Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

DirectoryService[29] Improper shutdown constantly triggers RAID Rebuild

Hi, my Xserve's RAID Utility is constantly rebuilding RAID1 by itself due to the Controller detected disorderly shutdown.


A deeper check of Console, I saw that my Xserve has this in the log:

DirectoryService[29]: Improper shutdown detected.


Since I have checked the option to Restart automatically if the computer "freezes", I realized that my Xserve was crashed 1-2 times a day. Then this will trigger RAID rebuild constantly. Then the crash will falsely make the raidutil or related programs to think that RAID rebuild is required.


Constant RAID rebuild can shorten the lifespan of Apple ADM and HDD life as I found that ADM and HDD become extremely hot during rebuild process.


A hacker could also exploit this weakness of RAID pitfall to increase the service load of the server.


How can I overcome this problem? Thanks.



Xserve: late 2006

OS X: 10.6.8

RAID1

Posted on Nov 26, 2012 1:11 AM

Reply
2 replies

Nov 26, 2012 9:57 AM in response to Mr. Latte

A hacker could also exploit this weakness of RAID pitfall to increase the service load of the server.


This statement makes no sense. Automatic rebuilding of a RAID mirror can hardly be called a hacker threat. It's not like a hacker is initiating the rebuild. If it bothers you, turn off automatic rebuilds, although I suspect that will lead to other problems.


It's also a bit of a stretch to say that the RAID rebuild isn't required. I think I'd trust the OS to detect a difference in the drives (hence requiring a rebuild) more than anecdotal theory that it isn't needed.


In any case, your real problem is that your server is crashing. The 'improper shutdown' and RAID rebuilds are an artifact of that. You need to investigate why the server is crashing and address that.


What data is in the server logs immediately prior to the restart?

What does sudo dmesg say?

Is there any pattern to the restarts (such as time of day, activity levels, etc.)?

Dec 2, 2012 11:37 PM in response to Camelot

Hi, Camelot,

Is there a way to accordion log files in Apple forum; they are too long but I will show them anyway.


You are right. Normally I don't suspect hacker's attack immediately. I just meant that it could be a theoretically possible way to mess up a OS X server because I think repetitive RAID rebuild is harmful to the hardware.


What leads me to the theory is that for the whole week, there is an unknown computer showing up in local area network. I saw him on my sidebar of the Finder with a hostname hppc. He sometimes mysteriously disappears and sometimes shows up in the midnight. I have no way of tracking him because I can only ping a known IP but I could not ping a strange hostname and hence impossible to track who the hack hppc is, not to mention trace route, whois, and nslookup. My firewall cannot show a nice history diagram of who has visited my network. I am stuck!


I think he is doing the arp spoofing or DNS spoofing attack, a way that can sniff user passwords across the network. It irritates me very much because I trust OS X for its robust build. I don't even install any flash in my server system for security reason.


How can my server suddenly crash for no apparent reason, which then triggers RAID rebuild? It looks like my server remain breached.


The SMC and CR 2032 Lithium coin cell battery are fine as time and date are normal all the time. My 10.6.8 Server Admin crashes with a chance of about 10% probability, more often than 10.5.x OS X server but I think this is inherited flaw from 10.6.3.


Per your suggestion, here is the excerpt of log file; I have removed the MAC address:


npvhash=4095

PAE enabled

64 bit mode enabled

Darwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386

vm_page_bootstrap: 2044359 free pages and 36409 wired pages

standard timeslicing quantum is 10000 us

mig_table_max_displ = 73

AppleACPICPU: ProcessorId=0 LocalApicId=0 Enabled

AppleACPICPU: ProcessorId=1 LocalApicId=1 Enabled

AppleACPICPU: ProcessorId=2 LocalApicId=7 Enabled

AppleACPICPU: ProcessorId=3 LocalApicId=6 Enabled

AppleACPICPU: ProcessorId=4 LocalApicId=0 Disabled

AppleACPICPU: ProcessorId=5 LocalApicId=0 Disabled

AppleACPICPU: ProcessorId=6 LocalApicId=0 Disabled

AppleACPICPU: ProcessorId=7 LocalApicId=0 Disabled

calling mpo_policy_init for TMSafetyNet

Security policy loaded: Safety net for Time Machine (TMSafetyNet)

calling mpo_policy_init for Quarantine

Security policy loaded: Quarantine policy (Quarantine)

calling mpo_policy_init for Sandbox

Security policy loaded: Seatbelt sandbox policy (Sandbox)

Copyright (c) 1982, 1986, 1989, 1991, 1993

The Regents of the University of California. All rights reserved.



MAC Framework successfully initialized

using 16384 buffer headers and 4096 cluster IO buffer headers

IOAPIC: Version 0x20 Vectors 64:87

ACPI: System State [S0 S3 S4 S5] (S3)

PFM64 0xf10000000, 0xf0000000

[ PCI configuration begin ]

PCI configuration changed (bridge=5 device=1 cardbus=0)

[ PCI configuration end, bridges 14 devices 28 ]

AppleIntelCPUPowerManagement: (built 16:44:45 Jun 7 2011) initialization complete

mbinit: done (64 MB memory set for mbuf pool)

rooting via boot-uuid from /chosen: AAF256FD-A28F-3614-AE49-F1DD13207974

Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict>

com.apple.AppleFSCompressionTypeZlib kmod start

com.apple.AppleFSCompressionTypeZlib load succeeded

AppleIntelCPUPowerManagementClient: ready

FireWire (OHCI) TI ID 8025 built-in now active, GUID 001d4ffffe720d48; max speed s800.

Got boot device = IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPCI2PCIBridge/ SAS@0/AppleRAIDCard/SAS Target 50080007001E7C5D@1/IOSCSITargetDevice/IOSCSILogicalUnitNub@1/AppleRAIDCardDiskD river/IOBlockStorageServices/IOBlockStorageDriver/APPLE RAID Card Media/IOGUIDPartitionScheme/OS@2

BSD root: disk0s2, major 14, minor 2

ioqueue_depth = 60, ioscale = 2

IPv6 packet filtering initialized, default to accept, logging disabled

AppleIntel8254XEthernet: Ethernet address

AppleIntel8254XEthernet: Ethernet address

systemShutdown false

Apple16X50ACPI1: Identified Serial Port on ACPI Device=UAR1

Apple16X50ACPI::start FOUND DB9 Property for AAPL,connector

Apple16X50UARTSync: Detected 16550AF/C/CF FIFO=16 MaxBaud=115200

Previous Shutdown Cause: 5

DSMOS has arrived

ioqueue_depth = 60, ioscale = 2

Ethernet [Intel8254X]: Link down on en0

Ethernet [Intel8254x]: Link up on en0, 100-Megabit, Full-duplex, Symmetric flow-control, Debug [792d,6f08,0de1,0e00,45e1,4000]

DirectoryService[29] Improper shutdown constantly triggers RAID Rebuild

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.