authentication hangs when disk > 80% full
Alfred Hovdestad
alfred.hovdestad at usask.ca
Sat Dec 31 18:03:38 UTC 2005
The problem is that auditd "suspends" activities when /var falls below
20% free.
From /etc/audit/audit.conf
output {
mode = bin;
num-files = 4;
file-size = 20M;
file-name = "/var/log/audit.d/bin";
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u
-C -T 20
%";
# AUDBIN THRESHOLDS:
# The above notify will cause auditd to enter 'suspend' mode when
# free space on the /var/ filesystem falls below 20%.
You can change the activity that auditd takes when the disk with /var
reaches 80%, or you can turn auditd off:
service audit stop
chkconfig audit off
Alfred Hovdestad, RHCE
University of Saskatchewan
Stephen Jascourt wrote:
> I discovered that PAM authentication hangs in at least 4 different
> kernels of Enterprise Linux, including one installed last week, when the
> partition containing /var is more than 80% full (e.g. less than 20%
> available).
>
> The following appears in the /var/log/messages file:
> audbin[2673]: saving binary audit log /var/log/audit.d/bin.2
> audbin[2673]: threshold 20.00 exceeded for filesystem /var/log/audit.d/.
> - free blocks down to 16.24%
> auditd[2130]: Notify command /usr/sbin/audbin -S
> /var/log/audit.d/save.%u -C -T 20% exited with status 1
> auditd[2130]: output error
> auditd[2130]: output error
> auditd[2130]: output error; suspending execution
>
> [numbers in brackets are probably process id numbers or something, they
> change each time; all other parts of the message repeat on each boot
> attempt]
>
> I don't know what auditd does or what it's connection to authentication
> is. What I do know is that when this happens at a time when you have
> open xterm windows, you can still execute commands and use the system,
> but you cannot ssh or sftp or otherwise enter from outside - you can
> connect, but upon entering your password, the connection will hang.
> Similarly, trying to change user from an open window or go to root via
> "su" also hangs upon entering password. Other open windows and processes
> will be unaffected. I don't have any cron scripts, but if they involve
> authentication, they probably would also hang. However, once you end
> your session and have no open windows into the machine, you are locked
> out entirely. A regular boot proceeds normally aside from the above
> messages in the message log, but it does not startx, the screen with the
> color login box (control-alt-F7) does not appear, and logging in from
> the text login screen (such as the screen on control-alt-F1) hangs upon
> entering password, as do attempts to login from outside. Same result for
> logging in as root.
>
> The problem is resolved by reducing disk usage under 80% for the
> partition containing /var. You need to find a bootable disk, mount your
> hard drives, set permissions to write, and delete some files. After
> getting under 80%, everything is fine, shut down and do a normal boot
> and you're back in business.
>
> I am not a system manager or IT person, nor am I a linux expert, just a
> linux user who needed to access his work PC to do work when our local
> linux experts are on their holiday vacation. I could not find any web
> messages or other documentation on this problem, so apparently it has
> not been documented before or it is documented in a place that does not
> show up in web searches.
>
> The problem had been happening intermittently for a while and would
> clear up upon rebooting. I guess I may have been near 80% and booting
> cleaned up all the temporary files bringing me under 80%. I didn't
> troubleshoot the problem, didn't have any clues, so I didn't know about
> the magic 80% threshold. Then I downloaded some large data files and got
> locked out until someone suggested I use a bootable CD, mount my hard
> drives, and someone else suggested looking in /var/log/messages, where I
> found the above lines and tried deleting files. Once I got under 80%, it
> was fine.
>
> There may be some parameter in some configuration file that sets the 20%
> threshold for available disk space required, but I don't know where that
> would be. If so, I could lower it to say 1% or something small. Another
> solution is when configuring a new system, you could partition /var by
> itself with only the amount of space it will need and run a daily script
> to monitor space in /var and send a warning message when space available
> starts getting close to 20%. But it would be much better if folks who
> work on linux source code could just fix the problem.
>
> Stephen Jascourt
> UCAR/COMET meteorologist at National Weather Service Headquarters
>
>
>
>
>
More information about the redhat-list
mailing list