lock [type 10c00001 offset 45031424 v 499, hb offset 3256320
gen 51, mode 1, owner 54e48032-69f209cc-06f6-c454440c07d0 mtime 30417
num 0 gblnum 0 gblgen 0 gblbrk 0]
Addr <4, 83, 172>, gen 498, links 1, type reg, flags 0, uid 0, gid 0, mode 600
len 4294967296, nb 4096 tbz 0, cow 0, newSinceEpoch 4096, zla 3, bs 1048576

The only way to remove the lock is to poweroff the virtual machine, but if I do, the file is deleted. That is why I am wondering, is it possible to remove the lock, or to prevent the deletion of the file?

I could not ask drectly on the thread because I do not have enough points to comment but I think it deserves an entire question. What are the possibilities to retrieve this file.

EDIT : A first suggestion is to simply delete the lock, either by killing all processes using the file (cannot be done for me), or using something like flock. It isn't installed on ESXi so it is not a valid option I am afraid

Another idea is to lock the file between the time it is unlocked, and the deletion, I have not tried this yet, still lookin for a way to lock/unlock any file

Community
  • 1
user3779430
  • 121
  • 2
  • The lock is normal since ESXi is actually using it. Is there a reason you can't just run `strings` against the original file? – GregL Mar 10 '15 at 15:48
  • actually i have not tried `strings` because it is not installed on my server and I do not have the rights to install it, I tried `cat` hoping it was acting the same way. The lock is normal but isn't there a way of deleting it through a command since we have control on ESXi. – user3779430 Mar 10 '15 at 15:58
  • Deleting the lock? I can't imagine the VMKernel would appreciate that but it's possible it would deal with it (semi)-gracefully. I don't think I'd try it though. – GregL Mar 10 '15 at 16:55
  • If you're on a remote storage that supports it, you could take an array snapshot and present the new volume to the ESXi host and do what you want to the files since they're not being read. – GregL Mar 10 '15 at 16:56
  • @GregL the idea of deleting the lock sounds interesting, I made a quick search on the internet and it seems the only way of doing it is to stop the processes using the file, in my case lsof showed a list that seemed way too long to do that, isn't there another way? Also I had another idea, using a script isn't it possible to prevent the deletion of the file by locking it between the time it is unlocked and the time ESXi tries to delete it? – user3779430 Mar 11 '15 at 10:21

0 Answers0