Linux Internals

Throughout the course there are sections that were compiled in conjunction with Sebastian Spitzner.

After training Unix and Linux for many years he feels that this method of lecturing is the most approachable way of explaining the lower level information without becoming too entrenched in the "nitty-gritty" details, like knowing the hex addresses in memory where the kernel keeps its various data structures, which is of little practical use.

The US government passed a decree imposing a restraint of trade against AT&T. The company was not permitted to make money from non-telecommunications business.

This is significant, because until 1982 (when the US Government finally broke up the AT&T telecommunications monopoly into smaller companies), AT&T could not sell operating systems, i.e. UNIX, for profit.

This had a great impact on the distribution of Unix as you will see throughout the rest of the History section, as AT&T chose to use the product internally first, and then distributed it to computer research institutions such as Universities.

The Multiplexed Time Sharing and Computing System or MULTICS project was a joint attempt by General Electric (GE), AT&T Bell Labs and the Massachusetts Institute of Technology (MIT) at developing a stable multiuser operating system

The aim is to create an operating system that could support a lot of simultaneous users (thousands!).

Multics stands for Multiplexed Information and Computer service.

The people involved in the project at this time are Ken Thompson, Dennis Ritchie, Joseph Ossanna, Stuart Feldman, Doug McIIroy and Bob Morris.

Although a very simple version of MULTICS could now run on a GE645 computer, it could only support 3 people and therefore the original goals of this operating system had not been met, the research and development is just so expensive and Bell Labs withdraws their sponsorship. This meant that the other interested parties could not afford to carry the project on their own and so they also withdrew.

Dennis Ritchie and Ken Thompson now decide to continue this project on their own.

Ken Thompson Dennis Ritchie wrote a Space Travel Game that was actually a serious scientific astronomical simulation program. However the game was a disaster as the spaceship was hard to maneuver and used a lot of resources to run.

After developing the Space Travel Program they had learnt a lot more. With Canaday involved as well they were able to create the design for a new file system, which they built on PDP-7, called UNICS (Uniplexed Information and Computing Service), and this later became UNIX.

A note to UNIX traditionalists: We use the spelling "Unix" rather than "UNIX" in this course only for the sake of readability.

They attempted using a Fortran program to further develop Unix, but they found that it was not what they were looking for and so they turned to BCPL (Basic Combined Programming Language).

B was developed from BCPL and it was the first high-level language to be used on Unix with a PDP11/20.

Lets draw a diagram of three different machines and then lets take a look at why developing in assembler is not always the best idea:

Figure 1.2. Relationship between hardware, assembler and a compiler

So, if writing a program for a PDP-7 and using assembler, when wanting to move the program to a PDP-11 you would have to rewrite the entire assembler program, this time to suit the machine and hardware type for a PDP-11.

To remedy this, developers invented compilers for application programming tools. In other words if using Pascal to develop, the Pascal compiler for a PDP-7 would translate your program into assembly program and then assembler code for a PDP-7.

If wanting to port that program to a PDP-11, then get the Pascal compiler for a PDP-11 and recompile the original program on the PDP-11. It will then work as above.

This explains why the higher-level languages started being used, such as Pascal, Fortran etcetera. They are there to provide libraries between program and assembler. A compiler would be needed for each specific machine.

These days a compiler automatically generates the assembler code.

Figure 1.3. Dennis Richie and Ken Thompson working on a PDP-11.

So, the first Unix was written in the Assembler program of a PDP-7 machine, as we have now discussed though this is not going to make it easily portable to another type of architecture.

At this stage and because of the success of Unix Bell Labs now chooses to re-sponsor the project.

B is still considered too slow, so the team worked to develop Unix in a faster development program called New B or NB. They could now also afford to upgrade to a later model of the PDP range called a PDP11/45.

The C Programming language was developed in 1972 as a result of Ken Thompson and his team wanting to have a language to write Unix in. Although Ken Thompson worked with C initially eventually they needed more functionality which Dennis Ritchie then added.

It is also at this time that Unix "pipes" are also now developed, and this is seen as a milestone because of the power it added to the system ^[1]

Unix now had its own language and philosophy. Its power was generated by stringing programs together not by any one individual program.

A quote from "A quarter Century of Unix" by P Salus" states:

More and more requests are coming in to AT&T to allow other companies and users to use the Unix system.

At this stage Unix is firmly entrenched at Universities and Colleges and AT&T refusing to supply bug-fixes and support on the system forced users to work together. (The start of Unix User Groups.)

Unix had been sold as a text processing system at AT&T internally and here the developers and users were the same community and therefore got direct feedback for new product and for bugs etcetera, Support was right there in same company, maybe even on the same office floor.

By using research organizations at Universities the bright varsity students got sucked up into this type of company after their studying, this was beneficial to research organizations and they continued to give the system to students.

Unix is still used these days used to teach students computer science.

The US patent office held the rights at this stage.

There are now 500 installations throughout the United States, mainly at Universities.

After 1974 military and commercial enterprises started demanding licenses to use Unix and AT&T decided to close the source and supply only binary distributions.

Berkley UCB did a lot of development on DARPA TCP/IP (bright brains for a good price), and the students also started adding on various other utilities, ultimately deciding to write Unix from scratch. (BSD Unix)

BSD3 utilities are available in System V Unix, when installing the operating system you should be asked if you would like to install the BSD Utilities, they will be installed into the /usr/ucb directory.

Unix, is able to be ported to an IBM 360, an Interdata 7/32 and an Interdata 8/32 proving that Unix is portable to systems other than those manufactured by DEC.

1978 "The C Programming Language" by Ritchie is published.

1978 Bill Joy creates "the "vi" editor a full screen editor, and at the same time he sees the need "to optimize the code for several different types of terminals, he decided to consolidate screen management by using an interpreter to redraw the screen. The interpreter was driven by the terminal's characteristics - termcap was born,". P Sulcas

All other Unixs' branch from these two variants of the Unix code, AT&T Unix and BSD Unix. (See timeline below).

The release of AT&T Version 7 was the start of many of the Unix ports, the 32 bit ports and a product called Xenix, (an SCO and Microsoft joint product, and the fist Unix port that could run on an 8086 chip).

By 1980, AT&T found that the operating system was a viable option for commercial development. Microprocessors were becoming very popular, and many other companies were allowed to license UNIX from AT&T. These companies ported UNIX to their machines. The simplicity and clarity of UNIX tempted many developers to enhance the product with their own improvements, which resulted in several varieties of UNIX.

From 1977 to 1982, Bell Labs combined features from the AT&T versions of UNIX into a single system called UNIX System 3.

Bell Labs then enhanced System 3 into System 4, a system that was only used internally at Bell Labs.

After further enhancements, System V was released and in 1983, AT&T officially announced their support for System V.

1982 Sun developed the Sparc processor, licensed BSD Unix called it SUN OS.

1983/4 Then licensed AT&T System V, made their changes and called that version Solaris. There is a lot of cross coding and an interesting note is that if though if doing the "uname" (uname is a command that supplies details of the current operating system for your interest) command on Solaris the report says SunOS is the operating system.

1985 - Some quotable quotes - "Xenix is the operating system future" and "640 KB memory is enough for anyone"

In 1989, AT&T organized that System V, SUNOS, XENIX, and Berkeley 4xBSD were combined into one product called System V Release 4.0. This new product was created to ensure that there was one version of UNIX that would work on any machine available at that time.

The different versions of UNIX prompted AT&T to form a UNIX International Consortium. The aim of this consortium was to improve the marketing of UNIX, since the market was starting to demand clarity on standardizing the product.

By 1992, UNIX was readily available on an Intel platform, providing mainframe-type processing power on a PC. This made UNIX appealing to the end-user market.

Source code has changed hands a few times:

	Note
	Besides licensing Unix System V to vendors, Novell marketed its own flavor of Unix to the consumer market, called UnixWare. When Novell sold the Unix business to SCO, it transferred the Unix trademark to X/Open Company Ltd. now the Open Group www.opengroup.org SCO inherited UnixWare 2 from Novell and continued selling it under the SCO brand.

Mid 90s FreeBSD bore two spin-offs (known as source code forks) [this happens when certain people decide to take OS development in different direction]. NetBSD and Open BSD all three derivatives are currently maintained today.

There are commercial derivatives of BSD the most popular is BSDi

The only way that you can get a Unix system to do anything is through system calls, which are a part of the kernel.

