???UNSURE??? Re: Unwanted activation of root-processes getting highly activated

???UNSURE??? Re: Unwanted activation of root-processes getting highly activated

[secret]

Hi,
Firejail must have caused the high activity.
Whenever I stop it (process firejail), they lower to origin.
Regards

On 10/9/21 7:15 AM, Theodore Ts'o wrote:
> On Fri, Oct 08, 2021 at 05:04:55PM +0000, secret wrote:
>> Date: 08.10.2021
>>
>> Subject/Betreff: Unwanted activation of root-processes reading and writing
out
>> the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor
(OpenSuSE)
>> usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
>> Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
>> Überschreiben beliebiger Dateien
>>
>> Hi, Greg, dear Linux experts and friends,
>>
>> this is one of the most dangerous and worst things, Linux can happen!
>> Refering to the actual kernel 5.4.134 ( now up to the actual version
5.4.151
>> and higher, additional remark from 10.08.2021), there still is a problem
with
>> unexpectedly activated, highly active root-processes (making the tower-LED
>> causing readwrites onto harddiscs and making the SSD/harddrive blink
serious-
>> madly hard for about up to 20 minutes). The whole SSD/harddrive seems to
get
>> read out and overwritten!
>>
>> The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
>> root-processes are named
>>
>> kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
>> kworker/0:1H-kblockd
>> dmcrypt_write/2 and
>> jbd2/dm2--8
>
> Activity by these kernel threads indicate that some userspace program
> running on your system is reading (and in the case of the
> dmcrypt_write and jbd2 kernel threads, writing) data to your hard
> drive.  They are a symptom, not the cause of whatever is causing the
> large amount of activity on your SSD/hard drive.
>
> It is not something that can be "patched" in the kernel.  It is an
> indication of some program (or possibly malware) running on your
> system is doing a lot of file I/O.
>
> It is possible that as a result of some web site that you visited, it
> is causing the web browser ("firejail", which sounds like the firefox
> browser running some kind of security sandbox) to do a lot of I/O.  So
> the first thing you might try is to exit the web browser and see that
> causes the I/O to abate.  If it does, and if it starts up again when
> you start the web browser and the web browser is not open on any web
> pages, then you might have some misbehaving browser extension that
> somehow got installed, and you might want to try clearing your browser
> profile and uninstalling all of your browser extensions.
>
> If exiting the browser does not cause the SSD/HDD activity to stop
> within half a minute or so, then some other userspace program must be
> causing it.  It is possible that this might be some background system
> indexing (for example, rebuilding the locatedb), although normally if
> you've left the system up at night, this sort of activity is done when
> the system is idle typically in the wee hours of the morning.
>
> But it is also possible that you have some kind of malware installed
> on your system, in which case the only good solution is to reinstall
> it.  In any case, this is not something that kernel developers can
> help you with.  Perhaps if there is a local Linux User's Group that
> you can contact for more assistance, they can help you.  If not,
> you'll need to find someone who can help you with Linux system
> administration.
>
> Cheers,
> 						- Ted

Hi,
Did you try any of what Ted suggested?
and what happened when you did that?

--
~Randy

Re: ???UNSURE??? Re: Unwanted activation of root-processes getting highly activated

[Theodore Ts'o]

On Thu, Oct 14, 2021 at 12:40:08PM +0000, secret wrote:
> Hi,
> Firejail must have caused the high activity.
> Whenever I stop it (process firejail), they lower to origin.

This is what I had been trying to tell you repeatedly.  Firejail
(firefox run in a sandbox/jail) is a browser which will do various
activities on behalf of whatever web pages that you visit.  Some of
these webpages may have javascript, or other web-based application
code which is causing a lot of file I/O.  So when visiting that web
page causes firefox to execute a lot of file I/O, on behalf of the web
site, in order to service the file I/O, the kernel will do that work
in the kernel threads that you seem to be objecting to having
activity.

However, those kernel threads being active when there is file I/O is
*normal*.  It is the system working as intended.  I don't know why you
would be objecting to those kernel threads being active, but if you
don't like it, don't do any file I/O, and if that means not using
firefox (or "firejail") to visit those web sites.

