wtmp logs and shutdown

Post by Brian Hanl » Thu, 11 Dec 1997 04:00:00

Hi everyone...

I installed Slackware 3.3 on my home PC last week, and I've
noticed something odd...

If I examine the wtmp log using 'last', I see an entry with
the word 'crash' at the end for every time I shut down or
restarted the computer. This with the user column (the first
column) in the entry being the superuser.

Usually I shutdown or restart my computer with "shutdown -h 0"
or "shutdown -h now" (and "shutdown -r 0" or "shutdown -r now")
when logged in, or su'd, as root.

It's quite strange... because I wait until my "rc.0" script
prints "The system is halted", then I wait a little while before
actually powering down my PC.

The rc.0 script invokes "halt -w" to create a wtmp log entry,
but I would have expected it to say something other than "crash"...
It actually shuts down linux with "halt -f" ...

This is just a plain out-of-the-box install. I also have the
Slackware 3.4 CDs...

The other thing is, when I booted up this morning, fsck told
me that I had reached maximum mounts, or something to that effect.
Then it proceeded to do something (probably checking the filesystem),
and my boot continued merrily along its way.

I always unmount my cdrom or floppy when I'm done with it, so
I presume this is just a regular check that fsck performs after
every N mounts of the root filesystem? Or could this be related
to improper syncing of the disks, or somesuch? (Possibly related
to my wtmp logs?)

I have a Maxtor 4.3 GB EIDE HD on IDE 0, with 4 primary partions:
my DOS/Win95 primary, an entry for my DOS/Win95 extended partions,
my Linux primary, and my Linux swap. The MBR has Linux as the only
active partition, and LILO is installed in the superblock of the latter.

My CDROM is a 24x Sony EIDE/ATAPI on IDE 2.
I have my primary DOS/Windoze partition, as well as my two extended
DOS/Windoze partitions mounted on "/win95_C", etc, ...

Any ideas?


Brian Hanley
Systems Design Engineering, U of Waterloo
Class of 2001 "SyDe FX"

Brian S Hanley                   | "Fear is the main source of superstition,
1B/2A Systems Design Engineering |  and one of the main sources of cruelty.
U of Waterloo                    |  To conquer fear is the beginning of wisdom."
(On workterm at Telesat Canada)  |  - Bertrand Russell


1. shutdown and /var/log/wtmp mystery?

I have recently installed Slackware on my PC (with XFree86) and have
noticed a few strange things about the way the logins are recorded  in
/var/log/wtmp work with `shutdown'

If I use CTRL-ALT-DEL to reboot and I am still logged in, the output from
the `last' command indicates that the system went down as I expect it to.

jpw       ttyp0        :0.0             Sun Jan 18 12:47 - down   (00:25)

The entry for this function in my /etc/inittab is

   ca::ctrlaltdel:/sbin/shutdown -t5 -rfn now

However if I reboot/halt the system whilst logged in as root by a command
such as `shutdown -r now' or `shutdown -h now' from the prompt it seems to
suggest that the system has crashed, even though I don't get any errors
during the running of /etc/rc.d/rc.6 or creeping into my /var/log/syslog or
/var/log/messages files.

jpw       ttyp1        :0.0             Sat Jan 17 18:01 - crash  (00:01)

Does this mean that there is a bug in the logging mechanism or could it
indicate a problem with the `shutdown' or is CTRL-ALT-DEL safer than the
`shutdown' command itself?

I have also noticed that running X-windows seems to create additional
entries in /var/log/wtmp (on starting up a new xterm) but when the X server
is closed down the end times of these `logins' do not seem to be recorded
in this file, even though the processes seem to be properly terminated.

