2

I've got Ubuntu 20.04.2 on good hardware with Mate and all updated packages.

The process identifiers (PIDs) are in the 800,000s after only 7 days of uptime.

How do I determine which process is launching so frequently to cause PIDs to get so large?

The output of `dump-acct` indicates thousands of occurrences of `file` and occasionally `ping` commands.

What's going on and how can I figure out what's launching so many processes?

What system process needs to run `file` and why?

muru
Marc Compere
  • `lsof | grep file` might give some info. and `watch -d 'df | grep files'` . `htop`, `atop`, `top` . try `sudo killall -9 file` and see what happens, does it kill an app? and echo $pidof ) gives the pids of an . – pierrely Jun 20 '21 at 06:30
  • This may be helpful, but I've been watching with top updating quickly and cannot ever see `file` running. I'm running clamav and rkhunter after booting from a live USB. The `df | grep files` is an interesting command, but I don't think it will find anything because `file` is a binary and not a mount – Marc Compere Jun 23 '21 at 01:14

1 Answer

0

The open source system monitor `glances` executes the `/usr/bin/file` command every N seconds for its update. That was the source of the thousands of `file` occurrences in the system accounting log.

This was verified quite clearly by running glances for 4 update cycles and verifying with the resulting output from `dump-acct /var/log/account/pacct`.

With this explanation, there was likely no nefarious source of all those `file` entries.

This issue has caused me to monitor the process number increase rate. This is a simple bash script to monitor the PID rate:

```bash
#!/bin/bash
# Monitor how fast the kernel is handing out new PIDs.
loop_cnt=0
loop_cnt_max=10000
sleep_time=60 #5 # (seconds)

ppl=2  # ppl--> processes per loop from this script; remove this many new processes in the rate estimate

pid_cnt=$(sysctl -n kernel.ns_last_pid)
pid_cnt=$((pid_cnt - 1)) # 1st loop only

while [ "$loop_cnt" -le "$loop_cnt_max" ]; do
    pid_cnt_last=$pid_cnt
    pid_cnt=$(sysctl -n kernel.ns_last_pid)
    delta_pid=$((pid_cnt - pid_cnt_last - ppl)) # get pid delta over the last loop interval
    pid_rate=$(bc <<< "scale=2; $delta_pid/$sleep_time") # floating point arithmetic
    echo "pid_cnt=$pid_cnt, an increase of $delta_pid over the last $sleep_time seconds, pid_rate=$pid_rate (pid/s), cnt=$loop_cnt, and cnt_max=$loop_cnt_max"
    loop_cnt=$((loop_cnt + 1))

    sleep "$sleep_time"
done
```
Marc Compere
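
An added example, not part of the original answer: a way to rank which parent PID launched which short-lived command from `dump-acct` output, then name the parent if it is still running. It assumes each record is `|`-separated with the command first, the date last, and the parent PID as the last number before the date; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank (parent PID, command) pairs found in dump-acct output.
# Assumption: records are '|'-separated, the command name is the first field,
# the date is the last field, and the parent PID is the last number before the
# date (written either "...|pid|ppid|date" or "...|pid ppid|date").

# stdin: dump-acct text. stdout: "count ppid command", busiest pair first.
summarise_spawns() {
    awk -F'|' '
        NF >= 3 {
            cmd = $1; gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            tail = $(NF-1); gsub(/^[ \t]+|[ \t]+$/, "", tail)
            n = split(tail, tok, /[ \t]+/)
            ppid = tok[n]
            if (cmd == "" || ppid !~ /^[0-9]+$/) next   # skip malformed records
            count[ppid SUBSEP cmd]++
        }
        END {
            for (k in count) {
                split(k, part, SUBSEP)
                printf "%d %s %s\n", count[k], part[1], part[2]
            }
        }' | sort -k1,1nr -k2,2n -k3
}

# Name of a still-running parent, read from /proc (Linux only).
parent_name() {
    if [ -r "/proc/$1/comm" ]; then cat "/proc/$1/comm"; else echo "(not running)"; fi
}

# stdin: dump-acct text. Prints the top N pairs (default 10) with parent names.
report() {
    summarise_spawns | head -n "${1:-10}" | while read -r count ppid cmd; do
        printf '%6d x %-16s parent pid %s %s\n' "$count" "$cmd" "$ppid" "$(parent_name "$ppid")"
    done
}

# Constructed sample records (not real log data); PIDs 4242 and 5150 are made up.
sample_records() {
    cat <<'EOF'
file            |      0.00|      0.00|      1.00|  1000|  1000|   8000.00|      0.00|  801001|    4242|Sun Jun 20 06:00:01 2021
file            |      0.00|      0.00|      1.00|  1000|  1000|   8000.00|      0.00|  801003     4242|Sun Jun 20 06:00:04 2021
file            |      0.00|      0.00|      1.00|  1000|  1000|   8000.00|      0.00|  801005     4242|Sun Jun 20 06:00:07 2021
ping            |      0.00|      0.00|      3.00|  1000|  1000|   6000.00|      0.00|  801007     4242|Sun Jun 20 06:00:09 2021
sysctl          |      0.00|      0.00|      0.00|  1000|  1000|   2000.00|      0.00|  801010     5150|Sun Jun 20 06:01:00 2021
EOF
}

sample_records | report
```

On a live system, pipe the real log in instead: `sudo dump-acct /var/log/account/pacct | report 10`. A parent PID only maps to a name while that parent is alive, and PIDs get reused, so compare the result against the record dates.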