This is the API to the kernel, the kernel has approximately 250 system calls that do different things and only binary programs can call these, including the libraries, which are just centralized repositories of binary code

A Unix kernel fulfills 4 main management tasks:

The kernel exists as a physical file on the file system in Linux it is /boot directory and is usually called vmlinux (uncompressed version), vmlinuz (compressed version), or similar filenames commonly with a kernel version number at the end.

For example;

/boot/vmlinuz-2.4.18-22
            

At system boot time RAM only contains the boot loader, consuming a few kilobytes at the beginning of memory.

Figure 1.9. Bootloader in memory

The boot loader loads the kernel binary into memory from the hard disk, and places it at the beginning of memory.

Figure 1.10. Kernel loaded into memory

Once the kernel has been read in the boot loader tells the CPU to execute it by issuing a JMP (Jump) instruction. The kernel now begins to execute

To better understand what the system is doing and how it is doing it is good to visualize what is happening where in memory, remembering that all work on the system is performed in memory (see the section called “Assembler/ compilers / hardware architecture ”).

Memory is divided into two areas, kernel memory and user memory

Figure 1.11. Kernel memory and User Memory

Figure 1.12. Kernel Memory, table and buffer cache allocations

Memory management is dealt with in more detail in Chapter 5.

Let's look at the process of booting up the machine from the time that it is switched on.

The BIOS does a Hardware Check and then proceeds to read the boot information on floppy, hard disk or CD-ROM as defined.

There are two popular boot loaders available, the first is LILO (Linux Loader) and the second is GRUB (Grand Unified Boot loader).

They are both two-stage boot loaders and will generally be installed on the small part of the hard disk that used to be called the masterboot record (MBR) in the old days.

Once the boot information is found (if found on floppy the process for loading the second boot and the kernel is slightly different) the first part of the boot loader is loaded into RAM and then it jumps into that part of RAM and proceeds' to execute the code and loads the second part of the boot loader.

A map of available operating systems is read from the disk and it is at this time that the user is presented with an opportunity to choose the operating system to use, if there is no response from the user, the boot loader will start the default operating system.

Assuming that LILO is the boot loader program that we have installed in this case, it displays Loading Linux on the screen, copies the kernel image and set-up code into memory and then starts to perform the set-up code.

Once Linux is initialized, the BIOS is no longer important to most of the rest of the boot process as Linux initializes the hardware in its own manner.

A runlevel is a software configuration of the system which allows only a selected group of processes to exist. The processes spawned by init for each of these runlevels are defined in the /etc/inittab file. Init can be in one of eight runlevels: 0-6 and S or s. The runlevel is changed by having a privileged user run telinit, which sends appropriate signals to init, telling it which runlevel to change to.

Runlevels 0, 1, and 6 are reserved. Runlevel 0 is used to halt the system, runlevel 6 is used to reboot the system, and runlevel 1 is used to get the system down into single user mode. Runlevel S is not really meant to be used directly, but more for the scripts that are executed when entering runlevel 1. For more information on this, see the manpages for shutdown(8) and inittab(5).

Runlevels 7-9 are also valid, though not really documented. This is because "traditional" Unix variants don't use them. In case you're curious, runlevels S and s are in fact the same. Internally they are aliases for the same runlevel.

After init is invoked as the last step of the kernel boot sequence, it looks for the file /etc/inittab to see if there is an entry of the type initdefault (see inittab(5)). The initdefault entry determines the initial runlevel of the system. If there is no such entry (or no /etc/inittab at all), a runlevel must be entered at the system console.

Runlevel S or s bring the system to single user mode and do not require an /etc/inittab file. In single user mode, a root shell is opened on /dev/console. ONLY When entering single user mode, init reads the console's ioctl(2) states from /etc/ioctl.save. If this file does not exist, init initializes the line at 9600 baud and with CLOCAL settings.

When init leaves single user mode, it stores the console's ioctl settings in this file so it can re-use them for the next single-user session.

When entering a multi-user mode for the first time, init performs the boot and bootwait entries to allow file systems to be mounted before users can log in. Then all entries matching the runlevel are processed.

After it has spawned all of the processes specified in /etc/inittab, init waits for one of its descendant processes to die, a powerfail signal, or until it is signaled by telinit to change the system's runlevel.

When one of the above three conditions occurs, it re-examines the /etc/inittab file.

New entries can be added to this file at any time. However, init still waits for one of the above three conditions to occur. To provide for an instantaneous response, the telinit Q or q command can wake up init to re-examine the /etc/inittab file.

When init is requested to change the runlevel, it sends the warning signal SIGTERM to all processes that are undefined in the new runlevel. It then waits 5 seconds before forcibly terminating these processes via the SIGKILL signal.

Note that init assumes that all these processes (and their descendants) remain in the same process group which init originally created for them. If any process changes its process group affiliation it will not receive these signals. Such processes need to be terminated separately.

/sbin/telinit is linked to /sbin/init. It takes a one-character argument and signals init to perform the appropriate action. The following arguments serve as directives to telinit:

0,1,2,3,4,5 or 6 -- tell init to switch to the specified run level.

a,b,c -- tell init to process only those /etc/inittab file entries having runlevel a,b or c.

Q or q -- tell init to re-examine the /etc/inittab file.

S or s -- tell init to switch to single user mode.

U or u -- tell init to re-execute itself (preserving the state). No re-examining of /etc/inittab file happens. Run level should be one of Ss12345, otherwise request would be silently ignored.

It is possible to pass a number of flags to init from the boot monitor (e.g. LILO).

Init accepts the following flags:

Init listens on a fifo in /dev, /dev/initctl, for messages. Telinit uses this to communicate with init. The interface is not very well documented or finished. Those interested should study the initreq.h file in the src/ subdirectory of the init source code tar archive.

Init reacts to several signals:

Examples of programs for specified run level taken from the /etc/inittab file:

id:3:initdefault:
            

By default the system must boot to run-level 3.

Sysinit:

si::sysinit:/etc/init.d/rcS
            

The run-level specified here is single-user mode and once reached it calls the "sysinit", which runs all the scripts in /etc/init.d/rcS.

As defined in Debian as /etc/init.d/rcS which then runs all the /etc/rcS.d/S* scripts and then symlinks to /etc/init.d/* and /etc/rc.boot/* (depreciated)

A typical /etc/rc3.d/ directory

3:3:wait:/etc/init.d/rc 3 
            

When changing run levels to run level 3 or down from run level 3, use the scripts just once in the directory file /etc/init.d/rc 3. The scripts starting with an S* (Start) are used at bootup time and the scripts starting with a K* (Kill) are used at shutdown time.

Below are some of the files that would be in this directory /etc/rc3.d:

Each time a process terminates, init records the fact and the reason it died in /var/run/utmp and /var/log/wtmp, provided that these files exist. (See full desciption on Processes Chapter 6).

The file /etc/inittab contains the background programs that used to keep the system running. One of these programs is one getty process per serial port.

co:2345:respawn:/sbin/getty ttyS0 CON9600 vt102 respawn
            

Re-run the program if it dies. We want this to happen so that a new login prompt will appear when you log out of the console.

/sbin/getty ttyS0 CON9600 vt102 
            

In this case, we're telling the program called getty to connect to /dev/ttyS0 using the settings for CON9600.

This is a line that exists in /etc/gettydefs. This entry represents a terminal running at 9600bps.

The terminal is a later-model VT102 (later than vt100).

The getty program lives in /sbin and is used by /etc/inittab to call the /etc/gettydefs file as follows:

Define co in gettydefs:

# Serial console 9600, 8, N, 1, CTS/RTS flow control
co# B9600 CS8 -PARENB -ISTRIP CRTSCTS HUPCL # B9600 
SANE CS8 -PARENB -ISTRIP CRTSCTS HUPCL #@S @L login: #co
            

This means that the console is a serial console running at 9600 baud rate, 8 bits, No parity, 1 stop bit and carrier and receive flow control set up.

If the line does not manage to handshake then it refers to the end of line label of where to try next, in the case above it is looking at "co" again.

If you check the man pages you can find out all the labels that you can use in a gettydefs, definition.

As long as you define each label in the inittab correctly and then follow it up with a corresponding entry in the gettydefs file you can redefine any handshake between, terminals, consoles, printers and any other serial devices.

Each configuration line has the syntax:

<label>#<initial_flags>#<final_flags>#<login_prompt>#<next_label>
            

The <label> is referred to on the getty command line.

The <next_label> is the definition used if a RS-232 Break is sent. As the console is always 9600bps, this points back to the original label.

<initial_flags> are the serial line parameters used by getty.

