They were talking about LAuS (Linux Audit Subsystem). I'm not sure exactly what they were talking about, but by default auditd keeps 4 (preallocated) 20M binary files in which it stores it's audit info. When one of the binary files fills up, it writes the data to a unique file (save.1, save.2, etc, etc) and then switches to the next binary file. Over time, this will fill up /var/log/audit.d with these save files. If there is not enough available filesystem space to write the save file, auditd will suspend until there is enough room. When auditd is suspended, anything trying to write an audit event (sshd, for example) goes to sleep until auditd starts accepting events. The guest will appear to be hung, but it is actually still functioning (albeit with limited usefulness). This is fixed by cleaning up /var then kill -HUP the pid of auditd.
-----Original Message----- From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Phil Smith III Sent: Tuesday, March 21, 2006 5:46 PM To: [email protected] Subject: Question I got a written comment on the "Sick Penguin" pitch at SHARE that I can't seem to confirm or refute, despite having spent a bunch o' time Googling for it. I figure someone in this group will know! The comment was: "FYI, if Linux auditing is enabled, by default file systems >= 80% full can cause the guest to hang." (Phil) Really? Why? How? What do they mean by "Linux auditing"? Maybe they meant "journaling"? Can anyone shed any light? Thanks, ...phsiii ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
