Disk space suddenly used up for no apparent reason in 20.04
I went to bed last night with about 180gb of unused space on my SSD and when I woke up got an error that my root drive was out of space. After I restarted I couldn't boot back into Ubuntu until I booted in recovery mode to delete unused packages and clear a bit of space. Here's my df -h:
And here's the disk use analyzer:
The only thing I had running when I left it was a web scraper, but it was a very small job and the whole file ended up being 87mb. Any ideas on why this happened and how to fix it?
EDIT: syslog and kern.log each seem to be taking up ~78gb when I look at each file in my var folder. Not sure why that happened though or how much of this stuff in the var folder I can just trash. I'd really like to know why they got to this size before I just delete them and forget about it.
EDIT2: Not sure if it's relevant, but the gnome-shell process is eating up about 15-40% of CPU while simply moving my mouse which I don't remember it doing in the past.
EDIT3: I peeked in the syslog and found this over and over:
May 3 00:00:31 me-ThinkPad-T480s kernel: [ 3260.559176] audit: type=1400 audit(1588478431.146:58519): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=4545 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
May 3 00:00:31 me-ThinkPad-T480s kernel: [ 3260.559236] audit: type=1400 audit(1588478431.146:58520): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/1398/cmdline" pid=4545 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 3 00:00:31 me-ThinkPad-T480s kernel: [ 3260.559243] audit: type=1400 audit(1588478431.146:58521): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=4545 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
May 3 00:00:31 me-ThinkPad-T480s kernel: [ 3260.559384] audit: type=1400 audit(1588478431.146:58522): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=4545 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
May 3 00:00:31 me-ThinkPad-T480s kernel: [ 3260.559395] audit: type=1400 audit(1588478431.146:58523): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/1420/cmdline" pid=4545 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 3 00:00:31 me-ThinkPad-T480s kernel: [ 3260.559430] audit: type=1400 audit(1588478431.146:58524): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=4545 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
I also saw a lot of other things so I have no idea how relevant this is in particular, it's hard to tell what's meaningful in these logs (and also hard to read a lot of what's happening).
Solution 1:
The snap application called Discord is the bad guy...
From the Ubuntu Software center...
All-in-one voice and text chat for gamers that's free, secure, and works on both your desktop and phone.
Snaps are confined, as such Discord may be unable to perform some of the tasks it typically does when unconfined. This may result in the system log getting spammed with apparmor errors. Granting access to the system-observe interface when in the snap will enable the features, and thus reduce the logging.
snap connect discord:system-observe
Note: granting access may be a security risk, and a privacy issue.
Note: from @mchid, see https://github.com/snapcrafters/discord/issues/23
Personally, because of the privacy and security concerns, I wouldn't use Discord. I'd remove it from my system. Any snap app that needs access outside of its sandboxed environment to perform its actions are very suspect... especially ones that have code to figure out what other apps you're running at the same time as Discord.
Then delete the large syslog and kern.log files.