This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[9.0044-33] Spikes of High CPU and memory

Hi All

I am using v9.0044-33 with UTM 120 rev 5. I am also using disk as part of the htp_local_db

It seems that the box is spiking on cpu and the memory is high .I have attached the relevant pic

As part of the troubleshooting I used perf top
Results

  
   PerfTop:    1403 irqs/sec  kernel:22.1%  exact:  0.0% [1000Hz cycles],  (all, 2 CPUs)
-------------------------------------------------------------------------------------------------------------------------------------

    58.13%  pngquant                [.] 0x558a
     4.60%  libz.so.1.2.3           [.] longest_match
     2.41%  libpng12.so.0.31.0      [.] 0xf93c
     2.21%  [kernel]                [k] read_hpet
     1.40%  [unknown]               [.] 0x8050ed3
     1.07%  libz.so.1.2.3           [.] deflate_slow
     0.97%  libc-2.11.3.so          [.] msort_with_tmp
     0.93%  libcairo.so.2.10800.8   [.] unpremultiply_data
     0.68%  perf                    [.] 0x1e000
     0.59%  libc-2.11.3.so          [.] memcpy
     0.58%  libexpat.so.1.5.2       [.] 0xf9e6
     0.56%  libz.so.1.2.3           [.] fill_window
     0.48%  libfontconfig.so.1.3.0  [.] .L110
     0.47%  ld-2.11.3.so            [.] do_lookup_x
     0.39%  libc-2.11.3.so          [.] _int_malloc
     0.36%  ntpd                    [.] 0x1d013
     0.36%  libfreetype.so.6.3.18   [.] TT_RunIns
     0.33%  libfreetype.so.6.3.18   [.] 0x17a25
     0.33%  libfontconfig.so.1.3.0  [.] FcCompareFamily
     0.32%  libasapsdk.so           [.] 0x20c35
     0.29%  libc-2.11.3.so          [.] strstr
     0.27%  libz.so.1.2.3           [.] adler32
     0.24%  libperl.so              [.] 0x101f1f
     0.22%  libc-2.11.3.so          [.] __i686.get_pc_thunk.bx
     0.21%  postgres                [.] 0x2b7d4c
     0.20%  libpixman-1.so.0.16.0   [.] pixman_rasterize_edges
     0.20%  libc-2.11.3.so          [.] malloc
     0.20%  libc-2.11.3.so          [.] strcmp
     0.19%  [kernel]                [k] __kmalloc
     0.19%  libc-2.11.3.so          [.] __memset_ia32
     0.18%  libz.so.1.2.3           [.] inflate_fast
     0.18%  [kernel]                [k] unmap_vmas
     0.17%  [vdso]                  [.] 0x55576431
     0.16%  [kernel]                [k] __schedule
     0.16%  [kernel]                [k] page_fault
     0.16%  [kernel]                [k] ia32_sysenter_target
     0.16%  libpthread.so.0         [.] 0xefbf
     0.15%  [kernel]                [k] timerqueue_add
     0.14%  libc-2.11.3.so          [.] _int_free
     0.14%  libpixman-1.so.0.16.0   [.] pixman_edge_init
     0.14%  [kernel]                [k] _raw_spin_lock
     0.14%  [kernel]                [k] hpet_legacy_next_event
     0.14%  libc-2.11.3.so          [.] free

what is that process and why it's inroducing spikes to the box?

/root # top -b -n 1 | head -n 12  | tail -n 5
13298 root      39  19  3640 2080  632 R     90  0.1   0:00.73 pngquant
 3729 root      20   0 11528 4788 1772 S     12  0.2  91:02.42 selfmonng.plx
 4162 root      20   0 10140 6212 1668 S      9  0.3  23:28.03 dns-resolver.pl
13299 root      20   0  2808 1212  804 R      9  0.1   0:00.07 top
 4686 root      20   0 32940  11m 3028 S      4  0.6 163:57.32 ctasd

Memory is normal at the moment:

/root # ps auxf | sort -nr -k 4 | head -5
810      28489  1.0 18.9 1205400 387520 ?      Ssl  12:18   3:07 /var/chroot-http/usr/bin/httpproxy -f -c /var/chroot-http -u httpproxy
root      4324  1.8 12.3 339384 253364 ?       Ssl  16:27   0:58 /usr/bin/cssd -d
snort     5520  0.3  5.5 385324 113612 ?       S

Most of the swap is allocated to the HTTP proxy (Run top then press 'O' (capital letter o) followed by 'p' then 'enter'. Now processes should be sorted by their swap usage.)

top - 17:22:28 up 3 days,  8:16,  1 user,  load average: 0.67, 1.22, 1.30
Tasks: 344 total,   1 running, 341 sleeping,   0 stopped,   2 zombie
Cpu(s):  2.4%us,  2.7%sy,  0.0%ni, 94.6%id,  0.3%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2048484k total,  1666536k used,   381948k free,     3732k buffers
Swap:  1048572k total,   401552k used,   647020k free,   606832k cached

  PID USER      PR  NI  VIRT  RES  SHR S   %CPU %MEM    TIME+  SWAP COMMAND
28489 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:36.18 799m httpproxy
28490 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:07.72 799m httpproxy
28491 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.74 799m httpproxy
28505 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.14 799m httpproxy
28508 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.75 799m httpproxy
28509 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.83 799m httpproxy
28510 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.50 799m httpproxy

28511 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.47 799m httpproxy
28512 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.43 799m httpproxy
28513 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.43 799m httpproxy
28514 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.41 799m httpproxy
28515 httpprox  20   0 1177m 377m 1312 S      0 18.9   0:00.45 799m httpproxy

There are too many child-processes for httpproxy is this normal?