Regards,

					- Ted

???UNSURE??? Re: Unwanted activation of root-processes getting highly activated

[secret]

10.27.2021
Hello, today it manages us (Gooken) to prevent the highly active kernel-
processes from above after a look into the home-directory of tor
(/home/surfuser).
There the size of a file increases all the times during the activation of tor
surrounded by firejail (that causes the high activity of the kernel-
processes), it is named:

cached-microdesc-consensus

and its size was incredible high (much over 100 MB)!

It prevents Tor from building up any connection, so I had to wait up to 20
minutes.

Deleting it did not help: This file occured and larges its size again.

So we set integrity on it (this file) by "chattr +i";. Now the problem
described next indeed got solved, Tor immediately builds up connections,
kernel-processes activity lowered to the current percentage far below 10
percent and the tower-LED for readwrites stopped blinking,
but nevertheless this is not really a good solution,
tor or firejail and kernel (here 5.4) of course still have to get patched ! (
!!! )
The listed processes becoming highly active themselves got started by khreadd.

Hi,
Firejail must have caused the high activity.
Whenever I stop it (process firejail), they lower to origin.
Regards

On 10/9/21 7:15 AM, Theodore Ts'o wrote:
> On Fri, Oct 08, 2021 at 05:04:55PM +0000, secret wrote:
>> Date: 08.10.2021
>>
>> Subject/Betreff: Unwanted activation of root-processes reading and writing
out
>> the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor
(OpenSuSE)
>> usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
>> Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
>> Überschreiben beliebiger Dateien
>>
>> Hi, Greg, dear Linux experts and friends,
>>
>> this is one of the most dangerous and worst things, Linux can happen!
>> Refering to the actual kernel 5.4.134 ( now up to the actual version
5.4.151
>> and higher, additional remark from 10.08.2021), there still is a problem
with
>> unexpectedly activated, highly active root-processes (making the tower-LED
>> causing readwrites onto harddiscs and making the SSD/harddrive blink
serious-
>> madly hard for about up to 20 minutes). The whole SSD/harddrive seems to
get
>> read out and overwritten!
>>
>> The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
>> root-processes are named
>>
>> kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
>> kworker/0:1H-kblockd
>> dmcrypt_write/2 and
>> jbd2/dm2--8
>
> Activity by these kernel threads indicate that some userspace program
> running on your system is reading (and in the case of the
> dmcrypt_write and jbd2 kernel threads, writing) data to your hard
> drive.  They are a symptom, not the cause of whatever is causing the
> large amount of activity on your SSD/hard drive.
>
> It is not something that can be "patched" in the kernel.  It is an
> indication of some program (or possibly malware) running on your
> system is doing a lot of file I/O.
>
> It is possible that as a result of some web site that you visited, it
> is causing the web browser ("firejail", which sounds like the firefox
> browser running some kind of security sandbox) to do a lot of I/O.  So
> the first thing you might try is to exit the web browser and see that
> causes the I/O to abate.  If it does, and if it starts up again when
> you start the web browser and the web browser is not open on any web
> pages, then you might have some misbehaving browser extension that
> somehow got installed, and you might want to try clearing your browser
> profile and uninstalling all of your browser extensions.
>
> If exiting the browser does not cause the SSD/HDD activity to stop
> within half a minute or so, then some other userspace program must be
> causing it.  It is possible that this might be some background system
> indexing (for example, rebuilding the locatedb), although normally if
> you've left the system up at night, this sort of activity is done when
> the system is idle typically in the wee hours of the morning.
>
> But it is also possible that you have some kind of malware installed
> on your system, in which case the only good solution is to reinstall
> it.  In any case, this is not something that kernel developers can
> help you with.  Perhaps if there is a local Linux User's Group that
> you can contact for more assistance, they can help you.  If not,
> you'll need to find someone who can help you with Linux system
> administration.
>
> Cheers,
> 						- Ted

Hi,
Did you try any of what Ted suggested?
and what happened when you did that?

--
~Randy

Re: ???UNSURE??? Re: Unwanted activation of root-processes getting highly activated

[andreas-stoewing]

Listed processes get already highly active during the start of pale moon, before the surfing itself. No webside is called, when it already happens. 