<final_flags> are the serial line parameters set by getty before it calls login. You will usually want to set a 9600bps line, SANE terminal handling, eight data bits, no parity and to hang up the modem when the login session is finished.

The <login_prompt> for serial lines is traditionally the name of the machine, followed by the serial port, followed by login: and a space. The macro that inserts the name of the machine and the serial port may vary.

Dialling in from a modem

When using a modem, you will have top investigate and ultimately use the uugetty program. This program does file lock checking.

Modem entries in /etc/gettydefs

38400# B38400 CS8 # B38400 SANE -ISTRIP HUPCL #@S @L @B login: #19200 19200# B19200 CS8 # B19200 SANE -ISTRIP HUPCL #@S @L @B login: #9600 9600# B9600 CS8 # B9600 SANE -ISTRIP HUPCL #@S @L @B login: #2400 2400# B2400 CS8 # B2400 SANE -ISTRIP HUPCL #@S @L @B login: #1200 1200# B1200 CS8 # B1200 SANE -ISTRIP HUPCL #@S @L @B login: #300 300# B300 CS8 # B300 SANE -ISTRIP HUPCL #@S @L @B login: #38400

Add the following line to your /etc/inittab, so that uugetty is run on your serial port (use the information pertaining to your environment):

1:456:respawn:/sbin/uugetty ttyS1 F38400 vt100

The first lines in the preceding extract are typical for the system console. They set many initial and final flags that control how the console behaves.

console# B19200 OPOST ONLCR TAB3 BRKINT IGNPAR ISTRIP IXON IXANY PARENB ECHO ECHOE ECHOK ICANON ISIG CS8 CREAD # B19200 OPOST ONLCR TAB3 BRKINT IGNPAR ISTRIP IXON IXANY PARENB ECHO ECHOE ECHOK ICANON ISIG CS8 CREAD #Console Login: #console

	Note
	This entry would be one line in the /etc/gettydefs file, but because of display and printing issues we have entered linebreaks.

Xconn bound to screen 11
                

setenv DISPLAY remotename:11
                

DISPLAY=remotename:11

export DISPLAY
                

Terminfo (formerly Termcap) is a database of terminal capabilities and more.

For every (well almost) model of terminal it tells application programs what the terminal is capable of doing. It tells what escape sequences (or control characters) to send to the terminal in order to do things such as move the cursor to a new location, erase part of the screen, scroll the screen, change modes, change appearance (colours, brightness, blinking, underlining, reverse video etc.). After about 1980, many terminals supported over a hundred different commands (some of which take numeric parameters).

One way in which terminfo gives the its information to an application program is via the "ncurses" functions that a programmer may put into a C program. Some programs get info directly from a terminfo files without using ncurses.

Included in the terminfo are often a couple of initialisation strings, which may change the appearance of the screen, change what mode the terminal is in, and/or make the terminal emulate another terminal.

However this is not done automatically, one might expect that the getty program should do this but if it did, one could make a change to the set-up at the terminal and this change wouldn't be happen because the init string would automatically cancel it.

To force an intialisation you will use commands given on the command line (or in a shell script such as /etc/profile) to send the init strings - "tset", "tput init", or "setterm -initialise".

Sometimes there is no need to send the init strings since the terminal may set itself up correctly when it is powered on (using options/preferences one has set up and saved in the non-volatile memory of the terminal). Most dumb terminals have an entire setup sequence sort of like the CMOS of a PC, and it is here that you can set the hardware side of the handshake.

For the Debian Distribution of Linux, several commonly used terminals (including the monitor-console) are in the ncurses-term package. These are put into /etc/terminfo/. All of the terminals in the database are in the ncurses-bin package and go into /usr/share/terminfo/.

See the man pages: terminfo(5) or termcap(5) for the format required to create (or modify) the source files.

The data in the source files is compiled with the "tic" program (Also capable of converting between termcap source format and terminfo format).

The installation program which was used to install Linux probably installed the compiled files on your hard disk so you don't need to compile anything unless you modify /etc/termcap (or terminfo.src ).

"tic" will automatically install the resulting compiled files into a terminfo directory ready to be used by application programs.

In order to save disk space, one may delete all of the terminfo database except for the terminals types that you have (or might need in the future). Don't delete any of the termcaps for a "Linux terminal" (the console) or the xterm ones if you use X Window. The terminal type "dumb" may be needed when an application program can't figure out what type of terminal you are using. It would save disk space if install programs only installed the terminfo for the terminals that you have and if you could get a termcap for a newly installed terminal over the Internet in a few seconds.

We have discussed the environment variables prior to this course. The Environment variable TERM should be set to the name of terminal you are using.

This name must be in the Terminfo data base.

Type "set" at the command line to see what TERM is set to (or type: tset -q).

At a console (monitor) TERM is set to "linux" which is the PC monitor emulating a fictitious terminal model named "linux". Since "linux" is close to a vt100 terminal and many text terminals are also, the "linux" designation will sometimes work as a temporary expedient with a text terminal.

If more than one type of terminal may be connected to the same port (/dev/tty...) then TERM needs to be set each time someone connects to the serial port. There is often a query escape sequence so that the computer may ask the terminal what type it is. Another way is to ask the user to type in (or select) the type of terminal s/he is using.

You may need to use tset for this or write a short shell script to handle this.

The .profile login script is executed and contains within it the following statement: eval `tset -s ?vt100`. The user is then asked if they are using a vt100 and either responds yes or types in the actual terminal type they are using. Then tset sends the init string and sets TERM to this terminal name (type).

	Note
	Terminal emulation and the gettydefs file layout always remind me how flexible a Unix derived system actually is. You can change anything you want or need to change to make things work and these sections are a good portrayal of that fact.

There are warnings as well, no system this powerful can be changed with no thought as to how the change may affect other sections of the operating system, as you can see they are linked and intricately so.

There are 6 virtual terminals in Linux, available by using Alt-F1 through Alt-F6.

There are normally 6 terminals available in X also, F7 through F12. If an X session is started from F1 and you also have an active session on F2, you can type Ctrl-Alt-F2 to go from the X session to the virtual console on F2. Also to get back to your X session, you can type Ctrl-Alt-F7.

The above paragraph assumes that your terminals are set up in the standard manner with 6 virtual terminals available, all that spawn the getty program.

Check the /etc/inittab file for the following lines:

1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
            

	Note
	mingetty and fbgetty are used most often on the consoles for Linux (as long as you are not using a real text terminal). (See fbgetty).

Each virtual terminal uses approx 8KB of kernel memory. As per performance tuning examples allocate fewer virtual terminals if this amount of kernel memory is affecting the performance. (see table below, "off" instead of "respawn")

1:2345:respawn:/sbin/mingetty tty1
2:2345:off:/sbin/mingetty tty2
3:2345:off:/sbin/mingetty tty3
4:2345:off:/sbin/mingetty tty4
5:2345:off:/sbin/mingetty tty5
6:2345:off:/sbin/mingetty tty6
            

When the screen goes "insane" say after you read a binary file with the command "cat" e.g. /etc/wtmp.

$ reset
            

As you type the word reset you may not be able to see it on your screen, just continue typing though and enter. (We used to use "J stty sane ^J" for serial terminals in the old days.)

The gettys used for:

So the kernel itself is a process manager, what does that mean to the user running a command in the Applications layer and wanting a result immediately displayed on the terminal screen.

Executing a program in userland or user-mode does not mean that the program can access the kernel in any way. If the program is executed in kernel mode there are no restrictions to the kernel.

We have already discussed how each CPU has its own instruction set to switch from User to Kernel modes and then to return from kernel to user mode.

A user executing a request will only need to access kernel mode if the requested service is a kernel provided service. It accesses the kernel service through something called a system call (mentioned in Fundamentals course)

A user wants to access a regular file or a directory file, the user is issuing a command (Application Layer or Standard Library of Utilities Layer), but in order to get the information required the hard disk is going to have to be accessed, and the hard disk is defined as a block device. Therefore it has a block device file in /dev and has to be accesses through the kernel.

PREVIOUS EXPLANATION (Fundamentals): "The procedures in the Standard Library are called, and these procedures ensure that a trap instruction switches from User mode into Kernel mode and that the kernel then gets the control to perform the work requested of it."

Let's look at some of the relevant system calls (Standard Library of Procedures) that would have to take place: switch()

PREVIOUS EXPLANATION (Fundamentals): "Once the kernel has performed the task, it will return a successful or a failure status and then instigates a return from the trap instruction back into user mode. exit()

In the case of the exit() system call we would hope that the brackets would contain a zero (0) to represent a successful completion of a process.

