Date: Thu, 9 Sep 2004 19:08:23 +0200 From: cpghost@cordula.ws To: Paul Schmehl <pauls@utdallas.edu> Cc: FreeBSD-questions <questions@freebsd.org> Subject: Re: Phantom /var full messages Message-ID: <20040909170823.GA6148@bsdevil.farid-hajji.net> In-Reply-To: <44A044721750C2FA9877513F@utd49554.utdallas.edu> References: <44A044721750C2FA9877513F@utd49554.utdallas.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Sep 09, 2004 at 11:50:36AM -0500, Paul Schmehl wrote: > I'm running snort 2.1.3 and mysql 3.23.58 on FreeBSD 4.9 RELEASE. All > applications are built from ports. > > Periodically I get /var full messages and everything comes to a grinding > halt. The problem is, /var isn't full. > > df -h will show /var at 104%, but du -h /var shows /var at 40% (for > example). If I shut down snort and mysql, wait for a minute and then start > them back up, df agrees with du again. > > The system works fine because only /var is full (although things can get > squirrelly if I let it go long enough because the system can't write to the > logs or the mail spool), so I can still ssh in and run utilities. > > I suspect this is some sort of filehandle not being released issue, but I'm > not sure how to track it down. I've got lsof installed, but I'm not an > expert on it yet. If you can afford it, just restart every server process that may be consuming resources. Some programs open(2) a file, then immediately unlink(2) it from the directory. lsof(1) wouldn't help you there, because the file is effectively invisible to every other process. Stopping that process will effectively free all resources, including the disk blocks belonging to the open file. Or at least, you may be able to see a big file appear, after you've restarted the process. > Any hints would be welcomed. What's the best way to troubleshoot this > problem? > > Paul Schmehl (pauls@utdallas.edu) > Adjunct Information Security Officer > The University of Texas at Dallas > AVIEN Founding Member > http://www.utdallas.edu -cpghost. -- Cordula's Web. http://www.cordula.ws/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040909170823.GA6148>