Date: Thu, 9 Oct 2014 15:29:26 -0700 From: John-Mark Gurney <jmg@funkthat.com> To: elof2@sentor.se Cc: freebsd-net <freebsd-net@freebsd.org>, snort-devel mailinglist <snort-devel@lists.sourceforge.net> Subject: Re: Unable to kill a non-zombie process with -9 Message-ID: <20141009222926.GC1852@funkthat.com> In-Reply-To: <alpine.BSF.2.00.1410081310340.39263@farmermaggot.shire.sentor.se> References: <alpine.BSF.2.00.1410081310340.39263@farmermaggot.shire.sentor.se>
next in thread | previous in thread | raw e-mail | index | archive | help
elof2@sentor.se wrote this message on Wed, Oct 08, 2014 at 13:30 +0200:
>
> I guess this is a bug report for FreeBSD 10.0.
>
>
>
> Sometimes I can't kill my snort process on FreeBSD 10.0.
> It won't die, even with kill -9.
>
> I'm not talking about a zombie process. Snort is a process that should
> die normally.
> I've run snort on over 100 nodes since FreeBSD v6.x and I've never seen
> this behavior until now in FreeBSD 10.0.
>
>
> Example:
>
> #ps faxuw
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME
> COMMAND
> root 49222 53.4 2.2 492648 183012 - Rs 11:46AM 7:05.59
> /usr/local/bin/snort -q -D -c snort.conf
> root 47937 0.0 2.2 488552 182864 - Ts 10:56AM 29:35.98
> /usr/local/bin/snort -q -D -c snort.conf
What is the MWCHAN? add l to the ps command...
> The pid 47937 has been killed (repeatedly) with -9.
> Its status is "Ts" meaning it is Stopped.
have you tried to kill -CONT <pid> to resume it?
> But it won't actually die and disappear. The only way to get rid of it
> seem to be to reboot the machine. :-(
>
> (pid 49222 is the new process that was started after 47937 was killed)
>
>
> The problem doesn't happen all the time and I haven't found any patterns
> as to when it does. :-(
> If I restart snort once every day, it fails to die approximately 2-4 times
> per month.
> Even though the problem doesn't happen on every kill, it is a definately a
> recurring event.
Can you run kgdb on the machine? (yes, it works on a live machine), use
info threads to find the thread id, and then use thread <threadid> to
switch to it, and run bt to get a back trace...
> I began to see it on a heavily loaded 10GE sensor, so I thought it could
> have something to do with the ix driver, or the heavy load.
> But now another FreeBSD 10.0-sensor had the exact same problem, and this
> sensor don't have any 10GE NICs. In fact, this sensor has been running
> just fine with both FreeBSD 9.1 and 9.3 for the past years. Snort has
> always terminated correctly! After I reinstalled this machine with FreeBSD
> 10.0 last friday, snort has then terminated correctly every day until
> today, when it failed with the above pid 47937. (this sensor use the 'em'
> driver, not 'ixgbe')
>
> I'm running snort with the same configuration, settings, version, daq,
> libs, etc on 10.0 as I do on 9.3.
> None of the 9.3 sensors have this problem, so it has to be something new
> in FreeBSD 10.0.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141009222926.GC1852>