Gesendet von Andreas

Am 14.10.2021 20:27 schrieb Theodore Ts'o <tytso@mit.edu>:
>
> On Thu, Oct 14, 2021 at 12:40:08PM +0000, secret wrote: 
> > Hi, 
> > Firejail must have caused the high activity. 
> > Whenever I stop it (process firejail), they lower to origin. 
>
> This is what I had been trying to tell you repeatedly.  Firejail 
> (firefox run in a sandbox/jail) is a browser which will do various 
> activities on behalf of whatever web pages that you visit.  Some of 
> these webpages may have javascript, or other web-based application 
> code which is causing a lot of file I/O.  So when visiting that web 
> page causes firefox to execute a lot of file I/O, on behalf of the web 
> site, in order to service the file I/O, the kernel will do that work 
> in the kernel threads that you seem to be objecting to having 
> activity. 
>
> However, those kernel threads being active when there is file I/O is 
> *normal*.  It is the system working as intended.  I don't know why you 
> would be objecting to those kernel threads being active, but if you 
> don't like it, don't do any file I/O, and if that means not using 
> firefox (or "firejail") to visit those web sites. 
>
> Regards, 
>
> - Ted 

???UNSURE??? Re: Unwanted activation of root-processes getting highly activated

[secret]

The listed processes becoming highly active themselves got started by khreadd.

Hi,
Firejail must have caused the high activity.
Whenever I stop it (process firejail), they lower to origin.
Regards

On 10/9/21 7:15 AM, Theodore Ts'o wrote:
> On Fri, Oct 08, 2021 at 05:04:55PM +0000, secret wrote:
>> Date: 08.10.2021
>>
>> Subject/Betreff: Unwanted activation of root-processes reading and writing
out
>> the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor
(OpenSuSE)
>> usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
>> Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
>> Überschreiben beliebiger Dateien
>>
>> Hi, Greg, dear Linux experts and friends,
>>
>> this is one of the most dangerous and worst things, Linux can happen!
>> Refering to the actual kernel 5.4.134 ( now up to the actual version
5.4.151
>> and higher, additional remark from 10.08.2021), there still is a problem
with
>> unexpectedly activated, highly active root-processes (making the tower-LED
>> causing readwrites onto harddiscs and making the SSD/harddrive blink
serious-
>> madly hard for about up to 20 minutes). The whole SSD/harddrive seems to
get
>> read out and overwritten!
>>
>> The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
>> root-processes are named
>>
>> kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
>> kworker/0:1H-kblockd
>> dmcrypt_write/2 and
>> jbd2/dm2--8
>
> Activity by these kernel threads indicate that some userspace program
> running on your system is reading (and in the case of the
> dmcrypt_write and jbd2 kernel threads, writing) data to your hard
> drive.  They are a symptom, not the cause of whatever is causing the
> large amount of activity on your SSD/hard drive.
>
> It is not something that can be "patched" in the kernel.  It is an
> indication of some program (or possibly malware) running on your
> system is doing a lot of file I/O.
>
> It is possible that as a result of some web site that you visited, it
> is causing the web browser ("firejail", which sounds like the firefox
> browser running some kind of security sandbox) to do a lot of I/O.  So
> the first thing you might try is to exit the web browser and see that
> causes the I/O to abate.  If it does, and if it starts up again when
> you start the web browser and the web browser is not open on any web
> pages, then you might have some misbehaving browser extension that
> somehow got installed, and you might want to try clearing your browser
> profile and uninstalling all of your browser extensions.
>
> If exiting the browser does not cause the SSD/HDD activity to stop
> within half a minute or so, then some other userspace program must be
> causing it.  It is possible that this might be some background system
> indexing (for example, rebuilding the locatedb), although normally if
> you've left the system up at night, this sort of activity is done when
> the system is idle typically in the wee hours of the morning.
>
> But it is also possible that you have some kind of malware installed
> on your system, in which case the only good solution is to reinstall
> it.  In any case, this is not something that kernel developers can
> help you with.  Perhaps if there is a local Linux User's Group that
> you can contact for more assistance, they can help you.  If not,
> you'll need to find someone who can help you with Linux system
> administration.
>
> Cheers,
> 						- Ted

Hi,
Did you try any of what Ted suggested?
and what happened when you did that?

--
~Randy