
Re: Finding what is accessing drive?



On Wed, Apr 13, 2005 at 06:39:25PM +1000, Neil Dugan wrote:
> On Sat, 2005-04-09 at 21:56 -0400, jludwig wrote:
> > On Saturday 09 April 2005 09:33 pm, Neil Dugan wrote:
> > > Hi
> > >
> > > I have a small computer with FC3 installed on an ext3 partition, being
> > > used as a PostgreSQL database server.
> > >
> > > I set up hdparm to turn off the hard-drive, but something is accessing
> > > the hard-drive making it stay on.
> > >
> > > Using 'top -i' it seems that kjournald seems to be accessing the hard-
> > > drive every few minutes.  There is no man page for kjournald.
> > >
> > > What is kjournald?
> > > Any ideas on locating what program is accessing the hard-drive if it
> > > isn't kjournald?
> > >
> > > Regards Neil.
> > There are many daemons that will do this: syslogd, crond, updatedb, even 
> > iptables.  This is actually normal housekeeping for a Linux/Unix system.
> 
> Yes, I understand that many things could be doing the access.  I am
> looking to find out what is doing the access; maybe I don't need it,
> and it can be disabled.
> 
> It doesn't seem to be syslogd (the /var/log/messages isn't expanding),
> it isn't crond (nothing is due to run), and updatedb is triggered by
> cron (which isn't, and not so regularly).
> 
> Because I am running lcd4linux, which was reading stuff from the hard
> drive every few seconds I remounted the partition with the option of
> 'noatime'.  So I would expect that whatever is accessing the hard drive
> is doing a write.  I tried to find the file with the command
> 'date;ls -at --full-time | head'
> but this didn't seem to get me anywhere. 
> 
> Any ideas on how to track down what is causing the access?
> 
> Regards Neil.
> 
> 

Three thoughts, but I don't know if any will be of help...
1) Can you catch any open files using the lsof command?
   For example, if the drive was "/dev/hda3", does
   lsof /dev/hda3
   show anything?  The problem with this approach is that
   lsof will list only currently open stuff, not stuff that was
   quickly opened/closed and is not now open.

   I believe one needs to run lsof as root, or one will only
   see one's own open files.

2) Can you umount the drive, and see what happens?
   Perhaps the program accessing the drive will complain in 
   /var/log/messages
   if it can't get to the file being accessed.

3) I wonder if the SELinux stuff could be used to determine who
   or what is accessing a filesystem.  I wish I could make a
   suggestion, but I do not understand the SELinux stuff.  

   Hopefully, someone who understands SELinux can suggest something. 

-Rick
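
Point 1 of the reply above notes that lsof only sees files that are open at the moment it runs. As an added example that is not part of the original thread, the script below instead compares each process's cumulative write counter across two snapshots, so a quick open/write/close still shows up. It assumes a kernel with task I/O accounting (/proc/<pid>/io, plus /proc/<pid>/comm), which is newer than the FC3 kernel discussed; the counters are system-wide rather than per drive, a process that starts and exits between the two snapshots is missed, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes /proc/<pid>/io and
# /proc/<pid>/comm exist; run as root to see every process.

# snapshot: print "pid comm write_bytes" for each readable process.
snapshot() {
    for d in /proc/[0-9]*; do
        [ -r "$d/io" ] || continue
        # The process may exit while we read it; skip it if so.
        wb=$(awk '/^write_bytes:/ { print $2 }' "$d/io" 2>/dev/null) || continue
        comm=$(cat "$d/comm" 2>/dev/null | tr ' ' '_')
        if [ -n "$wb" ]; then
            echo "${d#/proc/} ${comm:-?} $wb"
        fi
    done
}

# writers_between OLD NEW: print "bytes pid comm", largest first, for every
# process whose write_bytes grew between two snapshot files. A pid missing
# from OLD, or whose counter went backwards (pid reuse), counts in full.
writers_between() {
    awk 'FILENAME == ARGV[1] { old[$1] = $3; next }
         {
             delta = ($1 in old) ? $3 - old[$1] : $3
             if (delta < 0) delta = $3
             if (delta > 0) printf "%.0f %s %s\n", delta, $1, $2
         }' "$1" "$2" | sort -rn
}

# Usage: sh script.sh SECONDS   (takes two snapshots SECONDS apart)
if [ -n "${1:-}" ]; then
    before=$(mktemp) && after=$(mktemp) || exit 1
    snapshot > "$before"
    sleep "$1"
    snapshot > "$after"
    writers_between "$before" "$after"
    rm -f "$before" "$after"
fi
```

Pick an interval longer than the gap between the unexplained spin-ups, so that at least one of them falls between the two snapshots.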

