From owner-freebsd-questions Wed Nov 13 2:26: 7 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 24E5037B401 for ; Wed, 13 Nov 2002 02:26:06 -0800 (PST) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id C906443E42 for ; Wed, 13 Nov 2002 02:26:03 -0800 (PST) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost.infracaninophile.co.uk [IPv6:::1]) by smtp.infracaninophile.co.uk (8.12.6/8.12.6) with ESMTP id gADAQ060026399 for ; Wed, 13 Nov 2002 10:26:00 GMT (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk) Received: (from matthew@localhost) by happy-idiot-talk.infracaninophile.co.uk (8.12.6/8.12.6/Submit) id gADAPtL6026398 for freebsd-questions@FreeBSD.ORG; Wed, 13 Nov 2002 10:25:55 GMT Date: Wed, 13 Nov 2002 10:25:55 +0000 From: Matthew Seaman To: freebsd-questions@FreeBSD.ORG Subject: Re: I'm probably overlooking something really stupid but... Message-ID: <20021113102555.GA26077@happy-idiot-talk.infracaninophi> Mail-Followup-To: Matthew Seaman , freebsd-questions@FreeBSD.ORG References: <008c01c28af0$fe072360$4500a8c0@lucifer> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <008c01c28af0$fe072360$4500a8c0@lucifer> User-Agent: Mutt/1.5.1i X-Spam-Status: No, hits=-3.0 required=5.0 tests=IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,SPAM_PHRASE_02_03, USER_AGENT,USER_AGENT_MUTT version=2.43 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Wed, Nov 13, 2002 at 03:45:17AM -0500, J.M. Warenda wrote: > ...sometimes you need to just ask to see if you overlooked > something obvious. > > I'm running a FreeBSD 4.4-RELEASE box as my natd gateway for my > home LAN and lately it's been reporting that /var is full ... df > reports it at 107% capacity but du doesn't reveal what's filling it up. > > I had once had apache fill /var because of some trojan trying IIS > attacks on my apache server, but I've since disabled Apache so, it's > not that! Only other things running are ftpd, telnetd, and sshd ... > plus ezbounce (so I can ident on EFNet from machines behind the > gateway), natd, and xchat under X. > > Any thoughts on what might be filling var? I ran fsck -f and that > didn't reveal anything. It's possible that some process has an open file descriptor on a file that has been unlinked from the filesystem --- eg. through cycling log files. This will absorb space on /var, but there will be no way to access the data other than from the process with the open descriptor. You can track this down by running 'fstat -f /var' which will show you all the open file descriptors currently held on /var. Unfortunately, you're then going to have to take the inode numbers from that output and eliminate all of the ones that are associated with known files: #!/bin/sh find /var -xdev -ls > /tmp/var-files for i in $(fstat -f /var | sed -e 1d | awk '{ print $6 }' | sort -nu) ; do grep -e "^ *$i " /tmp/var-files || echo "**** inode $i not found ***" done Once you've pinned down the process with the open descriptor, you should be able to kill or restart it, which will release the space. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message