When you type in a command line to the shell, the shell parses your input in a certain way. Let's take a look at how the shell does this, say you type in a few arbitrary words as follows:

$ one space three four
            

The shell will parse this line into separate fields where each field is separated by an IFS or Internal Field Separator character, which is by default set to whitespace (any combination of spaces and/or tabs.)

Refer to the next diagram.

Figure 4.2. Separate fields are interpreted by the shell

In a simple command line (no pipes) the shell will regard the first field as the name of a command to run.^[2]

All the remaining fields are seen as command line arguments to pass to that command. The shell determines whether it knows the command as a built-in, or an external program on the disk, as found in the first matching directory in the PATH variable.

If the command is a shell built-in, the shell just runs a function within its existing program in memory, with the same name as the built-in command, and passes the arguments from the command line as arguments to the function.

If the command is an external program on the disk (binary or shell script,) the shell will perform an exec() system call, and specify the path to the program and the command line arguments, in the parenthesis of the exec() system call. For example if you type the following command at the shell prompt

$ ls -al
            

the shell will run code similar to the following:

execle("/bin/ls", "ls", "-al", "TERM=linux,LOGNAME=joe, ") 
            

As you can see the shell has simply given you access to the kernels exec() system call.

The creation of a process, through the exec() system call, is always performed through an existing process. The kernel keeps track of which process created another. You can use "ps" to show the kernels process table, or excerpts thereof, to determine a process' process ID (PID) and parent process ID (PPID.)

If you run the following command

linux:/ # ps -f
UID        PID  PPID  C STIME TTY          TIME CMD
root      4421  4411  0 15:49 pts/7    00:00:00 su
root      4422  4421  0 15:49 pts/7    00:00:00 bash
root      4429  4422  0 15:50 pts/7    00:00:00 ps -f

            

You will see all the processes started in your current login session. This is just a small excerpt from the kernels entire process table. Look at the PPID column of the ps command that you ran above. Can you see that the PPID of ps is the same as the PID of your shell process (we'll assume "bash")?

Now make a note of that shell's PPID. Let's try and find its parent (I assuming that you are in your login shell and that you have not started any sub-shells by hand.) Now run the following command:

$ ps -ef | less
F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
0 S     0     1     0  0  75   0 -   155 schedu ?        00:00:04 init
0 S     0     2     1  0  75   0 -     0 contex ?        00:00:00 keventd
0 S     0     3     1  0  94  19 -     0 ksofti ?        00:00:00 ksoftirqd_CPU0
0 S     0     4     1  0  85   0 -     0 kswapd ?        00:00:00 kswapd
0 S     0     5     1  0  85   0 -     0 bdflus ?        00:00:00 bdflush
0 S     0     6     1  0  75   0 -     0 schedu ?        00:00:00 kupdated
0 S     0     7     1  0  85   0 -     0 kinode ?        00:00:00 kinoded
0 S     0     8     1  0  85   0 -     0 md_thr ?        00:00:00 mdrecoveryd
0 S     0    11     1  0  75   0 -     0 schedu ?        00:00:00 kreiserfsd
0 S     0   386     1  0  60 -20 -     0 down_i ?        00:00:00 lvm-mpd
0 S     0   899     1  0  75   0 -   390 schedu ?        00:00:00 syslogd
0 S     0   902     1  0  75   0 -   593 syslog ?        00:00:00 klogd
            

Look in the PID column for the same number that you saw in your shell's PPID column. The process that you find will be the parent of your shell. What is it? It is the login program. Using the same methodology as before now find Login's parent. It is "init". Now find "init's" parent. Can you see that "init" has no parent in the process table?

Who or what started "init", the kernel!

Remember that "init" is the first process run by the kernel at bootup: this behaviour is hard-coded in the kernel. It is "init's" job to start up various child processes to get the system to a usable state (Refer to bootup section Refer to init section.)

What constitutes a process or the properties of a process?

A process consists of:

The properties of a process

A process has many status properties maintained by the kernel, some of which are:

When a process is started it inherits most of the properties of its parent, such as the real and effective UID/GID values.

Every process also has an environment associated with it. The environment is simply a list of variables. These are passed to a process by it's parent process, when it makes the exec() system call.

execve(program_file, program_arguements, environment_variables)
                

Although the basic way to run a process is through exec(), the whole process creation effort is a bit more involved. When a C programmer wants to start a process there are a few more system calls that will usually be used together with exec(). To better explain this we will look at a process creation example, namely that of running an "ls" command from the shell.

When you type in "ls -a" the shell does the following:

Figure 4.3. Process Life Cycle

As you hit enter after the "ls -al" command, the shell determines that ls is an external program on the filesystem, namely /bin/ls. It needs to exec() this. What it does first is to issue a fork() system call. It then issues a wait() system call.

The fork() system call performs a type of cloning operation. This gets the kernel to copy an existing process table entry to a next empty slot in the process table.

This effectively creates a template for a new process.

The kernel now assigns a new unique PID to this forked process and updates its PPID to reflect the value of the process that forked it. The forker is called the parent process and the forked process is called the child process.

The parent process, in this case the shell, now issues the exec() system call on behalf of the child. The exec() system call gets the kernel to read the ls program off the filesystem on the hard disk and place it into memory, overwriting the calling process, in this case the child shell template.

The PID and PPID entries of the forked child remain the same, but the name of the child process in the process table entry is now updated to the name of the exceed process, in this case ls.

The child now runs and in the case of "ls -al", produces some output to the terminal. Once the child is finished whatever it has to do it informs the kernel that it has completed by issuing an exit() system call.

The wait() causes the parent to halt execution until the child performs its' exit().

The exiting child now falls into a "zombie"* state. The kernel has de-allocated the process memory, however its process table entry still exists. It is the job of the parent to inform the kernel that it has finished working with the child, and that the kernel can now remove the process table entry from the child (currently in the zombie state)^[3]

The exit() of the child actually causes the return of the wait() system call, which ends the pausing of the parent process, so that it can now continue running.

It is important to note that every process becomes zombie for a brief amount of time when it exits, usually a split second, as a part of its natural life cycle.

Question:

What would happen if shell omitted the wait()?

Answer:

You would get the shell prompt back, the child process would continue to run until completed and if the parent shell still exists it will still receive the exit status from the child process and would still have the task of informing the kernel that the child process is complete. So that the kernel can remove the child's entry from the process table.

To show the state of a process, use the "-l" to the ps command.

Example

$ ps -el
F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
0 S     0     1     0  0  75   0 -   155 schedu ?        00:00:04 init
0 S     0     2     1  0  75   0 -     0 contex ?        00:00:00 keventd
0 S     0     3     1  0  94  19 -     0 ksofti ?        00:00:00 ksoftirqd_CPU0
0 S     0     4     1  0  85   0 -     0 kswapd ?        00:00:00 kswapd
0 S     0     5     1  0  85   0 -     0 bdflus ?        00:00:00 bdflush
0 S     0     6     1  0  75   0 -     0 schedu ?        00:00:00 kupdated
0 S     0     7     1  0  85   0 -     0 kinode ?        00:00:00 kinoded
0 S     0     8     1  0  85   0 -     0 md_thr ?        00:00:00 mdrecoveryd
0 S     0    11     1  0  75   0 -     0 schedu ?        00:00:00 kreiserfsd
0 S     0   386     1  0  60 -20 -     0 down_i ?        00:00:00 lvm-mpd
0 S     0   899     1  0  75   0 -   390 schedu ?        00:00:00 syslogd
            

Look for the column heading "S" (it is the second column)

The scheduler is a service provided by the kernel to manage processes and the fair distribution of CPU time between them.

The scheduler is implemented as a set of functions in the kernel. On Unix System V**, the scheduler is represented in the process table as a process named sched, with a PID of 0. Linux does not indicate the scheduler in this way. Even on system V this serves no practical purpose as not even the root user can manipulate the scheduler by sending it signals with the kill command.^[4]

The kernel classifies processes as being in one of two possible queues at any given time: the sleep queue and the run queue.

Figure 4.4. The Scheduler

Run Queue

Processes in the run queue compete for access to the CPU. If you have more processes that want to execute instructions than you have processors in your system, then it becomes obvious that you have to share this finite resource between these processes.

The processes in the run queue compete for the processor(s). It is the schedulers' job to allocate a time slice to each process, and to let each process run on the processor for a certain amount of time in turn.

Each time slice is so short (fractions of a second), and each process in the run queue gets to run often every second it appears as though all of these processes are "running at the same time". This is called round robin scheduling.

