«xz» process question

Hi

More recently I have noticed, a couple of times, an «xz» process that just runs on for ‘ever’, using 25% of the cpu; one core on full load I presume.
The process is owned by root, but I have not checked ppid. The last time this occurred was yesterday evening; I haven’t noticed any pattern concerning what or when this process invokes yet, though.
This behaviour may be perfectly normal for all I know, and something that regularly occurs; though I am unsure, this brings the system fans up at max as well so it is quite noticeable when it drags out.

My question(s): should I pay closer attention to it or does the system regularly initiate «xz» (compression/decompression, is it?), and is it normal that these processes takes a long long time to finish (yesterday I forced it to stop after maybe half an hour)?

NB
I’ve been speculating whether «xz» is connected with rkhunter, it may be, perhaps, but rkhunter was not running yesterday when I terminated the process.

Not very clearly laid out, but thanks for any answers.

Olav

I realy had no idea. But what I would do in your case (and what I did) is trying to find the file with the name xz:

boven:~ # find / -name xz 2>/dev/null
/usr/share/doc/packages/xz
/usr/share/doc/kde/HTML/en/kioslave/xz
/usr/share/doc/kde/HTML/nl/kioslave/xz
/usr/bin/xz
boven:~ #

And seeing that there is such a file in a very common (system wise) place as /usr/bin, i checked if this gives some information:

man xz

And yes, it does.

Over to you.

Hello

Thanks, I knew about the program. However, I don’t know if it gets me any wiser reading the manual.

Are there any easy way to sort out the potential daemons/programs which could have initiated this command?
It seems to me as a process that hangs.

Hi
Maintenance tasks… Logs being rotated and xz’ing up…

Hi

Thanks
Checking the /var/log directory revealed that something indeed has been going on:

DDAchtung:/home/olav # du /var/log -h
4.0K    /var/log/apparmor
60K     /var/log/libvirt/qemu
64K     /var/log/libvirt
8.0K    /var/log/cups
4.0K    /var/log/krb5
756K    /var/log/zypp
20K     /var/log/YaST2/internet-test
11M     /var/log/YaST2
4.0K    /var/log/samba
4.0K    /var/log/kvm
4.0K    /var/log/audit
4.0K    /var/log/hp/tmp
8.0K    /var/log/hp
4.0K    /var/log/news
67G     /var/log

Any tips on how to deal with this?
I’m going to clean it up, but would be nice to have a clue on what creates all these large logs.