This thread was automatically locked due to age.

0 William Warren over 12 years ago

what features are in use on both utms? 8.x doesn't have the total predilection for swapping that utm9 does...but depending on the configuration it can go nuts as well. give specifics on both then we might be able to find something..[:)]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 12 years ago in reply to wingman

Swap is going crazy. I haven't changed any settings since my last reboot

I wish all of you a happy new year [[:)]]

[ATTACH]9127[/ATTACH]

Sent from my iPhone using Astaro.org

yeppers. I actually have reduced my utm9 vm to 3 gigs to try to get some more ram available for another vm..i'm sitting at Swap Usage 0% 0.00% 0.00% 0.00%. I'm using two snorts..memory http proxy but i am using my vm.swappiness=0 tweak. If i tried two gigs the system would start hanging as it went into massive swapping which i've already detailed in earlier posts..[[:)]]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 GMF over 12 years ago in reply to William Warren
what features are in use on both utms? 8.x doesn't have the total predilection for swapping that utm9 does...but depending on the configuration it can go nuts as well. give specifics on both then we might be able to find something..[:)]
As I said before:
Both configs are pretty much the same.

System A features:
Firewall is active with 85 rules
Intrusion Prevention is active with 4688 of 14277 patterns
Web Filtering is active, 0 requests served today
Network Visibility is active, 5 Application Control rules active
FTP Proxy is active
SMTP Proxy is inactive
POP3 Proxy is inactive
Web Application Security is inactive
AntiVirus is active for protocols HTTP/S,FTP
AntiSpam is inactive
AntiSpyware is active
Email Encryption is inactive
Site2Site VPN is active with 11 of 11 tunnels
Remote Access is active with 0 online users
HA/Cluster is active in mode HA with 2/2 nodes
Wireless Security is active, 2 APs connected

System B features:
Firewall is active with 71 rules
Intrusion Prevention is active with 4688 of 14277 patterns
Web Filtering is active, 171 requests served today
Network Visibility is active, 4 Application Control rules active
FTP Proxy is active
SMTP Proxy is inactive
POP3 Proxy is inactive
Web Application Security is inactive
AntiVirus is active for protocols HTTP/S,FTP
AntiSpam is inactive
AntiSpyware is active
Email Encryption is inactive
Site2Site VPN is active with 9 of 9 tunnels
Remote Access is active with 0 online users
HA/Cluster is active in mode HA with 2/2 nodes
Wireless Security is active, 2 APs connected

Additionally system B hosts 6 REDs.
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 12 years ago

any reds on the first one?
could you head to the advanced area and copy/paste the process list in the webamin of the first one?

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 GMF over 12 years ago

No reds on system A.

process list in attachement. [:D]
Would be to big for or plain txt [:(]

proclist.zip
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 12 years ago

Hmmm, postgresql looks like you might have database corruption. This might be the issue.

Some defunct confd processes - that might slow things down, but I don't see how it would cause much swappiness.

It would be interesting to see a memory graph of the 24 hours after using one of the tricks above or rebooting to bring the swap file back to zero.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 12 years ago

in Linux defunct or zombie processes take no ram just entries in the process table...[:)]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 GMF over 12 years ago

First of all I will wait for support to solve this next week. (Hope so)
I really don´t want to play around with a productive firewall hosting services for the whole world. [;)]

When I have more infos about this, you will hear/read it. [H]
Cancel
Vote Up 0 Vote Down

Cancel
0 bryans2k over 12 years ago in reply to GMF

#!/bin/bash
# Get current swap usage for all running processes
# Erik Ljungstrom 27/05/2011
# Modified by Mikko Rantalainen 2012-08-09
# Pipe the output to "sort -nk3" to get sorted output
SUM=0
OVERALL=0
for DIR in `find /proc/ -maxdepth 1 -type d -regex "^/proc/[0-9]+"`
do
    PID=`echo $DIR | cut -d / -f 3`
    PROGNAME=`ps -p $PID -o comm --no-headers`
    for SWAP in `grep Swap $DIR/smaps 2>/dev/null | awk '{ print $2 }'`
    do
        let SUM=$SUM+$SWAP
    done
    if (( $SUM > 0 )); then
        echo "PID=$PID swapped $SUM KB ($PROGNAME)"
    fi
    let OVERALL=$OVERALL+$SUM
    SUM=0
done
echo "Total swapped: $OVERALL KB"

./getswap.sh | egrep -v "swapped: 0" |sort -n -k 3

this should show current process swap usage, on my 8.308 220 the majority of swap is used by IPS but it would be interesting to see what is using the swap then view the configurations.
Cancel
Vote Up 0 Vote Down

Cancel
0 GMF over 12 years ago

Thanks for that.
I will execute this one next week.
Cancel
Vote Up 0 Vote Down

Cancel