Filesystem capacity reports from df -h and du -sh can diverge, often because of deleted files that remain locked by running processes. On a CentOS 6.5 host, the root partition /dev/mapper/VolGroup-lv_root showed 44 GB used out of 50 GB, while the sum of du -sh / (excluding subvolume mounts) added up to only about 6-7 GB.

Check the detailed usage with:

df -h
Filesystem                    Size  Used Avail Use% Mounted on
/dev/mapper/rootvg-lv_sys      50G   44G  3.4G  93% /
tmpfs                         2.4G     0  2.4G   0% /dev/shm
/dev/sda1                     485M   32M  428M   7% /boot
/dev/mapper/rootvg-lv_data     586G  165G  392G  30% /data

Running du -sh / --exclude=/proc --exclude=/sys --exclude=/data reports a much smaller total, confirming the mismatch.

To find unlinked but held files, use lsof:

lsof +L1
# or
lsof | grep -i deleted

The output revealed several entry, notab a MySQL general log:

mysqld    1652  mysql    3w   REG  253,0  38989980588  1310730 /tmp/u_mail.log (deleted)

This41 GB log file had been removed from the directory but was stillopen by the mysqld process. Consequently, the blocks remained allocated untill the process releases them.

To resolve the space leak, locate the MySQL configuration that enables the general log:

grep general_log /etc/my.cnf
# or in a custom config like /usr/local/umail/config/mysql/my.cnf

Comment out the general_log and general_log_file directives, then restart the database service:

/etc/init.d/umail_mysqld restart

After the restart, df -h immediately shows the freed space andusage returns to a normal80 level.lds Always verify with lsof +L1 that no significant deleted files remain open.