Re: [psad-discuss] Zombie Processes

Dan Dickey Wed, 11 Jun 2014 09:54:54 -0700

Mike -
The defunct processes have all called exit and are done done done.
They are still hanging around because the parent process (psad?) hasn't
done a wait() call on them to collect the exit information.
I haven't looked at the psad code in some time, but it may be worthwhile
in the loop logic to call waitpid(-1, &status, WNOHANG) periodically.
It would then clean up children processes who have exited.


Just trying to be helpful... I've been using psad on my systems for some time.
Thanks for a quality product and the support you've given it over the years!
        -Dan

On Wednesday, June 11, 2014 08:52:43 AM Michael Rash wrote:
> On Tue, Jun 10, 2014 at 6:18 PM, 3Turtles <3turt...@videotron.ca> wrote:
> > Here's what ps is showing me:
> > 
> > UID        PID  PPID  C STIME TTY          TIME CMD
> > root      1167 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root      4689 26489  0 13:59 ?        00:00:00 [sh] <defunct>
> > root      6781 26489  0 14:38 ?        00:00:00 [sh] <defunct>
> > root      7072 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root      7390 26489  0 14:51 ?        00:00:00 [sh] <defunct>
> > root      7989 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root      8715 26489  0 15:14 ?        00:00:00 [sh] <defunct>
> > root     10157 26489  0 15:46 ?        00:00:00 [sh] <defunct>
> > root     10249 26489  0 15:48 ?        00:00:00 [sh] <defunct>
> 
> This is most likely an artifact of how psad gathers whois information for
> IP's that is has flagged.  The problem is that the whois client sometimes
> takes a while to return data because it has to query upstream whois
> databases over the network.  psad makes the tradeoff that if whois is
> taking too long to respond, then it doesn't wait around before moving on so
> the process becomes a zombie.  There is likely a better way to do this
> though.  I may need to make this more configurable, and I'm hoping that the
> whois client itself either already has a 'timeout' parameter (or one can be
> added).  There is a variable in the psad.conf file WHOIS_TIMEOUT which is
> set to 60 seconds by default which seems pretty long.  One thing you could
> try is disabling whois lookups just to confirm that this is the problem -
> use the --no-whois option.
> 
> Thanks,
> 
> --Mike
> 
> > root     13369 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     13709 26489  0 16:53 ?        00:00:00 [sh] <defunct>
> > root     15342 26489  0 17:23 ?        00:00:00 [sh] <defunct>
> > root     15999 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     17398 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     19833 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     23286 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     25189 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     25546 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     26489     1  0 Jun09 ?        00:00:18 /usr/bin/perl -w
> > /usr/sbin/psad
> > root     26868 26489  0 00:00 ?        00:00:00 [sh] <defunct>
> > root     28371 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     35755 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     36124 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     36214 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     36484 26489  0 03:07 ?        00:00:00 [sh] <defunct>
> > root     41507 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     41513 26489  0 04:52 ?        00:00:00 [sh] <defunct>
> > root     42148 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     44183 26489  0 05:45 ?        00:00:00 [sh] <defunct>
> > root     44235 26489  0 05:46 ?        00:00:00 [sh] <defunct>
> > root     44280 26489  0 05:47 ?        00:00:00 [sh] <defunct>
> > root     44898 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     45006 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     47485 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     49095 26489  0 07:17 ?        00:00:00 [sh] <defunct>
> > root     49538 26489  0 07:27 ?        00:00:00 [sh] <defunct>
> > root     50873 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     51348 26489  0 08:03 ?        00:00:00 [sh] <defunct>
> > root     51767 26489  0 08:10 ?        00:00:00 [sh] <defunct>
> > root     52446 26489  0 08:25 ?        00:00:00 [sh] <defunct>
> > root     53859 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     55522 26489  0 09:27 ?        00:00:00 [sh] <defunct>
> > root     56889 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     57510 26489  0 10:05 ?        00:00:00 [sh] <defunct>
> > root     58433 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     59599 26489  0 10:51 ?        00:00:00 [sh] <defunct>
> > root     60515 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     60786 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     62869 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     63332 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     63646 26489  0 Jun09 ?        00:00:00 [sh] <defunct>
> > root     63774 26489  0 12:11 ?        00:00:00 [sh] <defunct>
> > root     65493 26489  0 12:49 ?        00:00:00 [sh] <defunct>
> > 
> > How do i fix this?
> > 
> > On 08/06/2014 8:51 PM, 3Turtles wrote:
> > > My Ubuntu servers are all currently suffering from zombie processes.  I
> > > narrowed down the culprit to PSAD (sh <defunct>'s parent is psad).
> > > 
> > > In my psad.conf file i have the noemail configured, but emails are still
> > > trying to send out and they are failing (i did this on purpose so my
> > > email doesnt get spammed to death) and being sent to my root mail
> > 
> > instead.
> > 
> > > Any idea how i can solve this?  After a few hours i have around 35
> > > zombie processes.
> > 
> > --------------------------------------------------------------------------
> > ----> 
> > > HPCC Systems Open Source Big Data Platform from LexisNexis Risk
> > > Solutions
> > > Find What Matters Most in Your Big Data with HPCC Systems
> > > Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> > > Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> > > http://www.hpccsystems.com
> > > _______________________________________________
> > > psad-discuss mailing list
> > > psad-discuss@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/psad-discuss
> > 
> > --------------------------------------------------------------------------
> > ---- HPCC Systems Open Source Big Data Platform from LexisNexis Risk
> > Solutions Find What Matters Most in Your Big Data with HPCC Systems
> > Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> > Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> > http://p.sf.net/sfu/hpccsystems
> > _______________________________________________
> > psad-discuss mailing list
> > psad-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/psad-discuss

-- 
Dan A. Dickey
ddic...@icecoldsoftware.com

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss

Re: [psad-discuss] Zombie Processes

Reply via email to