Re: Root file system is growing strangely

Fri, 18 Dec 2009 02:47:43 -0800 

On Fri, Dec 18, 2009 at 10:36:46AM +0200, Daniel Zhelev wrote:
> Hello list.
> I`ve set up a little bash script to tell me when some file system is
> over 95% full and after a month I got a mail about my root file system
> ( / ) after log in I sow that the root file system is over 100%. That
> is fine I tried to do a search for big and nasty files and so on but
> after a hour magically the file system was at 20%.  That got me very
> worried about any security issue, but nothing was missing and so on.
> The issue is that the file system continues to grow about a 2 presents
> a day, which is strange.

> Here is some output:
> 
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/wd0a     1005M    251M    704M    26%    /
> /dev/wd0k     46.7G   26.0K   44.4G     0%    /home
> /dev/wd0d      3.9G    8.0K    3.7G     0%    /tmp
> /dev/wd0f      2.0G    615M    1.3G    32%    /usr
> /dev/wd0g     1005M    145M    809M    15%    /usr/X11R6
> /dev/wd0h      5.4G    206M    5.0G     4%    /usr/local
> /dev/wd0i      2.0G    619M    1.3G    32%    /usr/src
> /dev/wd0e      8.9G    585M    7.8G     7%    /var
> /dev/wd0j      2.0G    961M    951M    50%    /usr/obj
> /dev/wd1a      295G    562M    280G     0%    /storage/storages
> /dev/wd1b      110G   20.7G   83.7G    20%    /storage/windows
> 
> r...@sgate:/root# find / -xdev -size +1000 -type f | xargs ls -laSh
> -rwxr-xr-x  1 root  wheel   6.9M Nov 25 16:39 /bsd
> -rw-r--r--  1 root  wheel   6.9M Nov 25 14:16 /obsd
> -rw-r--r--  1 root  wheel   5.8M Nov 25 14:16 /bsd.rd
> -r-xr-xr-x  1 root  bin     1.2M Dec  7 15:05 /sbin/isakmpd
> -r--r--r--  1 root  bin     526K Dec  7 15:06 /etc/magic
> 
> r...@sgate:/root# find / -xdev -mtime -1 -type f | xargs ls -laSh
> -rw-------  1 root  wheel   2.0K Dec 18 03:09 /etc/pf.conf
> -rw-r--r--  1 root  wheel   507B Dec 18 03:08 /etc/hosts
> -rw-r--r--  1 root  wheel     0B Dec 18 02:49 /etc/resolv.conf

> The other strange thing is that I`ve set up the /etc/daily root backup
> and here is the compare between two discs:
> 
> /dev/wd1d     1005M   42.2M    912M     4%    /altroot
> /dev/wd0a     1005M    251M    704M    26%    /
> 
> since /altroot is exact dd copy of / isn`t they at the same size?

It's quite possible that some process is holding open a file descriptor
to a file which has no links from the filesystem. To see this, run 'vi
bigfile', suspend, and run 'rm bigfile'. The space is still used. Then
quit vi, and optionally run 'sync', and you'll see the space has been
reclaimed.

To see which process is the culprit, try fstat.

(Note that this is only one possibility!)

                Joachim

Reply via email to