olav@DDAchtung:~> ls -ls /var/log
total 69507528
       0 -rw-r----- 1 root root           0 Mar 17 19:24 acpid
      20 -rw-r--r-- 1 root root       19328 Apr 29 02:27 alternatives.log
       4 drwxr-xr-x 2 root root        4096 Nov 17  2014 apparmor
       4 drwx------ 2 root root        4096 Sep 28  2013 audit
       8 -rw-r--r-- 1 root root        8151 May 29 03:44 boot.log
       4 -rw------- 1 root root        3840 May 29 02:47 btmp
       4 drwxr-xr-x 2 lp   lp          4096 Mar 17 19:33 cups
       0 lrwxrwxrwx 1 root root          10 Mar 17 22:04 dump -> /var/crash
      16 -rw------- 1 root root       15968 Mar 18 04:47 faillog
    1340 -rw-r----- 1 root root     1365347 May 29 14:53 firewall
       4 drwxrwxr-x 3 root lp          4096 Jan 15  2014 hp
     644 -rw-r--r-- 1 root root      652775 May 29 03:44 kdm.log
       4 drwx------ 2 root root        4096 Mar 12 11:06 krb5
       4 drwxr-xr-x 2 root root        4096 Mar 31 15:43 kvm
     148 -rw-r--r-- 1 root root      292292 May 29 03:44 lastlog
       4 drwx------ 3 root root        4096 Mar 17 22:04 libvirt
     168 -rw-r--r-- 1 root root      166259 May 29 03:45 localmessages
      88 -rw-r----- 1 root root       83312 May 29 03:45 mail
       4 -rw-r----- 1 root root         230 Mar 17 19:24 mail.err
      88 -rw-r----- 1 root root       83312 May 29 03:45 mail.info
       4 -rw-r----- 1 root root         230 Mar 17 19:24 mail.warn
     188 -rw-r----- 1 root root      184595 May 29 15:36 messages
     204 -rw-r----- 1 root root      208688 Mar 19 19:00 messages-20150319.xz
     244 -rw-r----- 1 root root      247020 Mar 25 01:15 messages-20150325.xz
  491164 -rw-r----- 1 root root   502947060 Mar 26 01:15 messages-20150326.xz
   97664 -rw-r----- 1 root root   100005276 Mar 27 03:45 messages-20150327.xz
  186392 -rw-r----- 1 root root   190865248 Mar 28 06:15 messages-20150328.xz
     252 -rw-r----- 1 root root      256872 Mar 29 07:15 messages-20150329.xz
   45244 -rw-r----- 1 root root    46326232 Mar 30 07:15 messages-20150330.xz
 3895776 -rw-r----- 1 root root  3989269510 Apr  1 12:00 messages-20150401
   40016 -rw-r----- 1 root root    40976384 Apr  1 12:30 messages-20150401.xz
   33344 -rw-r----- 1 root root    34142896 Apr  2 12:30 messages-20150402.xz
     840 -rw-r----- 1 root root      858412 Apr  3 15:45 messages-20150403.xz
  242108 -rw-r----- 1 root root   247911976 Apr  4 15:45 messages-20150404.xz
   22720 -rw-r----- 1 root root    23263052 Apr  5 15:45 messages-20150405.xz
  233652 -rw-r----- 1 root root   239255140 Apr  7 15:45 messages-20150407.xz
    4380 -rw-r----- 1 root root     4482408 Apr  8 15:45 messages-20150408.xz
37060140 -rw-r----- 1 root root 37949555119 Apr  9 15:45 messages-20150409
 1021268 -rw-r----- 1 root root  1045774336 Apr 10 00:33 messages-20150409.xz
    7700 -rw-r----- 1 root root     7882180 Apr 14 15:45 messages-20150414.xz
  181668 -rw-r----- 1 root root   186020380 Apr 15 15:45 messages-20150415.xz
   55192 -rw-r----- 1 root root    56510600 Apr 16 15:45 messages-20150416.xz
  157056 -rw-r----- 1 root root   160818552 Apr 17 15:45 messages-20150417.xz
   58164 -rw-r----- 1 root root    59554100 Apr 20 15:45 messages-20150420.xz
  216616 -rw-r----- 1 root root   221808132 Apr 21 15:45 messages-20150421.xz
  197400 -rw-r----- 1 root root   202131988 Apr 22 15:45 messages-20150422.xz
   18220 -rw-r----- 1 root root    18654848 Apr 25 15:45 messages-20150425.xz
  104924 -rw-r----- 1 root root   107437628 Apr 26 15:45 messages-20150426.xz
   88016 -rw-r----- 1 root root    90124048 Apr 27 15:45 messages-20150427.xz
  148980 -rw-r----- 1 root root   152550876 Apr 28 15:45 messages-20150428.xz
   43808 -rw-r----- 1 root root    44854308 Apr 30 15:45 messages-20150430.xz
   44640 -rw-r----- 1 root root    45704036 May  2 15:45 messages-20150502.xz
   52216 -rw-r----- 1 root root    53468844 May  5 15:45 messages-20150505.xz
    5220 -rw-r----- 1 root root     5344488 May  7 15:45 messages-20150507.xz
    5320 -rw-r----- 1 root root     5447628 May 11 21:00 messages-20150511.xz
 3159576 -rw-r----- 1 root root  3235399474 May 12 21:00 messages-20150512
     196 -rw-r----- 1 root root      200668 May 20 21:00 messages-20150520.xz
    1384 -rw-r----- 1 root root     1415740 May 22 22:00 messages-20150522.xz
 3610008 -rw-r----- 1 root root  3696642492 May 24 22:00 messages-20150524
  119464 -rw-r----- 1 root root   122331136 May 24 22:58 messages-20150524.xz
   31284 -rw-r----- 1 root root    32028564 May 25 22:00 messages-20150525.xz
