constantine

Well-Known Member
Apr 15, 2008
45
0
56
Hi there ,

I think a cache program/module generates some files in /tmp. How can I stop it or change the path?

Here are example files that are being created:
Code:
root@tmjid [/tmp]# ls -l -S | more
total 459669
-rw-------  1 nobody   nobody   48492544 Aug  4 17:02 20100804-161912-TFl2106feSAAAENBJFUAAABb-file-1ptyrP
-rw-------  1 nobody   nobody   11328497 Jul 31 13:11 20100731-125344-TFQAuE6feSAAADPG\@vYAAAAC-file-OT8zs1
-rw-------  1 nobody   nobody    6682123 Aug  1 12:21 20100801-120909-TFVHvU6feSAAAFHgcv0AAAA2-file-VAhGI6
-rw-------  1 nobody   nobody    6560586 Aug  3 09:09 20100803-085000-TFe8Dk6feSAAAFtXKDoAAAAY-file-rsLf9e
-rw-------  1 nobody   nobody    6519515 Aug  4 18:12 20100804-181023-TFmQ706feSAAAEW8XT8AAABE-file-3VLzo4
-rw-------  1 nobody   nobody    6364026 Aug  1 17:25 20100801-172050-TFWQhk6feSAAAEwTW8UAAAAb-file-Y2ARmO
-rw-------  1 nobody   nobody    5298204 Aug  4 13:55 20100804-135013-TFlT9U6feSAAADXDNkgAAAA2-file-1s9JNg
-rw-------  1 nobody   nobody    5144576 Aug  9 16:02 20100809-160039-TGAKBk6feSAAAH3HBEAAAAAa-file-LiXR8b
-rw-------  1 nobody   nobody    5038757 Aug  2 11:47 20100802-114505-TFaTnU6feSAAAAXDE0EAAACE-file-ywVTmm
-rw-------  1 nobody   nobody    4976640 Aug  9 15:54 20100809-155217-TGAIEE6feSAAAHFvdNEAAAAQ-file-WstF4L
-rw-------  1 nobody   nobody    4698440 Aug  8 13:55 20100808-134718-TF6ZP06feSAAAA4SVZQAAAAo-file-uaZnML
-rw-------  1 nobody   nobody    4519494 Jul 28 15:09 20100728-150810-TFAruk6feSAAAHDsznwAAAAn-file-H19Zar
-rw-------  1 nobody   nobody    4487330 Aug  2 09:05 20100802-085928-TFZqwU6feSAAAGlUKgIAAABi-file-EIiEgn
-rw-------  1 nobody   nobody    4297087 Aug  2 08:21 20100802-081655-TFZi1k6feSAAAC\@PlGwAAAB0-file-RZ6BPR
-rw-------  1 nobody   nobody    4279600 Aug  9 15:28 20100809-152614-TGAB9U6feSAAAFOIo\@EAAABN-file-xqdHsA
-rw-------  1 nobody   nobody    4092050 Aug  3 15:58 20100803-155202-TFgfAk6feSAAACqdQPEAAAAq-file-TpFru1
-rw-------  1 nobody   nobody    4039380 Jul 29 12:28 20100729-122207-TFFWSk6feSAAAFvUTTsAAABM-file-7OSOWj
-rw-------  1 nobody   nobody    3994557 Aug  4 16:36 20100804-161523-TFl1806feSAAAEG11j8AAABI-file-1y51Xi
-rw-------  1 nobody   nobody    3913586 Jul 31 11:15 20100731-111122-TFPot06feSAAABrltCwAAAAy-file-5IOL6K
-rw-------  1 nobody   nobody    3560646 Aug  1 21:53 20100801-212455-TFXKBk6feSAAAHsWce4AAAAz-file-9XnPvW
-rw-------  1 nobody   nobody    3478771 Aug  1 12:42 20100801-123953-TFVO9U6feSAAAAO-JBMAAAA7-file-9hEjFn
-rw-------  1 nobody   nobody    3395263 Aug  2 09:09 20100802-090523-TFZuLE6feSAAAAIXdw0AAAAf-file-jo1vIT
-rw-------  1 nobody   nobody    3362848 Jul 29 20:08 20100729-195537-TFG\@jU6feSAAAEelFcoAAAAe-file-cs6UpV
-rw-------  1 nobody   nobody    3329930 Aug  1 08:36 20100801-082320-TFUS1k6feSAAAGk9Yk4AAAAe-file-SBkMQP
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,544
14
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
I am not aware what exact module or program may generate the specific files shown in the example output you've provided. If they are created by a specific user account it will help greatly to first ensure that the system is using both suPHP and suEXEC so that files written by users will be owned by the applicable system user account and less likely to be written as the shared user nobody. If using DSO as the PHP handler or CGI without suEXEC then PHP will run as user nobody; user nobody is the same user that Apache/httpd runs as.

Is the affected system using both suPHP and suEXEC? If yes, this will make it easier to track which users may be contributing to an increased server load. The status of suPHP and suEXEC can be determined using the following command via root SSH access:
Code:
# /usr/local/cpanel/bin/rebuild_phpconf --current
 

B12Org

Well-Known Member
Jul 15, 2003
691
1
168
Seattle Washington
cPanel Access Level
Root Administrator
Get a program called tmpwatch - it watches the tmp directory and cleans it out - the default I think is like 720 or 240 hours, but I would recommend changing it to 24 hours so that it cleans out old files.

You can set it even lower like an hour or so if you want to if your space is being eaten up faster than that.

Or in a cron job you can do a simple bash command.

This will delete everything except for the mysql.sock (and maybe clamd.sock) file(s):
find /tmp -mindepth 1 -maxdepth 1 ! -name '.*' ! -name '*sock*' -exec rm -rf -- {} +
This will delete anything owned by nobody - may not be the best way but should work based on what you posted:
find /tmp -mindepth 1 -maxdepth 1 -user nobody -exec rm -rf -- {} +
This will delete anything *not* owned by root:
find /tmp -mindepth 1 -maxdepth 1 ! -user root -exec rm -rf -- {} +
 

GaryT

Well-Known Member
May 19, 2010
320
3
68
I have never seen or heard of tmpwatch, but after googling it seems to be a decent little script. But I'm curious about how it knows what's good or bad and even what to remove.

How does it function? Is this an addon via WHM? I would like your opinion on this and a good tut.

Thanks.
 

B12Org

It doesn't make any determination of good or bad - it only removes files that match a criteria.

On RedHat/CentOS you can just do

yum install tmpwatch

It sets it to run in a cron job and will delete things that have not been accessed for 720 minutes in /tmp directory - I think that's the default, but you can easily change the times.


NAME
tmpwatch - removes files which haven't been accessed for a period of time
SYNOPSIS
tmpwatch [-u|-m|-c] [-faqstv] [--verbose] [--force] [--all] [--test]
[--fuser ] [--atime|--mtime|--ctime] [--quiet] <hours> <dirs>


DESCRIPTION
tmpwatch recursively removes files which haven't been accessed for a given number of hours. Normally, it's used to clean up directories which are used for temporary holding space such as /tmp.
When changing directories, tmpwatch is very sensitive to possible race conditions and will exit with an error if one is detected. It does not follow symbolic links in the directories it's cleaning (even if a symbolic link is given as its argument), will not switch filesystems, and only removes empty directories and regular files.

By default, tmpwatch dates files by their atime (access time), not their mtime (modification time). If files aren't being removed when ls -l implies they should be, use ls -u to examine their atime to see if that explains the problem.

If the --atime, --ctime or --mtime options are used in combination, the decision about deleting a file will be based on the maximum of this times.

The hours parameter defines the threshold for removing files. If the file has not been accessed for hours hours, the file is removed. Following this, one or more directories may be given for tmpwatch to clean up.




OPTIONS
-u, --atime
Make the decision about deleting a file based on the file's atime (access time). This is the default.


-m, --mtime
Make the decision about deleting a file based on the file's mtime (modification time) instead of the atime.

-c, --ctime
Make the decision about deleting a file based on the file's ctime (inode change time) instead of the atime; for directories, make the decision based on the mtime.

-a, --all
Remove all file types, not just regular files and directories.

-d, --nodirs
Do not attempt to remove directories, even if they are empty.

-f, --force
Remove files even if root doesn't have write access (akin to rm -f).

-t, --test
Doesn't remove files, but goes through the motions of removing them. This implies -v.

-s, --fuser
Attempt to use the "fuser" command to see if a file is already open before removing it. Not enabled by default. Does help in some circumstances, but not all. Dependent on fuser being installed in /sbin.

-v, --verbose
Print a verbose display. Two levels of verboseness are available -- use this option twice to get the most verbose output.


SEE ALSO
cron(1), ls(1), rm(1), fuser(1)


WARNINGS
GNU-style long options are not supported on HP-UX.
 

GaryT

Thanks for the update - However !

root@webhosting [~]# yum install tmpwatch
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
addons | 951 B 00:00
base | 2.1 kB 00:00
extras | 2.1 kB 00:00
updates | 1.9 kB 00:00
Excluding Packages in global exclude list
Finished
Setting up Install Process
Package tmpwatch-2.9.7-1.1.el5.2.x86_64 already installed and latest version
Nothing to do
root@webhosting [~]#
:confused:

Is there some config file for this or something ?
 

cPanelDon

Consider the following list of files that are included with the tmpwatch RPM installation:
Code:
# rpm -q --filesbypkg tmpwatch
tmpwatch                  /etc/cron.daily/tmpwatch
tmpwatch                  /usr/sbin/tmpwatch
tmpwatch                  /usr/share/man/man8/tmpwatch.8.gz
Customization of command-line (CLI) options used to execute tmpwatch can be set up similar to how the default cron.daily entry is configured; I would consider copying the default to create a custom cron entry.
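
Before putting a shorter threshold into a custom cron entry, it helps to preview what an owner-and-age cleanup would select, and to see how the atime default described in the man page differs from the mtime that `ls -l` shows. The function below is an added example, not code from any poster or from tmpwatch; `stale_files` and its arguments are hypothetical names, and it assumes a `find` that supports `-mindepth`, `-maxdepth`, `-amin` and `-mmin` (GNU or BSD).

```shell
#!/bin/sh
# Added example, not from the thread. Lists (never deletes) regular files
# directly inside DIR that belong to OWNER and are older than HOURS, judged
# by atime (tmpwatch's default) or by mtime (what "ls -l" shows).
# stale_files is a hypothetical helper name.
# Usage: stale_files DIR OWNER HOURS [atime|mtime]
stale_files() {
    dir=$1 owner=$2 hours=$3 stamp=${4:-atime}

    case $stamp in
        atime) age_test=-amin ;;   # time of last read
        mtime) age_test=-mmin ;;   # time of last write
        *) echo "stamp must be atime or mtime" >&2; return 2 ;;
    esac
    case $hours in
        ''|*[!0-9]*) echo "HOURS must be a whole number" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # find is used rather than parsing "ls" output, so unusual file names,
    # the "total" line, and names that merely contain the owner's name
    # cannot confuse the selection.
    # -xdev stays on one filesystem; -type f skips sockets, directories and
    # symlinks; symlinks are not followed (find's default behaviour).
    find "$dir" -mindepth 1 -maxdepth 1 -xdev -type f -user "$owner" \
        "$age_test" "+$((hours * 60))" -print
}

# Typical preview for the situation in this thread (prints paths only):
#   stale_files /tmp nobody 24          # by atime, like tmpwatch's default
#   stale_files /tmp nobody 24 mtime    # by mtime, like tmpwatch --mtime
```

A file that was written long ago but read recently shows up in the mtime preview and not in the atime one, which is the case the man page points to with `ls -u`.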