Notes for Week 4

  1. The system log file is /var/log/messages, and security logging is done to /var/log/secure. Recent entries can be examined using "tail --lines 100 /var/log/messages". grep can be used to search the log file for recurring events of interest, such as reboots:
    grep /var/log/messages -ie 'syslogd.*restart'
    users logging in as root, or su-ing to become root:
    grep /var/log/secure -ie 'root'
    or hardware errors:
    grep /var/log/messages -ie '(device file name)'
    where "(device file name)" is, for example, hdd.
  2. The kernel is essentially a large C program. The main program is responsible for interrogating the CPU, RAM, the I/O devices, the PCI bus, the Plug and Play BIOS, etc. The root partition is then mounted read-only (so that it can be checked without corrupting it) and the init program is started. init stays running as long as the system is up, and is the ultimate "ancestor" (parent, grandparent, etc.), of every process that runs.

    The following output of the "pstree -npl" command (here on a single processor system) illustrates this:

    init(1)---ksoftirqd/0(2)
            --events/0(3)
            --khelper(4)
            --kthread(5)---kacpid(7)
                         --kblockd/0(82)
                         --pdflush(130)
                         --pdflush(131)
                         --aio/0(133)
            --khubd(85)
            --kswapd0(132)
            --kseriod(719)
            --syslogd(3233)
            --klogd(3241)
            --ntpd(3375)---ntpd(3686)
            --gpm(3388)
            --lpd(3412)
            --agetty(3416)
            --agetty(3417)
            --agetty(3418)
            --agetty(3419)
            --agetty(3420)
            --bash(3566)---startx(3575)---xinit(3588)---X(3589)
                                                      --sh(3646)---wmaker(3648)---wmaker(3649)---endeavour2(3653)
                                                                                               --xclock(3654)
                                                                                               --mozilla(3723)---run-mozilla.sh(3726)---mozilla-bin(3731)
                                                                                               --xterm(3834)---bash(3835)---pstree(3836)
    
    The numbers in parentheses are "pids" (process identifiers); every process that is running has a unique pid whose maximum value is a function of RAM size (after the pids increment to the maximum, they start over again at the lowest unused number).

    Some of the processes started by init are "daemons": programs that provide services to the operating system, its users, or network clients. Their names typically end with a "d" (although not always), and are pronounced, for instance, "k"-"event"-"d". Some of them are self-explanatory, while others are not so:

    • pdflush helps handle writing of modified disk blocks back to the filesystem from the cache;
    • kswapd does essentially the same job for virtual memory pages and the swap partition;
    • khubd handles the USB hub (built in on most motherboards);

    The daemons up to but not including syslogd are actually not separate programs, but are part of the kernel itself;

    • syslogd and klogd handle system and kernel logging (of error and status messages);
    • fcron (not running on the system displayed above) handles future job scheduling;
    • lpd is the print spooler daemon;
    • gpm is the general purpose mouse handler;
    • ntpd is the network time protocol daemon, which keeps the system clock synchronized to standard clocks on the Internet.

    The monitor and keyboard directly attached to the PC which runs Linux are the "console". By entering Alt-F1 through Alt-F6, the console "operator" (as distinguished from any user who might telnet to Linux to use the system remotely) can switch between the "virtual consoles". The agetty processes listed above issue a login prompt to each of the virtual consoles; when a user enters a login name, the agetty program exits and passes that name to the login program, which asks for and validates the password, and then starts a shell (in this case bash), which supplies the command prompt. When the user executes the logout command, the login process exits and init starts another agetty.

    The startx command is really a script which in turn runs the xinit program, which in turn runs X. X is the display "server", or driver, which switches the console to graphical mode and controls the display until X-Windows is exited. While X is running, the consoles are unavailable through the Alt-F# keys. X starts the window manager (in this case, wmaker, or WindowMaker), which controls drawing on the graphical display (windows, title bars, buttons, scroll bars, icons, etc.). There are a number of window managers available. Client programs running under the window manager include endeavour2 (a file manager), xclock, mozilla and xterm. And of course, xterm emulates a terminal (telnet) session, and so starts a bash shell under which the pstree command whose output we have been analyzing was run.

  3. The corresponding output of the "ps aux" command is
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root         1  0.0  0.1   1476   516 ?        S    09:50   0:00 init [3]  
    root         2  0.0  0.0      0     0 ?        SN   09:50   0:00 [ksoftirqd/0]
    root         3  0.0  0.0      0     0 ?        S<   09:50   0:00 [events/0]
    root         4  0.0  0.0      0     0 ?        S<   09:50   0:00 [khelper]
    root         5  0.0  0.0      0     0 ?        S<   09:50   0:00 [kthread]
    root         7  0.0  0.0      0     0 ?        S<   09:50   0:00 [kacpid]
    root        82  0.0  0.0      0     0 ?        S<   09:50   0:00 [kblockd/0]
    root        85  0.0  0.0      0     0 ?        S    09:50   0:00 [khubd]
    root       130  0.0  0.0      0     0 ?        S    09:50   0:00 [pdflush]
    root       131  0.0  0.0      0     0 ?        S    09:50   0:00 [pdflush]
    root       132  0.0  0.0      0     0 ?        S    09:50   0:00 [kswapd0]
    root       133  0.0  0.0      0     0 ?        S<   09:50   0:00 [aio/0]
    root       719  0.0  0.0      0     0 ?        S    09:50   0:00 [kseriod]
    root      3233  0.0  0.1   1520   608 ?        SNs  09:50   0:00 syslogd -m 0
    root      3241  0.0  0.2   2352  1452 ?        SNs  09:50   0:00 klogd
    root      3375  0.0  0.7   3664  3664 ?        SNLs 09:50   0:00 /usr/sbin/ntpd
    root      3388  0.0  0.0   1676   504 ?        SNs  09:50   0:00 /usr/sbin/gpm -m /dev/psaux -t ps2 
    root      3412  0.0  0.2   3344  1180 ?        SNs  09:50   0:00 lpd Waiting  
    root      3416  0.0  0.0   1476   480 tty2     Ss+  09:50   0:00 /sbin/agetty -I \033(K tty2 9600
    root      3417  0.0  0.0   1476   480 tty3     Ss+  09:50   0:00 /sbin/agetty -I \033(K tty3 9600
    root      3418  0.0  0.0   1472   480 tty4     Ss+  09:50   0:00 /sbin/agetty -I \033(K tty4 9600
    root      3419  0.0  0.0   1476   484 tty5     Ss+  09:50   0:00 /sbin/agetty -I \033(K tty5 9600
    root      3420  0.0  0.0   1472   480 tty6     Ss+  09:50   0:00 /sbin/agetty -I \033(K tty6 9600
    ken       3566  0.0  0.2   4804  1452 tty1     Ss+  09:50   0:00 -bash
    ken       3575  0.0  0.2   4760  1332 tty1     S+   09:50   0:00 /bin/sh /usr/X11R6/bin/startx
    ken       3588  0.0  0.1   2292   656 tty1     S+   09:50   0:00 xinit /home/ken/.xinitrc --
    root      3589  0.2  2.6  15604 13656 ?        S    09:50   0:08 X :0
    ken       3646  0.0  0.2   4764  1260 tty1     S    09:51   0:00 sh /home/ken/.xinitrc
    ken       3648  0.0  0.2   6896  1120 tty1     S    09:51   0:00 wmaker
    ken       3649  0.0  0.7   8000  3852 tty1     S    09:51   0:00 wmaker --for-real
    ken       3653  0.0  1.1  12480  5928 ?        Ss   09:51   0:00 endeavour2
    ken       3654  0.0  0.4   4648  2476 tty1     S    09:51   0:00 xclock -strftime %a, %b %e - %l:%M %P -g 148x32+0+568 -d
    root      3686  0.0  0.7   3664  3664 ?        SN   09:51   0:00 /usr/sbin/ntpd
    ken       3723  0.0  0.2   4768  1364 ?        Ss   09:56   0:00 /bin/sh /usr/bin/mozilla
    ken       3726  0.0  0.2   4900  1364 ?        S    09:56   0:00 /bin/sh /usr/lib/mozilla-1.7.8/run-mozilla.sh /usr/lib/m
    ken       3731  0.5  9.1 175132 46844 ?        Sl   09:56   0:14 /usr/lib/mozilla-1.7.8/mozilla-bin
    root      3834  0.0  1.0   9712  5324 ?        Rs   10:40   0:00 xterm -sb -sl 5000
    ken       3835  0.0  0.3   4928  1692 /var/dev/pts/0 Ss 10:40   0:00 bash
    ken       3839  0.0  0.1   4352   836 /var/dev/pts/0 R+ 10:40   0:00 ps aux
    
    except that the process 3836 executing the pstree command in the previous output has been replaced by the process 3839 executing the ps command whose output appears above.

    The columns are interpreted as follows:

    • USER = the login account under which the process is running;
    • PID = the process ID;
    • %CPU = the CPU time used by the process divided by the time the process has been running;
    • %MEM = the RAM used by the process divided by the total RAM available;
    • VSZ = the total virtual memory size of the process in Kb;
    • RSS = the size in Kb of the resident set (portion currently residing in RAM);
    • TTY = where text output goes (ttyn = virtual console, pts/n = xterm window)
    • STAT = process state
      R = runnable (on the run queue)
      S = sleeping
      T = traced or stopped
      W = paging
      Z = a zombie process, which has terminated but its parent has not cleaned it up properly; init will do this when the parent process exits
    • START = clock time when process started
    • TIME = CPU time used to date
    • COMMAND = process command line

    Note that there is no agetty for tty1; this is the virtual console in which all of the processes in the current interactive login session are running. Also note that both X and xterm run as root, although both were started by ken; X must run as root in order to control the display, and xterm must run as root in order to allocate pseudo-terminals (pts/n).

  4. Information about processes running on the system is kept in the /proc directory. This is really a "pseudo-filesystem": it only exists in memory. It provides a filesystem interface to kernel data. Each process has its own directory whose name is /proc/pid (i.e., the wmaker process in the example above would be located in the directory /proc/3649). In that directory are (among other things):

    • the command line used to start the process (cat /proc/pid/cmdline);
    • the current working directory of the process (ls /proc/pid/cwd);
    • the environment variables ((cat /proc/pid/environ ; echo) | tr "\000" "\n");
    • the program which is running (ls -l /proc/pid/exe);
    • the files which the process currently has open (ls -l /proc/pid/fd).

    In addition, information about the hardware and operating system can be obtained by using the cat command on:

    • /proc/bus/usb/devices
    • /proc/cmdline
    • /proc/cpuinfo
    • /proc/devices
    • /proc/dma
    • /proc/interrupts
    • /proc/iomem
    • /proc/ioports
    • /proc/meminfo
    • /proc/mounts
    • /proc/scsi/scsi
    • /proc/version
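    The following script is an added example (not part of the original notes) tying items 2 and 4 together: it walks a process's ancestry back to init by reading the PPid: field of /proc/pid/status and prints each generation's command line from /proc/pid/cmdline, converting the NUL separators the same way the environ example above does. The function names (proc_cmdline, proc_ppid, ancestry) are assumptions for this example; it requires a Linux /proc.

```shell
# Walk a process's ancestry back to init (pid 1) using only /proc.
# Output: one line per generation, "<pid> <ppid> <command line>".

proc_cmdline() {
    # /proc/<pid>/cmdline is NUL-separated; translate NULs to spaces.
    # Kernel threads (the daemons before syslogd above) have an empty
    # cmdline, so fall back to the Name: field in ps's bracketed form.
    cmd=$(tr '\000' ' ' < "/proc/$1/cmdline" 2>/dev/null)
    if [ -z "$cmd" ]; then
        cmd="[$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null)]"
    fi
    printf '%s\n' "${cmd% }"          # drop the trailing space left by the final NUL
}

proc_ppid() {
    # Parent pid as recorded by the kernel in /proc/<pid>/status.
    sed -n 's/^PPid:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null
}

ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ -r "/proc/$pid/status" ]; do
        ppid=$(proc_ppid "$pid")
        printf '%s %s %s\n' "$pid" "$ppid" "$(proc_cmdline "$pid")"
        # PPid 0 means we have reached init (or the first process of a
        # PID namespace, e.g. inside a container); stop there.
        [ "$ppid" = 0 ] && break
        pid=$ppid
    done
}

# Usage: ancestry $$    (prints the chain from the current shell up to init)
```

Running it from an xterm on the system above would reproduce the pstree branch bash, xterm, X, xinit, startx, bash, init, one line each, with the ps-style command line beside every pid.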
  5. kill can be used to send signals to processes (see the signal man page in section 7 for the meanings of the various signals). Many daemons will re-load their configuration files when they receive a SIGHUP.


©2005, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.

Please send comments or suggestions to the author.