  205740 -rw-r----- 1 root root   210676648 May 26 22:00 messages-20150526.xz
    7900 -rw-r----- 1 root root     8087944 May 28 00:30 messages-20150528.xz
13221672 -rw-r----- 1 root root 13538980218 May 29 00:30 messages-20150529
  376948 -rw-r----- 1 root root   385990656 May 29 03:44 messages-20150529.xz
       0 -rw-r----- 1 root root           0 Mar 17 19:24 NetworkManager
       4 drwxr-x--- 2 news news        4096 Nov  6  2013 news
       0 -rw-r--r-- 1 root root           0 Nov  6  2013 ntp
     268 -rw-r--r-- 1 root root      273096 May 10 21:43 nvidia-installer.log
       4 -rw-r--r-- 1 root root        1736 May 10 21:43 nvidia-uninstall.log
     812 -rw------- 1 root root      823308 May 10 13:31 pbl.log
     172 -rw-r----- 1 root root      172057 Mar 17 19:49 pk_backend_zypp
       0 -rw-r--r-- 1 root root           0 May 29 03:44 pm-powersave.log
     248 -rw-r----- 1 root root      248301 May 28 00:34 rkhunter.log
      28 -rw-r----- 1 root root       28328 May  9 18:46 rkhunter.log-20150510.xz
      28 -rw-r----- 1 root root       26612 May 17 21:01 rkhunter.log-20150518.xz
      28 -rw-r----- 1 root root       24600 May 23 22:01 rkhunter.log-20150524.xz
     124 -rw-r----- 1 root root      124151 May 25 22:14 rkhunter.log-20150526
       4 drwxr-x--- 2 root root        4096 Feb 23 17:24 samba
      12 -rw-r----- 1 root root       11264 May 29 12:21 warn
  244140 -rw-r--r-- 1 root root   249992704 Mar 26 01:15 warn-20150326.xz
   48760 -rw-r----- 1 root root    49927912 Mar 27 03:45 warn-20150327.xz
   92092 -rw-r----- 1 root root    94299292 Mar 28 06:15 warn-20150328.xz
   22500 -rw-r----- 1 root root    23034292 Mar 30 07:15 warn-20150330.xz
   66248 -rw-r----- 1 root root    67833024 Apr  1 12:00 warn-20150401.xz
   16484 -rw-r----- 1 root root    16878316 Apr  2 12:30 warn-20150402.xz
     404 -rw-r----- 1 root root      409644 Apr  3 15:45 warn-20150403.xz
  120792 -rw-r----- 1 root root   123684024 Apr  4 15:45 warn-20150404.xz
   11220 -rw-r----- 1 root root    11486848 Apr  5 15:45 warn-20150405.xz
  115000 -rw-r----- 1 root root   117753156 Apr  7 15:45 warn-20150407.xz
    2128 -rw-r----- 1 root root     2175984 Apr  8 15:45 warn-20150408.xz
  593780 -rw-r----- 1 root root   608025968 Apr  9 15:45 warn-20150409.xz
    3664 -rw-r----- 1 root root     3750324 Apr 14 15:45 warn-20150414.xz
   90040 -rw-r----- 1 root root    92196412 Apr 15 15:45 warn-20150415.xz
   27552 -rw-r----- 1 root root    28205596 Apr 16 15:45 warn-20150416.xz
   77872 -rw-r----- 1 root root    79735816 Apr 17 15:45 warn-20150417.xz
   28552 -rw-r----- 1 root root    29232356 Apr 20 15:45 warn-20150420.xz
  107404 -rw-r----- 1 root root   109974080 Apr 21 15:45 warn-20150421.xz
   95944 -rw-r----- 1 root root    98245344 Apr 22 15:45 warn-20150422.xz
    8872 -rw-r----- 1 root root     9081192 Apr 25 15:45 warn-20150425.xz
   52320 -rw-r----- 1 root root    53569660 Apr 26 15:45 warn-20150426.xz
   43236 -rw-r----- 1 root root    44266100 Apr 27 15:45 warn-20150427.xz
   73400 -rw-r----- 1 root root    75157052 Apr 28 15:45 warn-20150428.xz
   21388 -rw-r----- 1 root root    21897696 Apr 30 15:45 warn-20150430.xz
   21752 -rw-r----- 1 root root    22271052 May  2 15:45 warn-20150502.xz
   25724 -rw-r----- 1 root root    26339692 May  5 15:45 warn-20150505.xz
    2636 -rw-r----- 1 root root     2696288 May  7 15:45 warn-20150507.xz
    2616 -rw-r----- 1 root root     2676256 May 11 20:01 warn-20150511.xz
 1520456 -rw-r----- 1 root root  1556941019 May 12 13:22 warn-20150512
   50280 -rw-r----- 1 root root    51486720 May 12 21:14 warn-20150512.xz
     764 -rw-r----- 1 root root      781492 May 22 21:58 warn-20150522.xz
   60756 -rw-r----- 1 root root    62210436 May 24 16:19 warn-20150524.xz
   15564 -rw-r----- 1 root root    15934200 May 25 19:52 warn-20150525.xz
  104860 -rw-r----- 1 root root   107375560 May 26 19:54 warn-20150526.xz
    3920 -rw-r----- 1 root root     4010872 May 28 00:29 warn-20150528.xz
  234756 -rw-r----- 1 root root   240387156 May 28 23:36 warn-20150529.xz
       8 -rw-r--r-- 1 root root        6040 May 29 03:44 wpa_supplicant.log
     360 -rw-rw-r-- 1 root utmp      362496 May 29 15:23 wtmp
      16 -rw-rw-r-- 1 root utmp       12884 Apr 15 11:54 wtmp-20150415.xz
      28 -rw-r--r-- 1 root root       28093 May 29 03:44 Xorg.0.log
      32 -rw-r--r-- 1 root root       29723 May 29 03:44 Xorg.0.log.old
       4 drwx------ 3 root root        4096 May 29 03:38 YaST2
       4 drwxr-xr-x 2 root root        4096 Aug  1  2014 zypp

