Skip to main content

lfd on server.cloudware.network: Excessive resource usage: username (3017915 (Parent PID:3017915))

Comments

6 comments

  • cPRex Jurassic Moderator

    Hey there!  Yes, you can likely ignore this message.  This is just letting you know that a process is running longer than the default threashold of that software, which is set to 1800 seconds.

    Please remember that cPanel doesn't provide or support the CSF tools.

    0
  • Metro2

    I too am running CloudLinux 8 + CSF, and strange coincidence - just within the past 24 hours I started receiving this same lfd alert every hour for just one user account (out of hundreds) on one of my servers and there has been absolutely no change whatsoever to that user's account. There is no indication at all as to why this alert would just start happening out of nowhere just for that one single account.

    lfd on hostname.example.com: Excessive resource usage: example (4156531 (Parent PID:4156531))

    Time:         Wed Jul 24 09:02:56 2024 -0400
    Account:      example
    Resource:     Process Time
    Exceeded:     126210 > 2400 (seconds)

    Executable:   /usr/bin/gpg-agent
    Command Line: gpg-agent --homedir /home/example/.gnupg --use-standard-socket --daemon
    PID:          4156531 (Parent PID:4156531)
    Killed:       No

    I've been running CSF/LFD (actually the entire ConfigServer suite of tools) on all of my servers for 19 years through many changes and migrations etc..., and have never once seen this before.

    Contacting ConfigServer support would not be practical in such a case, since it's not CSF/LFD causing it - the source of the issue is a process that just began running on a single account (in this case, gpg-agent --homedir /home/example/.gnupg --use-standard-socket --daemon) and that's outside the scope of CSF support.

    This is a cPanel server related item, not a CSF issue. If it were a CSF issue then we'd be seeing these alerts for all accounts on the server, not just one account.

    Something's up here, but I can't quite figure out what. The account / user / site in question is one that I've been hosting since 2001, and I oversee / manage the user's account entirely myself. Nobody else has access, and there have been no changes to the account nor it's website nor it's applications. I can't find any reason why, out of the blue, this just started.

    Normally I would say cPRex 's response is on point - normally this is just a "hey, you have a process running longer than 1800 seconds, and it's continuing to run" - but specifically in this case, just like the OP, it is gpg-agent --homedir /home/example/.gnupg --use-standard-socket --daemon that just started running / being detected as running for no apparent reason on a single account.

    Hmmm.... coincidence? In this case I don't think so.

    0
  • Metro2

    PS - Under normal circumstances I would consider just adding this to csf.pignore:

    pexe:/usr/bin/gpg-agent

    That's something we do with processes that we don't need an alert about every hour.

    But the circumstances in this situation are unusual and need a closer look.

    In the /home/example/.gnupg folder I can see that:

    - Almost all of the files are 0 bytes

    - The /private-keys-v1.d folder is empty

    - The options file (from 2003) is populated with just all of the basic stuff commented-out with # at the beginning of each line, so it's not doing anything

    - The secring.gpg and pubring.gpg files (from 2003) are also empty

    - The S* files, all empty, were generated (or possibly updated for some odd reason) on July 22, 2024

    - The trustdb.gpg database file was updated this morning (but can't view the contents since it's binary and there is no key associated with it)

    - The cPanel > Email > Encryption center does not contain any existing keys

    This is really odd...

    0
  • cPRex Jurassic Moderator

    I can confirm that a default cPanel account does not put anything related to gnupg in the user's home directory.  We do create this directory if you have used the cPanel >> Email >> Encryption option, but that is just a one-time process that I wouldn't expect to be running very long on the account.

    0
  • Metro2

    Thanks for the response. Mystery afoot...

    When I can figure out how this could possibly happen, I will update this for the OP and others who might possibly encounter this unusual issue.

    0
  • cPRex Jurassic Moderator

    Thanks for that!  I did also check internally on my end and we don't have any reports similar to this, so I'm wondering if there's something else running on the account that could explain this.

    Maybe checking the cPanel log around the timestamp of the email could be a start?

    0

Please sign in to leave a comment.