Giorgos Keramidas wrote: > On 2006-10-18 07:13, Paul Murphy <[EMAIL PROTECTED]> wrote: >> Giorgos Keramidas wrote: >>> On 2006-10-18 07:53, "Office of CEO- rithy4u.NET" <[EMAIL PROTECTED]> wrote: >>>> Dear All, >>>> My firewall server was running out of space on / partition I >>>> have try to reboot/fsck and delete all unneccessary files >>>> inside / but I still get 12 MB of free space with total 495 MB >>>> worth of that partition. Any ideas? >>> First of all, try to track down where all the space has gone, by >>> using `df' and `du' with the -x option. For example, you can get >>> a good idea of which places in your root filesystem are the top-10 >>> users of space with: >>> >>> # cd / >>> # du -xm . | sort -nr | head -10 >>> >>> If this doesn't show up a lot of stuff, then there's probably a >>> rogue process which has opened a file and then removed it, so >>> it's not directly visible by traversing the tree with `du', but >>> you can still look for it with: >>> >>> # fstat -f / | sort -k +8 >>> >>> After you get this sort of information, we can make more informed >>> suggestions about the best way to move forward :) >> I have been trying to track down a similar problem! Using the above >> method I think I have found 'natd' to be the culprit. Should 'natd' >> receive a signal when 'alias.log' rolls over? Restarting 'natd' seems >> to have releases some megabytes. > > Nice catch, Paul! > > The `alias.log' file is supposed to be in `/var/log', but I guess if you > use a single root filesystem for everything, this can end up filling the > root filesystem. > > The file `alias.log' is not rotated by `newsyslog.conf', so maybe we > should add it there? Then we can let `newsyslog' signal `natd' by: > > %%% > diff -r 4474abb9619a etc/newsyslog.conf > --- a/etc/newsyslog.conf Fri Oct 13 17:34:54 2006 +0300 > +++ b/etc/newsyslog.conf Wed Oct 18 15:54:52 2006 +0300 > @@ -18,6 +18,7 @@ > # > # logfilename [owner:group] mode count size when flags > [/pid_file] [sig_num] > /var/log/all.log 600 7 * @T00 J > +/var/log/alias.log 600 7 100 * JC > /var/run/natd.pid > /var/log/amd.log 644 7 100 * J > /var/log/auth.log 600 7 100 * JC > /var/log/console.log 600 5 100 * J > %%% > > Can you please add this line to your newsyslog.conf file and let it run > for a while to see if it prevents the `alias.log' file of `natd' to fill > your /var/log filesystem? > > I don't use `natd', so I can't test this myself for a long enough > period.
natd doesn't do the close and re-open all filehandles thing on receipt of SIGHUP which pretty much makes it unsuitable for use with newsyslog. (SIGHUP is caught by natd, but the only thing it does is cause natd to update its idea of what the IP address is on the nat'ed interface.) There doesn't seem to be any signal that you can send natd with the usual 'reread all config files and re-open all file descriptors' effect that most daemons understand. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. Flat 3 7 Priory Courtyard PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW, UK
Description: OpenPGP digital signature