Mastering Linux Disk Space: From Detection to Safe Deletion of Large Files
Learn how to quickly locate oversized files and directories on a Linux server, verify safety before removal, use proper commands for secure deletion, and implement automation to prevent future disk‑space emergencies.
1. Locate large files and directories
Start by checking overall disk usage with df -h to find mounts that are over 80% full. Then list directory sizes and sort them: du -ah --max-depth=1 / | sort -rh For targeted searches use find or the interactive tool ncdu (install with sudo apt install ncdu and run sudo ncdu /).
ncdu : keyboard navigation, press d to delete a selected file.
du + sort : du -ah /var | sort -rh | head -n 20 shows the top 20 biggest entries.
Find files larger than 100 MB : find / -type f -size +100M -exec ls -lh {} \; 2>/dev/null Find large log files :
find /var/log -type f -name "*.log" -size +1G -exec ls -lh {} \;2. Safety checks before deletion
Verify the file is not open by a running process: lsof /path/file.
Confirm the file is not a system‑critical component (kernel, configuration, library) using file and ls -lh.
Back up important data before removal, e.g., cp or tar for databases or logs.
Typical mistake
Running rm -rf /var/log/myapp.log on a log that is still being written leaves the file handle open, so df -h reports no freed space and the service may crash.
Correct approach: truncate the file while keeping the descriptor alive:
> /var/log/myapp.log3. Safe deletion techniques
Ordinary files : use interactive delete rm -i file.
Very large files : run the removal with low I/O priority ionice -c 3 rm -f /big.iso.
Active log files : clear the content but keep the file > /var/log/app.log.
Sensitive data : overwrite before removal shred -v -n 3 -z secret.txt.
4. Why space may not be freed after deletion
Often a “ghost” file – deleted but still held open by a process – prevents space reclamation. List such files with: lsof | grep deleted Resolution options:
Restart the affected service: systemctl restart <em>service-name</em>.
Close the file descriptor directly (if the process cannot be restarted): > /proc/<em>PID</em>/fd/<em>FD</em>.
Stop or kill the process that holds the deleted file.
5. Common “disk killers” and quick fixes
System log explosion : clean /var/log with logrotate or manually remove old logs.
Docker container logs : prune with docker system prune -a.
APT cache : run apt clean.
Temporary files : delete files in /tmp and /var/tmp older than 7 days, e.g., find /tmp -type f -mtime +7 -delete.
Deleted but still used files : locate with lsof and free them as described in section 4.
6. Automation & optimization to prevent recurrence
Configure log rotation (logrotate)
/var/log/myapp/*.log {
daily
rotate 7
compress
missingok
notifempty
create 0640 root adm
}Limit Docker log size
Add the following to /etc/docker/daemon.json:
{
"log-driver": "json-file",
"log-opts": {
"max-size": "50m",
"max-file": "3"
}
}Locate → Verify → Safely Delete → Prevent Recurrence
Following this systematic workflow helps recover disk space quickly while maintaining service stability.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Ray's Galactic Tech
Practice together, never alone. We cover programming languages, development tools, learning methods, and pitfall notes. We simplify complex topics, guiding you from beginner to advanced. Weekly practical content—let's grow together!
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.