As you can see, on a uniprocessor system, only one process can ever execute instructions at any one time. Only on a multiprocessor system can true multiprocessing occur, with more than one process (as many as there are CPUs) executing instructions simultaneously.

There are different classes of scheduling besides round-robin. An example would be real-time scheduling, beyond the scope of this course.

Different Unix systems have different scheduling classes and features, and Linux is no exception.

Figure 4.5. Round-Robin Scheduling

Sleep queue

Processes that are waiting for a resource to become available wait on the sleep queue in this way, the process will not take up a slot on the run queue and during the priority calculation.

However once the resource becomes available that resource is reserved by that process, which is then moved back onto the run queue to wait for a turn on the processor.

If we look at this in a different way we will find that every process gets onto the sleep queue, even as a new process the resources still have to be allocated to the process, even if the resource is readily available.

Figure 4.6. Sleep Queue and Run Queue

In the header file include/linux.h a Linux Task can be in one of the following states:

Figure 4.7. Multitasking flow

Each 10 milli-seconds (This may change with the HZ value) an Interrupt comes on IRQ0, which helps us in a multitasking environment.

The interrupt signal to the CPU comes from PIC (Programmable Interrupt Controller), say 8259, which is connected to PIT (Programmable Interval Timer) say 8253, with a clock of 1.19318 MHz.

So Time-slice = 1/HZ.

With each Time-slice we interrupt current process execution (without task switching), and the processor does housekeeping then the previous process continues to run.

Figure 4.8. Time-slicing

Functions can be found under:

IRQ0x00_interrupt, SAVE_ALL [include/asm/hw_irq.h] 
do_IRQ, handle_IRQ_event [arch/i386/kernel/irq.c] 
timer_interrupt, do_timer_interrupt [arch/i386/kernel/time.c] 
do_timer, update_process_times [kernel/timer.c] 
do_softirq [kernel/soft_irq.c] 
RESTORE_ALL, while loop [arch/i386/kernel/entry.S]
            

Description:

Linux and every other Unix variant manages multitasking by using a variable that keeps track of how much CPU time ha been used by the task.

Each time an interrupt is sent to IRQ 0 the variable decreases and when the count is 0 the task has to be switched.

	Note
	The "need_resched" variable is set to 1, then assembler routines control "need_resched" and call the scheduler [kernel/sched.c] if needed at that time.

The scheduler is a piece of code that designates which task is the next to run on the processor.

In classic Unix, when an IRQ comes (from a device), Unix makes "task switching" to interrogate the task that requested the device.

Linux ensures that the work that is not a high priority is postponed and the higher priority work is given the resources first. This tends to have a marked effect on performance of the system.

This is called "Bottom Half" where the IRQ handler re-schedules the lower level priority process to be run later in the scheduling time. Bottom-Half has been around since kernel 1.x but in the more recent versions of the kernel there is a task queue allocated to this job that appears to be more dynamic that the BH. (A tasklet is allocated for multiprocessors).

Task or process Switching is needed in many cases, some examples would be:

The issue of swapping and paging is often misunderstood. Swapping and paging are two totally different things.

Swapping was the first technology used in Unix System V as physical memory fills up with processes there is a problem. What happens when the system runs completely out of RAM? It "grinds to a halt"!

The conservation and correct management of RAM is very important because the CPU can only work with data in RAM, after it has been loaded from the hard disk by the kernel. What happens when the mounting number and size of processes exceeds physical memory? To allow for the situation, and because only one process can ever execute at any one time (on a UniProcessor system), only really that process need to in RAM. However organising that would be extremely resource intensive, as multiple running processes are scheduled to execute on the processor very often (see the section called “Scheduler”)

To address these issues the kernel advertises an abstract memory use to applications by advertising a virtual address space to them that far exceeds physical memory. An application may just request more memory and the kernel may grant it.

A single process may have allocated 100mb of memory even though there may only be 64mb of RAM in the system. The process will not need to access the whole 100mb at the same time this is where virtual memory comes in.

Swap space is a portion of disk space that has been set aside for use by the kernels' virtual memory manager (VMM). The VMM is to memory management what the scheduler is to process management. It is the kernels memory management service for the system.

Some systems are pure swapping systems, some systems are pure paging systems and others are mixed mode systems.

Originally Unix system V was a pure swapping system.

To swap a process means to move that entire process out of main memory and to the swap area on hard disk, whereby all pages of that process are moved at the same time.

This carried the disadvantage of a performance penalty. When a swapped out process becomes active and moves from the sleep queue to the run queue, the kernel has to load an entire process (perhaps many pages of memory) back into RAM from the swap space. With large processes this is understandably slow. Enter paging.

Paging was introduced as a solution to the inefficiency of swapping entire processes in and out of memory at once.

With paging, when the kernel requires more main memory for an active process, only the least recently used pages of processes are moved to the swap space.

Therefore when a process that has paged out memory becomes active, it is likely that it will not need access to the pages of memory that have been paged out to the swap space, and if it does then at least only a few pages need to be transferred between disk and RAM.

Paging was first implemented in system V[?] in 19??

For efficient paging, the kernel needs to keep regular statistics on the memory activity of processes it keeps track of which pages a process has most recently used. These pages are known as the working set.

When the kernel needs memory, it will prefer to keep pages in the working sets of processes in RAM as long as possible and to rather page out the other less recently used pages as they have statistically been proven to be less frequently accessed, and therefore unlikely to be accesses again in the near future.

Current Unix systems use the following methods of memory management:

Virtual memory can mean two different things, in different contexts. Firstly it can refer to only swap memory; secondly it could refer to the combination of both RAM and swap memory.

You can run the lsmod(8) to display the list of currently loaded modules in user memory.

riaan@linux:~> lsmod
Module                  Size  Used by    Not tainted
sr_mod                 14616   0 (autoclean) (unused)
snd-mixer-oss          15576   1 (autoclean)
videodev                6272   0 (autoclean)
isa-pnp                32712   0 (unused)
usbserial              19836   0 (autoclean) (unused)
....	
....
....
ne2k-pci                5248   1
8390                    6608   0 [ne2k-pci]
ide-scsi               11056   0
scsi_mod              100788   2 [sr_mod ide-scsi]
ide-cd                 32416   0
cdrom                  29216   0 [sr_mod ide-cd]
nls_iso8859-1           2844   2 (autoclean)
ntfs                   80300   2 (autoclean)
lvm-mod                64996   0 (autoclean)
reiserfs              217908   1
            

You can use the insmod(8) or modprobe(8) commands to load a module from the /lib/modules directory structure into user memory for use by the parent.

The advantage of using modprobe over insmod to load modules, is that modprobe will consult a dependency file /lib/modules to determine which other drivers need to be loaded before the requested module.

To unload a module from user memory you can use the rmmod(8) or modprobe -r commands. The module may not be in use by the kernel or the attempt at removal will fail.

modinfo(8) displays important information about a module, including its configuration parameters depmod(8) this command analyses all the module binaries under /lib/modules and builds a dependency file in this same directory structure.

If you look at the machine in front of you, it is a finite resource at this time; it consists of a set of interdependent resources or components that have to be shared between users and processes.

Now Linux has a couple of problems to be aware of especially on a busy machine:

You cannot take out your current disk and plug in a faster one for a couple of minutes whilst there is a crisis. So really tuning would then be taking the resources that you have and allocating them by balancing conflicts and establishing compromises.

Some Examples:

Figure 7.1. Let us look again at the sleep queue

If processes are waiting for disk and you have a slow disk, this will eventually cause a disk bottleneck, where there may be nothing on the run queue and the processes are waiting for disk.

Processes on the run queue only need one more resource before they can run and that is the CPU.

All processes perform IO and may have to wait for their request to be satisfied by the hardware. If a process is reading a file for example login reads /etc/passwd as a user logs in, the kernel will be making requests to the disk (to exec(), the open() etcetera). Disks have built in latencies due to rotational delay, movement of the heads and so on.

While the process is waiting for the disk request to complete it cannot use the CPU, the process is then put onto the sleep queue where it will wait for IO, wait for disk. Once the disk is freed up, the process is again placed into the run-queue.

A substantial amount of input to a process can be interactive such as from a keyboard or mouse. Systems with large numbers of interactive jobs will have most of their processes in wait for IO state. Processes can be held up when outputting to the slower devices such as terminals and printers.

