2 Replies Latest reply: Dec 2, 2012 11:37 PM by Mr. Latte
Mr. Latte Level 1 Level 1 (5 points)

Hi, my Xserve's RAID Utility is constantly rebuilding RAID1 by itself due to the Controller detected disorderly shutdown.


A deeper check of Console, I saw that my Xserve has this in the log:

DirectoryService[29]: Improper shutdown detected.


Since I have checked the option to Restart automatically if the computer "freezes", I realized that my Xserve was crashed 1-2 times a day. Then this will trigger RAID rebuild constantly. Then the crash will falsely make the raidutil or related programs to think that RAID rebuild is required.


Constant RAID rebuild can shorten the lifespan of Apple ADM and HDD life as I found that ADM and HDD become extremely hot during rebuild process.


A hacker could also exploit this weakness of RAID pitfall to increase the service load of the server.


How can I overcome this problem? Thanks.



Xserve: late 2006

OS X: 10.6.8


  • Camelot Level 8 Level 8 (46,480 points)

    A hacker could also exploit this weakness of RAID pitfall to increase the service load of the server.


    This statement makes no sense. Automatic rebuilding of a RAID mirror can hardly be called a hacker threat. It's not like a hacker is initiating the rebuild. If it bothers you, turn off automatic rebuilds, although I suspect that will lead to other problems.


    It's also a bit of a stretch to say that the RAID rebuild isn't required. I think I'd trust the OS to detect a difference in the drives (hence requiring a rebuild) more than anecdotal theory that it isn't needed.


    In any case, your real problem is that your server is crashing. The 'improper shutdown' and RAID rebuilds are an artifact of that. You need to investigate why the server is crashing and address that.


    What data is in the server logs immediately prior to the restart?

    What does sudo dmesg say?

    Is there any pattern to the restarts (such as time of day, activity levels, etc.)?

  • Mr. Latte Level 1 Level 1 (5 points)

    Hi, Camelot,

    Is there a way to accordion log files in Apple forum; they are too long but I will show them anyway.


    You are right. Normally I don't suspect hacker's attack immediately. I just meant that it could be a theoretically possible way to mess up a OS X server because I think repetitive RAID rebuild is harmful to the hardware.


    What leads me to the theory is that for the whole week, there is an unknown computer showing up in local area network. I saw him on my sidebar of the Finder with a hostname hppc. He sometimes mysteriously disappears and sometimes shows up in the midnight. I have no way of tracking him because I can only ping a known IP but I could not ping a strange hostname and hence impossible to track who the hack hppc is, not to mention trace route, whois, and nslookup. My firewall cannot show a nice history diagram of who has visited my network. I am stuck!


    I think he is doing the arp spoofing or DNS spoofing attack, a way that can sniff user passwords across the network. It irritates me very much because I trust OS X for its robust build. I don't even install any flash in my server system for security reason.


    How can my server suddenly crash for no apparent reason, which then triggers RAID rebuild? It looks like my server remain breached.


    The SMC and CR 2032 Lithium coin cell battery are fine as time and date are normal all the time. My 10.6.8 Server Admin crashes with a chance of about 10% probability, more often than 10.5.x OS X server but I think this is inherited flaw from 10.6.3.


    Per your suggestion, here is the excerpt of log file; I have removed the MAC address:



    PAE enabled

    64 bit mode enabled

    Darwin Kernel Version 10.8.0: Tue Jun  7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386

    vm_page_bootstrap: 2044359 free pages and 36409 wired pages

    standard timeslicing quantum is 10000 us

    mig_table_max_displ = 73

    AppleACPICPU: ProcessorId=0 LocalApicId=0 Enabled

    AppleACPICPU: ProcessorId=1 LocalApicId=1 Enabled

    AppleACPICPU: ProcessorId=2 LocalApicId=7 Enabled

    AppleACPICPU: ProcessorId=3 LocalApicId=6 Enabled

    AppleACPICPU: ProcessorId=4 LocalApicId=0 Disabled

    AppleACPICPU: ProcessorId=5 LocalApicId=0 Disabled

    AppleACPICPU: ProcessorId=6 LocalApicId=0 Disabled

    AppleACPICPU: ProcessorId=7 LocalApicId=0 Disabled

    calling mpo_policy_init for TMSafetyNet

    Security policy loaded: Safety net for Time Machine (TMSafetyNet)

    calling mpo_policy_init for Quarantine

    Security policy loaded: Quarantine policy (Quarantine)

    calling mpo_policy_init for Sandbox

    Security policy loaded: Seatbelt sandbox policy (Sandbox)

    Copyright (c) 1982, 1986, 1989, 1991, 1993

              The Regents of the University of California. All rights reserved.



    MAC Framework successfully initialized

    using 16384 buffer headers and 4096 cluster IO buffer headers

    IOAPIC: Version 0x20 Vectors 64:87

    ACPI: System State [S0 S3 S4 S5] (S3)

    PFM64 0xf10000000, 0xf0000000

    [ PCI configuration begin ]

    PCI configuration changed (bridge=5 device=1 cardbus=0)

    [ PCI configuration end, bridges 14 devices 28 ]

    AppleIntelCPUPowerManagement: (built 16:44:45 Jun  7 2011) initialization complete

    mbinit: done (64 MB memory set for mbuf pool)

    rooting via boot-uuid from /chosen: AAF256FD-A28F-3614-AE49-F1DD13207974

    Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict>

    com.apple.AppleFSCompressionTypeZlib kmod start

    com.apple.AppleFSCompressionTypeZlib load succeeded

    AppleIntelCPUPowerManagementClient: ready

    FireWire (OHCI) TI ID 8025 built-in now active, GUID 001d4ffffe720d48; max speed s800.

    Got boot device = IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPCI2PCIBridge/ SAS@0/AppleRAIDCard/SAS Target 50080007001E7C5D@1/IOSCSITargetDevice/IOSCSILogicalUnitNub@1/AppleRAIDCardDiskD river/IOBlockStorageServices/IOBlockStorageDriver/APPLE RAID Card Media/IOGUIDPartitionScheme/OS@2

    BSD root: disk0s2, major 14, minor 2

    ioqueue_depth = 60,   ioscale = 2

    IPv6 packet filtering initialized, default to accept, logging disabled

    AppleIntel8254XEthernet: Ethernet address

    AppleIntel8254XEthernet: Ethernet address

    systemShutdown false

    Apple16X50ACPI1: Identified Serial Port on ACPI Device=UAR1

    Apple16X50ACPI::start FOUND DB9 Property for AAPL,connector

    Apple16X50UARTSync: Detected 16550AF/C/CF FIFO=16 MaxBaud=115200

    Previous Shutdown Cause: 5

    DSMOS has arrived

    ioqueue_depth = 60,   ioscale = 2

    Ethernet [Intel8254X]: Link down on en0

    Ethernet [Intel8254x]: Link up on en0, 100-Megabit, Full-duplex, Symmetric flow-control, Debug [792d,6f08,0de1,0e00,45e1,4000]