Well now, you could copy paste some lines from the messages file which is just a normal text file to, for example, Pastebin.

http://pastebin.ca/

Hi
Yikes, 67GB!!! you have some issues going on for sure generating huge logs…

Looks like this one never finished?

13538980218 May 29 00:30 messages-20150529

I would have a look in the latest xz files to see what’s up with your system.

I think I know what it is now.

I am in the process of recovering an HD using ddrescue, which will probably take another year or so, and it seems like every read/access failure (I presume) onto the disc is logged. It’s a very long log file so I can’t be sure, but logged ‘failed access attempts’ entries goes on and on; referring to the last message-xxxxxx.xz, (thank you Malcolm).

Actually, I think I may avoid most of the logging by adding a parameter to the ddrescue command, limiting failed read attempts on the same sector/block (don’t know what the smallest logical/physical?] hard-drive quantity is called - archè logos:O).

BTW, is it possible to split, or pull a sector out of, a file to make it easier to handle in cases like this (this file was 10.2 GiB - the largest (compressed one), given same compression ratio, would have been approximately 30GiB - there was an uncompressed part which was even larger)?
Or any other better method, for that matter?

Thank you!

Cheers,
Olav

On Fri, 29 May 2015 12:46:01 +0000, F Sauce wrote:

> Hi
>
> More recently I have noticed, a couple of times, an «xz» process that
> just runs on for ‘ever’, using 25% of the cpu; one core on full load I
> presume.
> The process is owned by root, but I have not checked ppid. The last time
> this occurred was yesterday evening; I haven’t noticed any pattern
> concerning what or when this process invokes yet, though.
> This behaviour may be perfectly normal for all I know, and something
> that regularly occurs; though I am unsure, this brings the system fans
> up at max as well so it is quite noticeable when it drags out.
>
> My question(s): should I pay closer attention to it or does the system
> regularly initiate «xz» (compression/decompression, is it?), and is it
> normal that these processes takes a long long time to finish (yesterday
> I forced it to stop after maybe half an hour)?
>
>
> NB I pondered if «xz» may have been connected with rkhunter, it may,
> perhaps, but rkhunter was not running yesterday when I terminated the
> process.
>
>
> Not very clearly laid out, but thanks for any answers.
>
> Olav

pstree can be very helpful to find out what is using the xz instance
that’s causing the issue.

Jim

–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Interesting tool.

Thank you!

Olav

Hi
Or send it to dev/null if you not interested? Depending on the drive smartctl -A should show you the physical/logical or fdisk.

Sorry not sure what you mean, as in getting info out of the log files? Or a file on the disk your trying to recover?

Hi

I just wondered if there were good ways of handing, reading basically, large text files; e.g. divide, if possible, the text file into 10 new files for instance. Kate crashed when I tried to launch it there, so I used less. It was a strange question I suppose.