When the hardware devices send an interrupt to the CPU, the clock, or a device that is now freed-up, the process running on the CPU is suspended while the interrupt service routine is executed (process to task_sched not to run queue). The clock interrupt routine is also responsible for gathering statistics dealing with process scheduling, updating page management information etcetera. If a system spends a lot of time dealing with these interrupt service calls it is said to be interrupt-bound.

A good rule of thumb is to make sure that there is enough memory, and that you allocate enough swap space on your disk (at least the same amount of memory again), even though using the swap space as additional memory will take more time than being in RAM at least the processes can still run and do not have to stop altogether.

The scheduler is implemented in the 'main kernel file' kernel/sched.c.

The corresponding header file include/linux/sched.h is included (either explicitly or indirectly) by virtually every kernel source file.

The following is an extract from the man pages:

"The fields of task structure relevant to scheduler include: 
p->need_resched: this field is set if schedule() should be invoked at 
the 'next opportunity'. 

p->counter: number of clock ticks left to run in this scheduling slice,
decremented by a timer. When this field becomes lower than or equal to zero, 
it is reset to 0 and p->need_resched is set. This is also sometimes called
'dynamic priority' of a process because it can change by itself.

p->priority: the process' static priority, only changed through 
well-known system calls like nice(2), POSIX.1b sched_setparam(2) or 
.4BSD/SVR4 setpriority(2).

p->rt_priority: real-time priority

p->policy: the scheduling policy, specifies which scheduling class the task belongs to. "

Scheduler Classes:
SCHED_OTHER (traditional UNIX process), 
SCHED_FIFO (POSIX.1b FIFO real-time process) 
SCHED_RR (POSIX round-robin real-time process). 
            

The scheduler's algorithm is simple, despite the great apparent complexity of the schedule() function.

riaan@linux:~> ps -el
  UID   PID  PPID CPU PRI NI   VSZ  RSS MWCHAN STAT  TT       TIME COMMAND
 1001   650   649   0   8  0  1324 1184 wait   SLs   p0    0:00.01 zsh
 1001   664   650   0  76  0  3764 3056 select SL+   p0    0:02.53 ssh -v -C 
 1001  1113  1112   0   8  0  1332 1192 wait   SLs   p1    0:00.03 zsh
                    

nice >nice_value< >command>
                    

nice -10 date
                    

It is the scheduler that must select the most deserving process to run out of all of the runnable processes in the system. A runnable process is one, which is waiting only for a CPU to run on.

Linux uses a reasonably simple priority based scheduling algorithm to choose between the current processes in the system. When it has chosen a new process to run it saves the state of the current process, the processor specific registers and other context being saved in the processes task_struct data structure.

When you are testing the system with the following commands or doing the suggestion exercises you may want to see the machine paging or struggling more, a way of doing this would be to limit the memory that is allowed to be used from your bootup prompt as follows:

Boot: Linux mem=48M
            

Do not use more than the memory that you have as this will cause the kernel to have a crash.

	Note
	If you have a motherboard with an old BIOS or an old kernel it may not be possible to access more than 64MB by default. You would then have to tell the system about the amount of memory e.g. 128MB. For this you can use the boot prompt as above or edit the /etc/lilo.conf file.

Print the accumulated user and system times for the shell and for processes run from the shell. The return status is 0.

Times is a shell-builtin command and therefore the shell has no extra resources required to find the command.

The report shows the amount of time taken for a command to run in real time (stop watch), the amount of time that the process in on the processor using user state and not system calls, the time on the processor and in system mode.

The difference between the user and the system time is the amount of time the process spent waiting.

If we wanted to save time we could avoid the screen altogether and send the output to /dev/null.

For example:

$  times  ls  -lR  / > /dev/null
            

	Note
	If you have run this command previously the time will be influenced by the output still being in the buffer cache.

User time does not change because you are writing to the console driver, but there should be a difference between the user and the system time.

We may need to reduce the real time and we do not want to change the hardware, the buffer cache may increase to handle this but then it will use more memory and that may cause the system to put pages into swap area.

This times command represents time in its reports to the nearest 10th of a second that the process takes to execute.

top provides an ongoing look at processor activity in real time. It displays a listing of the most CPU-intensive tasks on the system, and can provide an interactive interface for manipulating processes.

It can sort the tasks by CPU usage, memory usage.

top [-] [d delay] [p pid] [q] [c] [C] [S] [s] [i] [n iter] [b] 
                

Top reads it's default configuration from two files, /etc/toprc and ~/.toprc.

top displays a variety of information about the processor state.

Several single-key commands are recognized while top is running (check the man pages for full details and explanations).

Some interesting examples are:

Collect, report, or save system activity information. The sar command only reports on local activities.

/var/log/sa/sadd Indicate the daily data file, where the dd parameter is a number representing the day of the month. /proc contains various files with system statistics.

sar [opts] [-o filename] [-f filename] [interval/secs] [count]
            

The sar command writes to standard output the contents of selected cumulative activity counters in the operating system.

sar -o data.file interval count >/dev/null 2>&1 & 
                

vmstat [-n] [delay [ count]] 
vmstat[-V] 
            

vmstat reports information about processes, memory, paging, block IO, traps, and cpu activity.

vmstat does not require special permissions to run. These reports are intended to help identify system bottlenecks. Linux vmstat does not count itself as a running process. All linux blocks are currently 1k, except for CD-ROM blocks which are 2k.

The first report produced gives averages since the last reboot. Additional reports give information on a sampling period of length delay. The process and memory reports are instantaneous in either case.

FIELDS

Report Central Processing Unit (CPU) statistics and input/output statistics for devices and partitions.

iostat [ -c | -d ] [ -k ] [ -t ] [ -V ] [ -x [ device ] ] [ interval [ count ] ] 
            

The iostat command is used for monitoring system input/output device loading by observing the time the devices are active in relation to their average transfer rates.

The iostat command generates reports that can be used to change system configuration to better balance the input/output load between physical disks.

The iostat command generates two types of reports:

1.the CPU Utilization report

2.and the Device Utilization report.

We have discussed the ps command earlier so I am not going to take you through the structure or options of the command. However there are a couple of issues that likely you have not been told about before.

In Linux the ps command that we are going to look at is the one that uses /proc for the required inforamtion that it reports on.

This version of ps accepts several kinds of options, read the man pages for the list. The following table expresses some of the output modifiers that can be used. There are more than this but I thought these were the most useful:

States of a process (some extracts from ps man pages)

Both Linux (and FreeBSD) have a way of displaying the various states of a process at any one time. It seems apparent that the process that would display this information is the "process status" command or ps.

This information can become invaluable to you when analysing your performance or needing to know how far a process is towards completion and what might be holding the process up.

You have a "process state" and a "flag" set for each process:

PROCESS FLAGS ALIGNWARN 001 print alignment warning msgs STARTING 002 being created EXITING 004 getting shut down PTRACED 010 set if ptrace (0) has been called TRACESYS 020 tracing system calls FORKNOEXEC 040 forked but didn't exec SUPERPRIV 100 used super-user privileges DUMPCORE 200 dumped core SIGNALED 400 killed by a signal PROCESS STATE CODES D uninterruptible sleep (usually IO) R runnable (on run queue) S sleeping T traced or stopped Z a defunct ("zombie") process

	Note
	NOTE: For BSD formats and when the "stat" keyword is used, additional letters may be displayed: W has no resident pages < high-priority process N low-priority task L has pages locked into memory (for real-time and custom IO)

It is also possible to find out the current wait states of the processes, in other words what resource or activity are they waiting for, you will need to examine the man pages of your version of Linux very carefully for this, but the command will look similar to the following:

debian:~# ps axo user,pid,stat,f,wchan,command USER PID STAT F WCHAN COMMAND root 1 S 100 select init root 2 SW 040 bdflus [kflushd] root 3 SW 040 kupdat [kupdate] root 4 SW 040 kswapd [kswapd] root 5 SW 040 contex [keventd] root 148 S 040 select /sbin/syslogd root 151 S 140 syslog /sbin/klogd root 175 S 140 select /usr/sbin/inetd root 179 S 140 select /usr/sbin/lpd root 182 S 140 select /usr/sbin/cupsd root 190 S 140 select /usr/sbin/sshd daemon 194 S 040 nanosl /usr/sbin/atd root 197 S 040 nanosl /usr/sbin/cron root 201 S 100 read_c -bash root 202 S 000 read_c /sbin/getty 38400 tty2 root 203 S 000 read_c /sbin/getty 38400 tty3 root 204 S 000 read_c /sbin/getty 38400 tty4 root 205 S 000 read_c /sbin/getty 38400 tty5 root 206 S 000 read_c /sbin/getty 38400 tty6 root 336 S 040 select /sbin/dhclient-2.2.x -q root 337 S 140 select /usr/sbin/sshd root 340 S 100 wait4 -bash root 579 R 100 - ps axo user,pid,stat,f, \ wchan,command

