I've noticed this on three different machines, three different architectures (x86, sparc, mips), and really don't know what is causing it. It used to appear on my x86 machine, or rather, it sometimes is there, and sometimes isn't there. Maybe init gets rid of it after awhile, I dunno, anyways, here's some sample output. -- x86 -- root 9029 0.0 0.2 1604 644 ? S 04:48 0:00 /usr/sbin/syslog-ng root 9030 0.0 0.0 0 0 pts/1 Z 04:48 0:00 [sh] <defunct> -- sparc -- root 906 0.0 0.2 1904 760 ? S Jan29 0:00 /usr/sbin/syslog-ng root 907 0.0 0.0 0 0 ? Z Jan29 0:00 [sh] <defunct> -- mips -- root 991 0.0 0.2 2876 704 ? SN Jan26 0:00 /usr/sbin/syslog-ng root 992 0.0 0.0 0 0 ? ZN Jan26 0:00 [sh] <defunct> I'm using the configuration provided in the Gentoo Security Guide, Code Listing 3.11, and it appears this zombie starts up immediately after syslog-ng starts up. All three machines are running syslog-ng-1.5.24-r1 (I have seen this behaviour on earlier syslog-ng versions too), x86 runs linux-2.4.20-xfs, sparc runs vanilla linux-2.4.20, mips runs modified (debian patch) linux-2.4.19. Not sure what other information I can give here. If anything else is requested, holler. This really isn't a major issue, but a zombie is a zombie, the dead deserve to stay dead, not roaming the system, eating up slots on a "ps x" output :P
When you see this again, please capture the output of "ps ax --forest" and post the output here. Thanks.
The Zombie process has disappeared on my x86 Box, but below are outputs from my sparc and mips boxes running gentoo. --sparc PID TTY STAT TIME COMMAND 1 ? S 0:03 init [3] --init 2 ? SW 0:00 [keventd] 3 ? SWN 0:00 [ksoftirqd_CPU0] 4 ? SW 0:11 [kswapd] 5 ? SW 0:00 [bdflush] 6 ? SW 0:00 [kupdated] 7 ? SW 0:00 [khubd] 8 ? SW 0:00 [kjournald] 32 ? S 0:00 /sbin/devfsd /dev 86 ? SW 0:00 [kjournald] 87 ? SW 0:03 [kjournald] 88 ? SW 0:01 [kjournald] 89 ? SW 0:00 [kjournald] 90 ? SW 0:00 [kjournald] 916 ? S 0:00 /usr/sbin/syslog-ng 917 ? Z 0:00 \_ [sh] <defunct> 922 ? SL 0:00 /usr/bin/ntpd -p /var/run/ntpd.pid 963 ? S 0:00 /usr/sbin/smbd 965 ? S 0:09 /usr/sbin/nmbd 971 ? S 0:00 \_ /usr/sbin/nmbd 1006 ? S 0:00 /usr/sbin/sshd 7814 ? S 0:24 \_ /usr/sbin/sshd 7816 pts/0 S 0:01 \_ -bash 5604 pts/0 R 0:00 \_ ps ax --forest 1044 ? S 0:00 /usr/sbin/cron 1055 tts/0 S 0:00 /sbin/agetty 38400 ttyS0 vt100 1056 vc/1 S 0:00 /sbin/agetty 38400 tty1 linux 1057 vc/2 S 0:00 /sbin/agetty 38400 tty2 linux 1058 vc/3 S 0:00 /sbin/agetty 38400 tty3 linux 1059 vc/4 S 0:00 /sbin/agetty 38400 tty4 linux 1060 vc/5 S 0:00 /sbin/agetty 38400 tty5 linux 1061 vc/6 S 0:00 /sbin/agetty 38400 tty6 linux 20984 ? S 0:00 /usr/sbin/apache -D GZIP -D PHP4 20986 ? S 0:00 \_ /usr/sbin/apache -D GZIP -D PHP4 20987 ? S 0:00 \_ /usr/sbin/apache -D GZIP -D PHP4 20988 ? S 0:00 \_ /usr/sbin/apache -D GZIP -D PHP4 20989 ? S 0:00 \_ /usr/sbin/apache -D GZIP -D PHP4 20990 ? S 0:00 \_ /usr/sbin/apache -D GZIP -D PHP4 20991 ? S 0:00 \_ /usr/sbin/apache -D GZIP -D PHP4 20992 ? S 0:00 \_ /usr/sbin/apache -D GZIP -D PHP4 --mips PID TTY STAT TIME COMMAND 1 ? S 0:04 init [3] 2 ? SW 0:00 [keventd] 3 ? SWN 0:00 [ksoftirqd_CPU0] 4 ? SW 0:01 [kswapd] 5 ? SW 0:00 [bdflush] 6 ? SW 0:00 [kupdated] 7 ? SW 0:00 [kjournald] 32 ? S 0:00 /sbin/devfsd /dev 375 ? SW 0:00 [kjournald] 376 ? SW 0:03 [kjournald] 377 ? SW 0:00 [kjournald] 378 ? SW 0:02 [kjournald] 379 ? SW 0:00 [kjournald] 1039 ? S 0:00 /usr/sbin/sshd 1095 ? S 1:15 \_ /usr/sbin/sshd 1097 pts/0 S 0:03 \_ -bash 29777 pts/0 R 0:00 \_ ps ax --forest 1088 tts/0 S 0:00 /sbin/agetty 38400 ttyS0 vt100 1089 vc/1 S 0:00 /sbin/agetty 38400 tty1 linux 1090 vc/2 S 0:00 /sbin/agetty 38400 tty2 linux 1091 vc/3 S 0:00 /sbin/agetty 38400 tty3 linux 1092 vc/4 S 0:00 /sbin/agetty 38400 tty4 linux 1093 vc/5 S 0:00 /sbin/agetty 38400 tty5 linux 1094 vc/6 S 0:00 /sbin/agetty 38400 tty6 linux 13537 ? S 0:01 /usr/sbin/smbd 13539 ? S 0:15 /usr/sbin/nmbd 13541 ? S 0:00 \_ /usr/sbin/nmbd 13680 ? SL 0:01 /usr/bin/ntpd -p /var/run/ntpd.pid 13860 ? S 0:00 /usr/sbin/syslog-ng 13861 pts/0 Z 0:00 \_ [sh] <defunct> 13894 ? S 0:01 /usr/sbin/cron 29778 ? S 0:00 \_ /USR/SBIN/CRON 29779 ? R 0:00 \_ /USR/SBIN/CRON Obviously, this defunct process is coming from syslog-ng. As to what causes it, no clue.
Kumba12345@aol.com, please post your /etc/syslog-ng/syslog-ng.conf
The syslog-ng conf file I use is the one from the Gentoo Security Guide, copied verbatim. http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap3, code segment 3.11.
what does /usr/bin/email.sh look like on your machine? ;-)
Actually, none of my systems have email.sh. If this is the cause, shouldn't it print a warning or fail quietly rather than spawn a zombie?
I think the example syslog listed on the web page is non-optimal. Try commenting out all the line that refer to mailprog. I run a much more simple syslog-ng.conf here and there are no zombies to be seen.
That looks like it does it. Should this be referenced to the document maintainer so they can remove that line to avoid any further oddities like this? Otherwise, I think this bug can be closed.
Reassigning to doc team to fix the Gentoo Security Guide
I've removed the 2 lines in the syslog-ng.conf referring to mailprog and email.sh, since nowhere in the document these tools/files are described. I cannot find them either in Portage (or not at first sight anyway). Committed into cvs.