root using too much CPU due to netstat


PvUtrix
07-15-2005, 11:05 AM
CPU usage for user "root" (in WHM>CPU/Memory/MySQL Usage) has usually been below 6%, then it started climbing, and when it hit 15% daily and began to be highlighted in yellow and red, I decided to investigate...


User Domain %CPU %MEM Mysql Processes
root 13.82 0.51 1.8 <- This was highlighted yellow
Top Process %CPU 68.5 netstat -nlp
Top Process %CPU 59.0 netstat -nlp
Top Process %CPU 52.3 netstat -nlp



I contacted support and they told me that it's OK for "root" to use 15% CPU and told me to refer to VZPP's resource usage and look out for QoS alerts... I was not convinced, however, and continued my investigation :)


One of the programs running this process turned out to be LSM (It is a network socket monitor - http://www.rfxnetworks.com/lsm.php)
It runs as a cron job (/etc/cron.d/lsm) every 10 minutes
Changing it to run every 30 minutes solved the problem...

User root is back to its usual CPU consumption of around 3% and "netstat -nlp" is no longer among the top processes...

No yellow or red highlights make me more relaxed :)

P.S.
As for QoS alerts in VZPP, I've seen cpuunits hit the limit many times (see attachment) and it's hitting it right now, but it's not logged in QoS alerts... why?

BornOnline
07-15-2005, 03:16 PM
Hah.. I just changed my LSM cron today too. Was reading about it on cpanel forums.

Thanks for the info

Hvu
07-15-2005, 08:57 PM
Wow, how are you using soo much CPU? I'm only using 20 units outta 1969. But I only run http/mysql/mail/dns on my box. It uses a lot of memory rather than CPU. I remember my CPU was at 100% when it's backing up logs and rotating them. Also the time I didn't have an index on one of my tables, which was 13,000 rows, and couldn't figure out why it was slow for days.

PvUtrix
07-15-2005, 09:46 PM
wow, how are you using soo much CPU?
I have one busy forum.... it's not always like that, just a few times a day, but still I don't get how come it's not getting logged at VZPP's QoS?!

PvUtrix
07-15-2005, 09:59 PM
Hah.. I just changed my LSM cron today too. Was reading about it on cpanel forums.

Thanks for the info

That's where I got the info also :)

Hvu
07-16-2005, 01:17 AM
Crazy how many hits per min? I get around 500 hits per min on http. But the site is highly optimized. Cache is my best friend (: Adodb works wonders caching the database queries.

PvUtrix
07-16-2005, 06:42 AM
Crazy how many hits per min? I get around 500 hits per min on http. But the site is highly optimized. Cache is my best friend (: Adodb works wonders caching the database queries.
I'm about at the same number at peak hours... the forum has about 80-100 users at that time...

Maybe I was a bit misleading in my previous post when I said "many times"... It doesn't stay at 100 for a long time, just a few seconds (and I am lucky to catch it sometimes :) ), but it still hits the limit and I was wondering why it's not being logged...

I like adodb also and use it in all the new projects that I start...

vps-vince
07-16-2005, 09:32 AM
Hah.. I just changed my LSM cron today too. Was reading about it on cpanel forums.


So from:
MAILTO=
SHELL=/bin/sh
# */10 * * * * root /usr/local/sbin/lsm -c >> /dev/null 2>&1


To this right?
MAILTO=
SHELL=/bin/sh
# */30 * * * * root /usr/local/sbin/lsm -c >> /dev/null 2>&1


Excuse the noob :)

charles
07-16-2005, 01:58 PM
Just to clarify about CPU use. It is very possible to hit 100% CPU, since you can burst. Many customers spend more time getting over 100% most of the time. If it's available and you need it, you will get it. The 100% is just your guarantee.

Vince, those LSM entries are commented out, so it doesn't make a difference in your case. Our default config is to have it commented out since our firewall thwarts an attack where a random executable tries to listen on some port (it can but won't get any traffic).

charles

vps-vince
07-16-2005, 02:19 PM
Vince, those LSM entries are commented out, so it doesn't make a difference in your case. Our default config is to have it commented out since our firewall thwarts an attack where a random executable tries to listen on some port (it can but won't get any traffic).


Gosh, how stupid of me not noticing the #
I'll get my coat ...
:o :o :o

BornOnline
07-16-2005, 03:28 PM
That is exactly what I did Vince.

So from:


To this right?


Excuse the noob :)

vps-vince
07-17-2005, 06:46 PM
OK, so what is the lsm cron actually for, and charles, you are saying effectively not to bother enabling it?

Thanks for your patience.

- V

charles
07-17-2005, 08:19 PM
It essentially looks for new sockets opened, which can be an indication you have been hacked (or at the very least have something listening on a port that you didn't have before).

I am saying it's another layer of security, but if you're trying to tweak performance, I think it's OK to disable.

See http://rfxnetworks.com/lsm.php for details

charles

Robert
07-17-2005, 11:06 PM
The biggest problem I've seen with LSM are the occasional false alerts caused by passive FTP ports. If a new port is opened for passive FTP in the firewall, LSM occasionally will send a notice about it when it's just a regular FTP session.

Fred
07-18-2005, 11:52 AM
Is there a way to tell pure-ftpd to stay in a certain port range for passive FTP?
So the false alert can be "ignored" or verified with the feeling that it's a false alert...
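
An added example (not from the thread and not LSM's own code) of the check charles describes and the passive-FTP false alert Robert mentions: it diffs `netstat -nlp` output against a baseline and suppresses a new listener only when pure-ftpd owns it inside a configured passive range. The sample output, the 30000-30100 range and the function names are assumptions; pure-ftpd's own range is set with its `-p first:last` option.

```shell
#!/bin/sh
# Added example, not LSM's code. The netstat output below is constructed.
BASELINE='Proto Recv-Q Send-Q Local Address  Foreign Address State  PID/Program name
tcp 0 0 0.0.0.0:80     0.0.0.0:* LISTEN 812/httpd
tcp 0 0 0.0.0.0:21     0.0.0.0:* LISTEN 640/pure-ftpd (SERV
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 701/mysqld
udp 0 0 0.0.0.0:53     0.0.0.0:*        598/named'
# Later run: a passive FTP data listener plus one listener nobody expected.
CURRENT="$BASELINE
tcp 0 0 0.0.0.0:30042  0.0.0.0:* LISTEN 9021/pure-ftpd (IDLE
tcp 0 0 0.0.0.0:30500  0.0.0.0:* LISTEN 9100/perl"

# Reduce `netstat -nlp` text on stdin to sorted "proto port program" lines.
# PIDs are dropped so a restarted daemon does not look like a new listener.
listeners() {
    awk '$1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":"); port = a[n]      # last piece also handles :::22
        prog = "-"                              # "-" when netstat ran unprivileged
        for (i = 5; i <= NF; i++)
            if ($i ~ /^[0-9]+\//) { prog = $i; sub(/^[0-9]+\//, "", prog); break }
        print $1, port, prog
    }' | sort -u
}

# new_listeners BASELINE CURRENT LO HI
# Prints listeners present in CURRENT but not in BASELINE. A TCP listener is
# suppressed only if it is owned by pure-ftpd AND its port is in LO..HI, so
# another program listening inside the passive range is still reported.
new_listeners() {
    base=$(printf '%s\n' "$1" | listeners)
    printf '%s\n' "$2" | listeners |
        grep -Fxv -e "$base" |
        awk -v lo="$3" -v hi="$4" \
            '!($1 ~ /^tcp/ && $3 == "pure-ftpd" && $2+0 >= lo+0 && $2+0 <= hi+0)'
}

# Assumed passive range 30000-30100 (must match pure-ftpd's own setting).
new_listeners "$BASELINE" "$CURRENT" 30000 30100   # prints: tcp 30500 perl
```

Matching on the owning program as well as the port range keeps the exemption narrow; when netstat runs without root the program column is `-`, so nothing is suppressed and every new listener is reported.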