The WCHAN field is actually resolved from the numeric address by inspecting the kernel struct namelist, which is usually stored in a map file:

/boot/System.map-<KERNEL VERSION>

If you tell ps not to resolve the numerics ("n" flag), then you can see the hex values:

debian:~# ps anxo user,pid,stat,f,wchan,command USER PID STAT F WCHAN COMMAND 0 1 S 100 130dd4 init 0 2 SW 040 12a233 [kflushd] 0 3 SW 040 12a298 [kupdate] 0 4 SW 040 12381a [kswapd] 0 5 SW 040 11036b [keventd] 0 148 S 040 130dd4 /sbin/syslogd 0 151 S 140 114d1a /sbin/klogd 0 175 S 140 130dd4 /usr/sbin/inetd 0 179 S 140 130dd4 /usr/sbin/lpd 0 182 S 140 130dd4 /usr/sbin/cupsd 0 190 S 140 130dd4 /usr/sbin/sshd 1 194 S 040 11373c /usr/sbin/atd 0 197 S 040 11373c /usr/sbin/cron 0 201 S 100 1bee13 -bash 0 202 S 000 1bee13 /sbin/getty 38400 tty2 0 203 S 000 1bee13 /sbin/getty 38400 tty3 0 204 S 000 1bee13 /sbin/getty 38400 tty4 0 205 S 000 1bee13 /sbin/getty 38400 tty5 0 206 S 000 1bee13 /sbin/getty 38400 tty6 0 336 S 040 130dd4 /sbin/dhclient-2.2.x -q 0 337 S 140 130dd4 /usr/sbin/sshd 0 340 S 100 119017 -bash 0 580 R 100 - ps anxo user,pid,stat, \ f,wchan,command

As you can see it is possible to find out much more than initially apparent. Read the man pages of ps carefully.

#  cd  /usr/src/linux

#  make config
            

There will now be lots of questions to answer about your system, hardware and software wise.

Please make sure that you are well prepared!

If you were to say that you do not have a SCSI drive and you do have one, it will not be recognised, if you say that you have one and you do not then you are going to waste memory resources.

Make a copy of the kernel file that you have been using in case you have a problem later on, then you can still boot with the original kernel and get the system up at least.

#  mv  /zImage  /zImage.old
            

You should also have your Boot Floppy (see system administration course).

In an article in a Linux news publication a while ago I saw the following questions as being pointed out as most useful or likely:

&quot;&apos;Kernel math emulation&apos; CONFIG_MATH_EMULATION <!-- riaancheck --> 
            

If you don't have a math co-processor, you should answer this question YES. Those who do have a math co-processor should answer NO.

A kernel with math-emulation compiled in it will still use the processor if one is present. The math-emulation simply won't get used in that instance. This will result however in a somewhat larger kernel and a waste of memory.

In connection with hard disk support it was pointed out that this one causes confusion:

'XT harddisk support' CONFIG_BLK_DEV_XD
            

NO. This really doesn't have to do with hard disks -- it has to do with your controller card. AT controller cards are 16-bit cards supported by the standard hard disk driver. XT controller cards are 8-bit cards that are rare in 386 machines.

'TCP/IP networking' CONFIG_INET 
            

YES if you plan to have your system interactive on the net. This includes SLIP and PPP connections. Answer NO if you aren't going to connect to the net right now; you can always compile another kernel later.

'System V IPC' CONFIG_SYSVIPC : 
            

This isn't used for many things, but doesn't use much memory. YES is recommended.

'Use -m486 flag for 486-specific optimizations' CONFIG_M486 : 
            

If you have an i386 system, answer NO. Otherwise you should select YES. This uses a little bit of memory. Adding this flag will not slow a 386 down, other than using extra memory, but will speed up a 486 quite a bit. There are a series of questions, which have to do with different types of SCSI drivers and interfaces. If you have a SCSI controller, then you would want to enable the drivers via the configuration process. For those who don't have a SCSI controller, select NO, and move on to the next step in the configuration.

Network device support mainly has to do with selecting the proper Ethernet device or other network connection. PPP and SLIP are used to connect to TCP/IP networks over the serial port; PLIP is used to connect TCP/IP networks over the parallel port, and the rest are ethernet controllers. Do not select drivers of devices you do not have. This can sometimes cause conflict later when you are booting.

Another important section in the kernel configuration process has to do with the different filesystems. There is an advantage to compiling the kernel to have only the filesystems you need. There are several different filesystems supported by Linux:

'Standard (minix) fs support' CONFIG_MINIX_FS :
            

This is the original Linux filesystem. It is considered to be one of the more stable filesystems, and is still widely used. You probably want this unless you are really desperate for space or will really never use it.

'Extended fs support' CONFIG_EXT_FS :
            

Only select this if you still have filesystems from the 'old days' that will use this precursor of the second extended filesystem. This filesystem is slow and no longer actively maintained. It is there only for backwards compatibility. NO.

'Second extended fs support' CONFIG_EXT2_FS :
            

The ext2 filesystem is the most 'full-featured' of the filesystems. It is a super rewrite of the original extended filesystem, with improved speed as well. This is by far the most popular filesystem. A filesystem debugging package is available for this filesystem that can help you recover from fairly bad filesystem crashes. YES.

'msdos fs support' CONFIG_MSDOS_FS :
            

This filesystem allows for access to the FAT filesystem used by MS-DOS. It is a great advantage for those who need to access floppies or hard disk partitions that use that filesystem. In addition, if you use the UMSDOS filesystem (usually because you installed Linux on an MSDOS partition), you need to include MSDOS filesystem support.

'/proc filesystem support' CONFIG_PROC_FS :
            

The PROC filesystem does not touch your disk. It is used by the kernel to provide data kept within the kernel itself to system programs that need that information. Many standard utilities will not function without this filesystem. YES.

'NFS filesystem support' CONFIG_NFS_FS :
            

The NFS filesystem is necessary for those who have a physical network and need to mount NFS filesystems from other computers. If you are on a TCP/IP network, you probably want this option.

'Kernel profiling support' CONFIG_PROFILE :
            

This is used only by seasoned kernel hackers. You don't need this if you need to read this article...

'Selection (cut and paste for virtual consoles)' :
            

If you want to be able to use your mouse in any of your VC's, then you would select YES. Note that this requires a separate selection program to work. Your mouse will be inactive without this program. This has nothing to do with X-windows.

The last section of the configuration process that needs insight has to do with sound card options. If you want sound card support, then you would definitely select YES.

Full driver? NO
            

Select NO because configure the kernel to handle only a particular sound card.

Disable? NO. 
            

It seemed strange that the driver question would come before a question about disabling the sound drivers altogether. Nonetheless, you should select NO, and answer the questions that follow accordingly, depending on what hardware you have."

Using the depend command from with the /usr/src/linux directory will create the dependencies that you have now set up.

#  cd /usr/src/linux

#  make depend

# make zImage
            

make zImage -- creates a compressed image which also saves memory.

You need to edit the configuration file for LILO in order that you will boot with the new kernel. (This is assuming that you are using LILO as your preferred boot loader program.)

#  vi  /etc/lilo/config
            

OR

#  vi  /etc/lilo.conf
            

boot = /dev/had
 
#This is the path to the NEW kernel image to be booted
image = /zImage
label = linux 

#This is the path to the OLD kernel image to be booted
#if the other should fail to boot
image = /zImage.old
label = linux.old 
            

Now when you boot you will see that it uses by default the new kernel that you just loaded.

Original Unix filesystems were composed of 3 main areas:

Figure 8.2. Generic Unix Filesystem Support

Inode List

The inode list, also known as the inode table, contains data structures that provide information about files.

Figure 8.3. Inode List

The free blocks bitmap contains a one-to-one status map of which data blocks contain data. One bit describes one data file, a one in the bitmap indicates the corresponding datablock is in use and a zero indicates that it is free.

This was originally a BSD extension to UFS, made by UCB in the BSD FAST FILESYSTEM (FFS). What was done for for FFS (the Berkeley "Fast File System") was to have a "free blocks bitmap" for each cylinder group.

