Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 13 Nov 2002 10:25:55 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: I'm probably overlooking something really stupid but...
Message-ID:  <20021113102555.GA26077@happy-idiot-talk.infracaninophi>
In-Reply-To: <008c01c28af0$fe072360$4500a8c0@lucifer>
References:  <008c01c28af0$fe072360$4500a8c0@lucifer>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Wed, Nov 13, 2002 at 03:45:17AM -0500, J.M. Warenda wrote:
>     ...sometimes you need to just ask to see if you overlooked
> something obvious.
> 
>     I'm running a FreeBSD 4.4-RELEASE box as my natd gateway for my
> home LAN and lately it's been reporting that /var is full ... df
> reports it at 107% capacity but du doesn't reveal what's filling it up.
> 
>     I had once had apache fill /var because of some trojan trying IIS
> attacks on my apache server, but I've since disabled Apache so, it's
> not that! Only other things running are ftpd, telnetd, and sshd ...
> plus ezbounce (so I can ident on EFNet from machines behind the
> gateway), natd, and xchat under X.
> 
>     Any thoughts on what might be filling var?  I ran fsck -f and that
> didn't reveal anything.

It's possible that some process has an open file descriptor on a file
that has been unlinked from the filesystem --- eg. through cycling log
files.  This will absorb space on /var, but there will be no way to
access the data other than from the process with the open descriptor.

You can track this down by running 'fstat -f /var' which will show you
all the open file descriptors currently held on /var.  Unfortunately,
you're then going to have to take the inode numbers from that output
and eliminate all of the ones that are associated with known files:

    #!/bin/sh

    find /var -xdev -ls > /tmp/var-files
    for i in $(fstat -f /var | sed -e 1d | awk '{ print $6 }' | sort -nu) ;
    do
       grep -e "^ *$i " /tmp/var-files || echo "**** inode $i not found ***"
    done

Once you've pinned down the process with the open descriptor, you
should be able to kill or restart it, which will release the space.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021113102555.GA26077>