/ (root) overflow
Check the following when the root file system (/) has become full.
- Use the following command to read the contents of the /etc/security/failedlogin file:
who /etc/security/failedlogin
TTYs that are recreated too rapidly can generate failed login entries. To clear the file after reading or saving the output, execute the following command:
cp /dev/null /etc/security/failedlogin
- Check the /dev directory for a device name that is typed incorrectly. If a device name is typed incorrectly, such as rmto instead of rmt0, a file will be created in /dev called rmto. The command will normally proceed until the entire root file system is filled before failing. /dev is part of the root (/) file system. Look for entries that are not devices (that do not have a major or minor number). To check for this situation, use the following command:
cd /dev
ls -l | pg
In the same location that would indicate a file size for an ordinary file, a device file has two numbers separated by a comma. For example:
crw-rw-rw- 1 root system 12,0 Oct 25 10:19 rmt0
If the file name or size location indicates an invalid device, as shown in the following example, remove the associated file:
crw-rw-rw- 1 root system 9375473 Oct 25 10:19 rmto
Note: Do not remove valid device names in the /dev directory. One indicator of an invalid device is an associated file size that is larger than 500 bytes.
- If system auditing is running, the default /audit directory can rapidly fill up and require attention.
- Use the find command to check for very large files that might be removed. For example, to find all files in the root (/) directory larger than 1 MB, use the following command:
find / -xdev -size +2048 -ls | sort -r -n +6
This command finds all files greater than 1 MB and sorts them in reverse order with the largest files first. Other flags for the find command, such as -newer, might be useful in this search. For detailed information, see the command description for the find command.
Note: When checking the root directory, major and minor numbers for devices in the /dev directory will be interspersed with real files and file sizes. Major and minor numbers, which are separated by a comma, can be ignored.
Before removing any files, use the following command to ensure a file is not currently in use by a user process:
fuser filename
Where filename is the name of the suspect large file. If a file is open at the time of removal, it is only removed from the directory listing. The blocks allocated to that file are not freed until the process holding the file open is killed.
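The /dev check and the in-use check described above can be combined into one report. This is an added example, not part of the original page: the function names stray_files and open_state are assumptions, and the 500-byte default follows the note above.

```shell
#!/bin/sh
# Added example (not from the original page). Reports ordinary files that
# sit in a device directory, the symptom of a mistyped device name such as
# rmto, together with whether a process still holds each file open.
# Usage after sourcing this file: stray_files /dev 500

# open_state FILE: prints "in-use", "idle", or "unknown" (fuser not found).
# POSIX fuser writes the PIDs that have the file open to standard output,
# so any output at all means removal would not free the blocks yet.
open_state() {
    if ! command -v fuser >/dev/null 2>&1; then
        echo unknown
    elif [ -n "$(fuser "$1" 2>/dev/null)" ]; then
        echo in-use
    else
        echo idle
    fi
}

# stray_files [DIR] [MIN_BYTES]: prints "bytes<TAB>state<TAB>path" for each
# regular file under DIR larger than MIN_BYTES, largest first.
# -type f skips character and block devices, directories and symlinks, so
# only entries without major and minor numbers are reported; -xdev keeps
# the search on the file system that holds DIR.
stray_files() {
    dir=${1:-/dev}
    min=${2:-500}
    find "$dir" -xdev -type f -size +"${min}c" -print 2>/dev/null |
    while IFS= read -r f; do
        # Arithmetic expansion strips the padding some wc versions emit.
        bytes=$(( $(wc -c < "$f") ))
        printf '%s\t%s\t%s\n' "$bytes" "$(open_state "$f")" "$f"
    done | sort -rn
}
```

Review each reported path before removing it; a file marked in-use keeps its blocks allocated until the process holding it open ends.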