root sh/zcat process swamping CPU

root sh/zcat process swamping CPU

Post by Auga » Tue, 14 Jan 2003 02:24:17



Ordinarily I can find the solution to all my woes without troubling
you fine folk if I search hard enough, but this one has be stumped.

I have just built an Athlon XP2100+ and installed RedHat 7.1 on it.
This is the first computer I've built with effectually infinite space
to give to the / partition (including /usr), so I installed virtually
all packages. On previous machines I was forced to be much more
conservative.

I also, coincidentally, have found an issue that I haven't previously
run into.
Almost as soon as the machine was up and running, I started a
CPU-intensive job that was humming along nicely at >99% CPU. It ran
that way 36 hours or so, and then a root-owned "sh" job showed-up in
`top` soaking up 50% of my CPU. I wasn't too happy about it, had a
look around, tried `renicing` my job to -19 with little benefit, and
decided to `kill` it as it didn't appear to be doing anything
critical. As soon as it died, another `sh` job started. This time I
thought to look at the full command under `ps -aux` and found that
this one was `sh -c zcat ./socket.n.gz`, and also soaked up heaps of
my CPU.I killed it too. Thereafter a few root-owned `zcat` jobs popped
up with tiny CPU loads, which I left alone, and now all is quiet again
and my processor has the full resources of the CPU available to it
again.

My questions are these: what the *were those piggy processes? I
presume that they were being piped somewhere, as an arbitrary
uncompression delivered to stout alone doesn't make much sense for a
background process -- for my own edification, how could I have traced
where they were being piped to? Lastly, did I kill something
important?

Thanks so much

J

 
 
 

root sh/zcat process swamping CPU

Post by Bill Marcu » Wed, 15 Jan 2003 02:26:37


On 12 Jan 2003 09:24:17 -0800, Augasm

> My questions are these: what the *were those piggy processes? I
> presume that they were being piped somewhere, as an arbitrary
> uncompression delivered to stout alone doesn't make much sense for a
> background process -- for my own edification, how could I have traced
> where they were being piped to? Lastly, did I kill something
> important?

Have you looked in /etc/crontab or /etc/cron.(daily|weekly|monthly)?

 
 
 

root sh/zcat process swamping CPU

Post by Auga » Wed, 15 Jan 2003 13:24:32



> On 12 Jan 2003 09:24:17 -0800, Augasm

> > My questions are these: what the *were those piggy processes? I
> > presume that they were being piped somewhere, as an arbitrary
> > uncompression delivered to stout alone doesn't make much sense for a
> > background process -- for my own edification, how could I have traced
> > where they were being piped to? Lastly, did I kill something
> > important?

> Have you looked in /etc/crontab or /etc/cron.(daily|weekly|monthly)?

There's an indirect but possible candidate in cron.daily --
tripwire-check is a script to run `test -f /etc/tripwire/tw.cfg &&
/usr/sbin/tripwire --check` if `-e
/var/lib/tripwire/${HOST_NAME}.twd`. The only mention of zcat anywhere
in /etc is in /etc/tripwire/twpol.txt:  `/bin/zcat -> $(SEC_CRIT);` .
I can't find anything more meaningful about SEC_CRIT, and besides
that, mail is sent to root having failed the `-e
/var/lib/tripwire/${HOST_NAME}.twd` test. I'll look into the trip wire
thing, but do you (or anybody) have any other ideas?

thanks!

j