Re: "top" consumes 25% cpu time

From: Tobias Meyer (bimee0vpussz94j_at_jetable.net)
Date: 07/27/05 

Date: 27 Jul 2005 01:52:57 -0700

Thanks for the help Moe,

I'll try to be a bit more precise...

Moe Trin schrieb:
> In the Usenet newsgroup alt.os.linux.suse, in article
> <1122384970.227599.156660@g43g2000cwa.googlegroups.com>, Tobias Meyer wrote:
>
> >one of our machines has gotten quite slow recently, so i tries using
> >the "top" command to find the culprit.
>
> What has gotten slow? Network access? File access? The displays?
> The clock or calendar?
>
Actually it's a webserver - what has gotten slow is the page loading
time.
To have some numbers: On my local test machine with local database (a
snapshot of the actual database, so it's not the db-size) loading of a
page takes about 250ms tops, on the web server the same operation takes
about 30 seconds...
Alas, once the page has been loaded it is re-displayed quite quickly
(because we cache the data).

My conclusion was that it has to be the database, but the profiler
shows no sign of that.

We also have to calculate quite a bit when first loading the page,
(which is also cached), so that might be the reason.

Last but not least the loaded page takes up some memory in the cache,
so it might also be memory access or swapping...

Unfortunately xosview (yeah, I know X11 on a webserver is bad - it was
not my choice...) shows no sign of swapping, we have plenty of disk
space left, the machine is equipped with a gigabit nic, and there are
no CPU-eating processes running. The machine is by any means better
equipped than my local test machine.

We are also talking about 10-20 concurrent sessions on the life server
with maybe 40 page hits per minute (all sessions) - under normal
circumstances that would not pose the slightest problem.

> >On other machines top uses something below 1% of the cpu time, on that
> >particular machine (a P4 2,5 GHz) it takes 25% and more.
>
> Depends on what the system is doing.

see above.
Top should imho never consume so much cpu-time in any case...

>
> >My first thought was that we might have caught something, but there are
> >no unreasonable modules or processes loaded and chkrootkit also shows
> >no sing of infection.
>
> chkrootkit (and the similar 'rkhunter') look for symptoms that have been
> seen before as indications of rootkits. For example, the first checks
> in chkrootkit-0.45 are to look for /tmp/.../a or /tmp/.../r, and if those
> are present, warn that the system may have the 55808 Worm installed.
> While this might be wonderful, if the malware writer has renamed the
> directory /tmp/.../b, it won't be detected.

True, that's why I was wondering if anyone has seen similar behaviour
caused by something not (yet) detected by chkrootkit.

(and it would have to be something clever to hide the process)

Thanks,
Tobias

Loading