LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   A find process taking up CPU (su nobody -s /bin/sh -c /usr/bin/find /) (https://www.linuxquestions.org/questions/linux-newbie-8/a-find-process-taking-up-cpu-su-nobody-s-bin-sh-c-usr-bin-find-4175466008/)

linuxandtsm 06-14-2013 08:57 AM
A find process taking up CPU (su nobody -s /bin/sh -c /usr/bin/find /)
 
Hi all,

There is a find process running and taking up CPU and user is not happy with this.

Code:
# ps -ef|grep nobody
nobody    3772    1  0 May24 ?        00:00:00 /usr/sbin/gmond
root    12238 12230  0 09:30 ?        00:00:00 /bin/sh /usr/bin/updatedb --localuser=nobody --prunepaths=/mnt /cdrom /tmp /usr/tmp /var/tmp /var/spool /proc /media /sys
root    12258 12238  0 09:30 ?        00:00:00 /bin/sh /usr/bin/updatedb --localuser=nobody --prunepaths=/mnt /cdrom /tmp /usr/tmp /var/tmp /var/spool /proc /media /sys
root    12266 12258  0 09:30 ?        00:00:00 su nobody -s /bin/sh -c /usr/bin/find /      \( -fstype nfs -o -fstype NFS -o -fstype nfs4 -o -fstype afs -o -fstype proc -o -fstype smbfs -o -fstype autofs -o -fstype iso9660 -o -fstype ncpfs -o -fstype coda -o -fstype devpts -o -fstype ftpfs -o -fstype devfs -o -fstype mfs -o -fstype sysfs -o -fstype shfs -o -fstype cifs -o -fstype 9P -o      -type d -regex '\(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\)\|\(^/media$\)\|\(^/sys$\)' \) -prune -o -print0
nobody  12267 12266 26 09:30 ?        00:06:14 /usr/bin/find / ( -fstype nfs -o -fstype NFS -o -fstype nfs4 -o -fstype afs -o -fstype proc -o -fstype smbfs -o -fstype autofs -o -fstype iso9660 -o -fstype ncpfs -o -fstype coda -o -fstype devpts -o -fstype ftpfs -o -fstype devfs -o -fstype mfs -o -fstype sysfs -o -fstype shfs -o -fstype cifs -o -fstype 9P -o -type d -regex \(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\)\|\(^/media$\)\|\(^/sys$\) ) -prune -o -print0
root    13101 12875  0 09:53 pts/3    00:00:00 grep nobody
all i can find in /var/log/messages about this process is

Code:
Jun 14 09:30:14 lnxtest su: (to nobody) root on none

I killed this process several times but it appears after sometime again. Not sure what is causing this process to run.


Please help to understand what is this process and what is triggering this process to start.

How can i disable/kill permanently this process (not sure if this should be OK)


Please help!

thanks in advance!

thedaver 06-14-2013 10:00 AM
This is part of scheduled updates to support 'locate' on your machine

See

http://www.linuxquestions.org/questi...rmance-920990/

jpollard 06-14-2013 10:12 AM
I believe it is updatedb. If you check the process tree:

nobody 12267 12266... (the find)
root 12266 12258... (the "su nobody...")
root 12258 12238... (the updatedb)


This is used to speed up searches using the "locate" utility. Doing this allows locate to bypass the filesystem search (which is slow), but the database it uses needs to be updated periodically.

The reason it runs as the user "nobody" is to eliminate any files that may be inaccessable to a user normally. That means that even if the file itself is rwxrwxrwx, that if the directory containing that file is rwx------, then only the user can access it through the directory tree - and running the find as "nobody" will block it from being added to the index file.

Normally (at least on servers that want this service) updatedb runs sometime in the middle of the night.

You might check your cron jobs and see if it is being run either too frequently or at a bad time.

linuxandtsm 06-14-2013 10:35 AM
thanks to both thedaver and jpollard,

jpollard - how to find the cron job that this is running from?

I do not seem to find anything from crontab -l

How to find it and how to fix it (to disable/change it to run less frequently/ change time of running etc)?

Thanks!

thedaver 06-14-2013 10:41 AM
Look in /etc/crontab/... you'll see some folders that would be daily or hourly
Most modern distros setup their cron to run everything in these folders at the appropriate interval, so that the crontab itself doesn't have to be touched so often.

There is a likely a script in hourly.d or daily.d that is named like 'locate' or 'updatedb' and should contain commands that look like what you're seeing.

you could move, remark out, chmod -x or otherwise delete such a script to prevent it's continued churn on your machine

jpollard 06-14-2013 02:00 PM
Depends on the installation.

In most, I would expect it to be in roots crontab entry. In a RH/Fedora system it is in the /etc/cron.daily in the file "mlocate.cron".

linuxandtsm 06-14-2013 04:07 PM
This is what i have in /etc/

Code:
# ls -ltrh /etc/ |grep cron
drwxr-xr-x  2 root  root      1 Sep 21  2007 cron.weekly
drwxr-xr-x  2 root  root      1 Sep 21  2007 cron.monthly
drwxr-xr-x  2 root  root      1 Sep 21  2007 cron.d
-rw-r--r--  1 root  root    255 Sep 21  2007 crontab
-rw-------  1 root  root      11 Sep 21  2007 cron.deny
drwxr-xr-x  2 root  root      8 Feb 14  2008 cron.hourly
drwxr-xr-x  2 root  root    4.0K Feb 15  2008 cron.daily


# ls -ltrh /etc/cron.daily/
total 52K
-rwxr-xr-x 1 root root 1.9K Sep  1  2003 suse.de-backup-rc.config
-rwxr-xr-x 1 root root  371 Sep  1  2003 suse.de-cron-local
-rwxr-xr-x 1 root root 2.1K Sep  8  2003 suse.de-backup-rpmdb
-rwxr-xr-x 1 root root  566 Jul 23  2004 suse.de-check-battery
-rwxr-xr-x 1 root root 1.3K Jul 27  2005 suse.de-clean-tmp
-rwxr-xr-x 1 root root  393 Sep 21  2007 logrotate
-rwxr-xr-x 1 root root 1.6K Sep 21  2007 suse.de-updatedb
-rwxr-xr-x 1 root root  42 Sep 21  2007 suse.de-update-preload
-rwxr--r-- 1 root root 1.2K Sep 21  2007 suse-do_mandb
-rwxr--r-- 1 root root  948 Sep 21  2007 suse-clean_catman
-rwxr-xr-x 1 root root  646 Sep 21  2007 suse.de-cyrus-imapd
-rwxr-xr-- 1 root root  672 Sep 22  2007 suse-texlive
-rwxr-xr-x 1 root root 3.1K Sep 26  2007 beagle-crawl-system

# ls -ltrh /etc/cron.hourly/
total 4.0K
-rwxr-xr-x 1 root root 71 Sep 21  2007 mcelog
is anyone of below the one responsible for this?
If so can i just move it from here?

Code:
# cd /etc/cron.daily/
/etc/cron.daily # ls -ltrh |grep update
-rwxr-xr-x 1 root root 1.6K Sep 21  2007 suse.de-updatedb
-rwxr-xr-x 1 root root  42 Sep 21  2007 suse.de-update-preload
Thanks!

jpollard 06-14-2013 04:35 PM
That should do it.


All times are GMT -5. The time now is 07:58 AM.