High CPU and IO peaks logged and strange results

February 26, 2015 783 views

In the control panel of digital ocean I see a lot of spikes in my graphs.
I decided to log the spikes with a script (based on iotop), here is some output I consider strange.

Most of the spikes I could address (updateb.mlocal which indexes the server files, php5-fpm wordfence scans), but this I cant explain:

05:00:04   604 be/4 root     10041.34 K/s    0.00 K/s  0.00 %  0.02 % copy
05:00:05   604 be/4 root     20070.79 K/s    0.00 K/s  0.00 %  0.01 % copy
05:00:06   604 be/4 root     10288.18 K/s    0.00 K/s  0.00 %  0.15 % copy
05:00:07   604 be/4 root     13941.40 K/s    0.00 K/s  0.00 %  0.54 % copy
05:00:08   604 be/4 root     16920.93 K/s    0.00 K/s  0.00 %  0.40 % copy
05:00:09   604 be/4 root     20078.27 K/s    0.00 K/s  0.00 %  0.90 % copy

Is this normal?

ubuntu 14.04 32 bit
running services:
mailserver (postfix, smtp, imap, pop3)
a few wordpress websites

  • I'm not sure how to read iotop output, but what that copy on the right means?
    Have you checked for:

    mailq (mail queue)
    Database stats.
    disable any new plugin from WP that might read/write into fyle system?

    Also why are you using 32bit OS? go 64bit.

  • Hello and thanks for responding. A short explanation of the log:

    05:00:04   604 be/4 root     10041.34 K/s    0.00 K/s  0.00 %  0.02 % copy

    This means in "human language":
    => copy is the command that is running and writing 10041.34K/s (high read speed) at 5 AM in the morning.
    I find this suspicious (high usage) and now I ask myself: what is been copied and what triggered it.
    About the 32bit OS: I am not planning to use more than 4 gig of ram in my vps so I 32bit is fine for me (less memory usage). It's a good suggestion for being future proof, but I think 1GB should be sufficient for my situation.
    mailq: empty (mail is properly configured and not suffering from migrations or attacks)
    Database stats is not needed in my opinion because it all runs in the mysql user-space. The copy command is runned by root. Though my database is under more load then normally so I will look into it.
    About the wordpress plugins: I use wordfence which scans my website. This could be it, but I doubt it because it should only scan and not alter or backup files. Also it should be handled by the php5-fpm socket, which runs as user web5 and not root.

Be the first one to answer this question.