How do you read large log files?

On Fri, 29 May 2015 16:16:01 +0000, F Sauce wrote:

> Interesting tool.
>
> Thank you!

You bet. If you use ‘pstree -p’ you’ll get the PIDs as well, and if you
pipe it through less, you can search for the process that seems to be the
issue. That’ll make sure you’re looking at the right one.

Jim

–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Hi
Use less or more or there is tail and add a number range… Or just use journalctl -f and follow the logging.

On 2015-05-29 21:06, malcolmlewis wrote:

> Hi
> Use less or more or there is tail and add a number range… Or just use
> journalctl -f and follow the logging.

If the “syslog” logs are 67 GB, then journalctl will crash handling that

Just examine the traditional /var/log/ files.

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

On 2015-05-29 20:16, F Sauce wrote:

> Hi
>
> I just wondered if there were good ways of handing, reading basically,
> large text files; e.g. divide, if possible, the text file into 10 new
> files for instance. Kate crashed when I tried to launch it there, so I
> used less. It was a strange question I suppose.
>
> How do you read large log files?

With less. If it is compressed, “zless”, but it should happen
automatically. Or you can search for a pattern using grep (or zgrep) and
pipe the result into another file.

xz is run by “logrotate”, which in turn is being run by a systemd timer
in 13.2, and by a cron job in 13.1 or older. It takes a lot of cpu
because the messages file is very large, and xz compresses a lot.

And syslog is simply recording the kernel error messages generated when
trying to read a bad sector from the damaged disk that you are trying to
recover.

It would be best that instead of using dd_rescue you used dd_rhelp,
which is a script that in turn calls dd_rescue, but using a pattern that
minimizes time and failed reads. The idea is that first it copies all
good areas of the disk, and then progressively zeroes on bad areas. It
tells you what percent it has copied. For instance, in just a few hours
it might copy 99% of the disk, and the remaining 1% might take hours,
and the last 0.1% days. You can simply stop it when you had enough.

This also reduces log entries

HTH.

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Hello.

Thanks for the tips.

The partition / was so full that if I had extracted both the last warn and messages files in the /var/log dir I probably would have crashed the system:) Root is on a 120GB SSD and before I cleaned up the logs I backed those two files up to a back-up hard-drive, then extracted them there with ark (I didn’t know about zless, and didn’t know I would be able to read a file in its compressed state that way).

Concerning the recovery tool:
It isn’t the old dd_rescue I’m using, I’m using this one: Ddrescue - GNU Project - Free Software Foundation (FSF)
Actually, I prepared for using dd_rhelp (actually a tip I got from you, a while ago, Carlos), but on its home-site the author recommended this tool instead of his: Kalysto - /Utilities/dd_rhelp - (rescue hard disk helper), so I just went along with the recommendation.

Thanks all of you, I’ve learnt several things today.

Cheers,
Olav

On 2015-05-30 03:06, F Sauce wrote:

> Hello.
>
> Thanks for the tips.

Welcome.

> The partition / was so full that if I had extracted both the last
> -warn- and -messages- files in the /var/log dir I probably would have
> crashed the system:)

And it did not crash before because the system was rotating the logs

> Root is on a 120GB SSD and before I cleaned up the
> logs I backed those two files up to a back-up hard-drive, then extracted
> them there with ark (I didn’t know about zless, and didn’t know I would
> be able to read a file in its compressed state that way).

Mind, I do not know if it is uncompressed it /tmp or just a chunk in
memory. Because zless can page forward or backwards, and I can’t imagine
how to do that unless the whole is uncompressed.

> Concerning the recovery tool:
> It isn’t the old dd_rescue I’m using, I’m using this one:
> http://www.gnu.org/software/ddrescue/
> Actually, I prepared for using dd_rhelp (actually a tip I got from you,
> a while ago, Carlos), but on its home-site the author recommended this
> tool instead of his:
> http://www.kalysto.org/utilities/dd_rhelp/index.en.html, so I just went
> along with the recommendation.

Ah, I see, yes, the gnu version. I rather like the old version, although
the new version may be better. I never know by looking at the name which
one is which

You should also check the size of the systemd journal, it may be huge. I
suppose it auto-purges, I know not how.

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

OK, where would I find this?