Figure 8.4. Free Blocks Bitmap (Extension to Inode List Figure)

To make disk access faster, the filesystem can be divided into block groups, a block group simply contains all the part of the filesystem that a generic Unix filesystem is made of as shown in Figure 5. However, the distributing of multiple superblocks inodes and data block areas around the entire physical disk allows the system to allocate an inode closer to its data blocks.

This means that when a new file is saved, the system will find some free blocks to allocate for data and then try to find a free inode that is in the nearest inode list before the data blocks that were allocated.

In contrast, for example, on a 1GIG filesystem of the traditional Unix type (as in Figure 5), reading a file whose data blocks were near the end of the filesystem, would result in the heads on the disk moving a far distance to the beginning of the filesystem to read the inode for that file. If this filesystem utilised block groups, then the inode for this file would be much closer to the end of the filesystem and to the data blocks, so the heads would have a comparatively shorter distance to travel.

Figure 8.5. Block Groups

Extent based allocation is an efficiency improvement to the way that disk block addresses are referenced in the inode.

Instead of referencing each and every data block number in the inode, contiguous block addresses can simply be referenced as a range of blocks. This saves space for large files that have many data blocks.

For example if a file takes up data blocks 21, 22, 23, 24 and 25, expressing this as a block range in an extent based filesystem would specify 21-25 instead.

To prevent micro-fragmentation of data blocks, of a single file, all around the filesystem, the filesystem driver can pre-allocate data blocks in entire groups at a time.

For instance, if a file is first saved, that consumes 3 blocks, 32 blocks (if this were the pre-allocation size for this specific filesystem) would be allocated for this file in one go. The remaining 29 blocks would not be sued for other files. When this file grows, the new blocks can therefore be allocated contiguously after the first three.

Pre-allocation is handled transparently by the filesystem driver behind the scenes. This means that although fragmentation still occurs as a natural part of a filesystem structure, file data is stored in large ranges of blocks, so that single blocks of a file are never scattered individually around the filesystem.

The blocks pre-allocated in this scheme will not show as allocated in the output of df, and will immediately be sacrificed automatically when disk space runs low.

You can have more than one filesystem on your system, why would you want to do that though?

A filesystem is an area of blocks allocated on the disk. See Figure 1 (Hard Disk Partitions). These are logical divisions on the Linux partition.

A logical decision must be made to ascertain how big each area should be, take into account the number of users you have and the amount of data you will need. As it is fairly difficult to re-allocate space on a working system please put some thought into this.

Figure 8.6. Filesystems

Where:

S=swap space allocated 64MB

Root filesystem allocated 800MB

Development filesystem allocated 300MB

Data Capturing filesystem allocated 1500MB

At the beginning of this course we spoke of mounting different versions or types of filesystems, those that are not of Linux type.

Some of these filesystems would have to have some kernel support built in to the Linux kernel.

Some would have utilities to work with them, even if not mounted and without kernel support being required.

To do this you would work with programs that require user space only.

Figure 8.10. Filesystem Structure

When you create a filesystem of say 800MB the system also creates a superblock, and inode table and then the datablock allocation for that filesystem.

Inodes

Inode numbers start at 1 although 1 is never allocated out, inode number 2 usually points to the root directory file. They are stored as a sequential array at the front of the filesystem and that structure is called the ilist, inode table or inode list.

The amount of inodes required for each filesystem is calculated depending on the data block size of the filesystem. (Generally works at approx 4K per inode).

Each inode is 64 bytes in size and we have already covered in the Fundamentals course the fields contained therein.

The disk inodes are the ones residing on the hard disk and not in the buffer cache and normally defined in ino.h header file.

Inode addressing

The maximum size of an ext2 filesystem is 4 TB, while the maximum file size is currently limited to 2 GB by the Linux kernel.

Disk block addressing is controlled by the inode and the field that expresses the actual datablocks that contains the physical file, the address field is a total of 39 bytes in length.

Although most files are fairly small, the maximum file size in Linux is 2GB, how does the inode cope with addressing that number of disk blocks?

The inode block numbers work in a group of 13:

1. The first 10 point directly to a datablock which contain the actual file data - this is called direct addressing = 10Kb.

2. Then the 11th block points to a datablock that contains 256 pointers, each of those pointers point to a single address block as above. This is called single indirect block addressing = 256Kb.

3. The 12th block points to a datablock that has 256 pointers and each of those pointers point to a datablock with 256 pointers, and each of those pointers to a datablock as per point 1 above. This is called double indirect block addressing = 64Mb.

4. The 13th point has a triple indirect setup where the 256 pointers each point to 256 pointers that each point to 256 pointers that each point to a datablock as per point 1 above = 16GB.

So the max size is actually 16GB, BUT this is limited by the inode sizing not by the structure of the operating system.

Figure 8.11. Datablock addressing in the inode

In memory, inodes are managed in two ways:

1. A doubly linked circular list and,

2. A hash table.

Function iget(struct super_block *sb, int nr) to get the inode, if it is already in memory, then I_count is incremented, if it is not found, must select a "free" inode call superblock function read_inode(0 to fill it, then add it to the list.

(See Iput(), namei())

Inodes and opening a file

System call open()

• request a new file structure via get_empty_filp()

• open_namei() to obtain inode

• modify open() flags. 0:read,1:write

• do_open()

• if a character-oriented device, chrdev_open() is called.

Then, file is successfully opened, the file descriptor is returned.

bdflush version ?.?
0:    60 Max fraction of LRU list to examine for dirty blocks
1:   500 Max number of dirty blocks to write each time bdflush activated
2:    64 Num of clean buffers to be loaded onto free list by refill_freelist
3:   256 Dirty block threshold for activating bdflush in refill_freelist
4:    15 Percentage of cache to scan for free clusters
5:  3000 Time for data buffers to age before flushing
6:   500 Time for non-data (dir, bitmap, etc) buffers to age before flushing
7:  1884 Time buffer cache load average constant
8:     2 LAV ratio.
                

You can use the fsck(8) command as root to check and repair filesystems.

The file system checker or fsck, can peform both physical and non-physical checks on a filesystem. The default is to do a non-physical check on the filesystem structures. The -c option performs a physical, non-destructive check in addition to the normal filesystem check.

The physical check utilises the badblocks program to find all the logical filesystem blocks that are damaged (contain bad sectors), and mark them off in the filesystem so that they are not used for storing datablocks.

The bad blocks will be allocated to inode number 1 on the relevant filesystem. This inode has no corresponding filename in any directory in the filesystem, hence you cannot get hold of it.

You must un-mount a filesystem before you can check it, except the root filesystem, which can never be un-mounted. To check the root filesystem ensure that you are in single user mode (run level 1 or s), this will ensure that there are no processes from multi-user mode writing to the disk when you do the check.

When a file is saved, data blocks are allocated to it for the file data, an inode is allocated to describe that file, and a new directory entry is made in the directory that contains the file. The directory entry consists of a filename and a matching inode number (and depending on the filesystem possibly more information). Setting up the directory entry is the last operation performed in this sequence.

In the event of an improper shutdown, such as a power failure or system hang, it is possible that a file that has been saved will have its data blocks allocated, an inode, but the directory entry will not yet have been written to disk. This is the most common form of filesystem corruption.

To fix this problem, when fsck is run and it finds such files without filenames in the filesystem it has essentially found a lost file it now has to give it a new filename, essentially reconnecting it to the filesystem directory structure. Fsck will create a new filename entry for the lost file in the filesystems' lost+found directory, which is located in the root directory of the filesystem. Fsck will create this directory if it does not exist fsck will name the file after the inode number.

Different Unix systems may have slightly different symantics here. On Linux, fsck will construct the filename of a lost file has a # character followed by the inode number. For example, if fsck finds a lost file in the root filesystem that has the inode number of 2105, then the repaired file will be called "/lost+found/#2105".

Syslogd is started by the normal startup scripts in /etc/rc.d/rc3.d.

Let's review some of what we have learnt form the introduction, the configuration file for syslogd is /etc/syslog.conf. Syslogd is the system daemon or process that does the actual logging.

Time specific messages are recorded into log files as designated by the .conf file.

If you are being notified of login attempts and failures, system errors and possible security problems then you will find that:

"In syslog.conf, there are two fields, the selector and the action. The selector field tells what to log and the action field tells where to log it (i.e., to a certain file, or to a certain host on the network).

The selector has the form: facility.level

The action has the form of a path, e.g., /var/log/messages or /var/log/secure, or /dev/console, or a full host name preceeded by an @ sign: @loghostname.loghost.co.za

The facility and level have many possible combinations. But for security's sake, it is far easier to just log everything. "