linuxlab.io
Copyright © 2026 LinuxLab. All rights reserved.
kb/processes

Linux processes, systemd, and resources

Linux processes and their lifecycle: systemd as PID 1, signals and states, cgroups v2 and namespaces, the OOM killer, page cache, swap, PAM, and capabilities. A close look at how the kernel manages memory and CPU, with practical examples and links to the lessons.

29 articles in this category

§ articles

  • bash-strict-mode
    Bash strict mode: set -euo pipefail
    Three flags at the top of a bash script that turn it from forgiving into fail-on-the-first-error. Without them, bugs pile up silently.
  • bpf-co-re
    BPF CO-RE: Compile Once Run Everywhere
    CO-RE means one compiled eBPF object runs on different kernels thanks to BTF (BPF Type Format). vmlinux.h is a dump of kernel structures. libbpf rewrites offsets at runtime. It replaces BCC, and you no longer need LLVM in production.
  • cgroups
    cgroups (v2)
    cgroups v2 is a hierarchical virtual FS under `/sys/fs/cgroup` that the kernel uses to limit CPU, memory, and I/O for processes. Docker, k8s, and systemd write here.
  • cgroups-v2-deep
    cgroups v2: unified hierarchy, PSI, eBPF control
    cgroups v2 uses one tree instead of separate per-controller hierarchies. Clean semantics, new fields (memory.high, io.cost). PSI shows resource pressure. eBPF can manage resources. Default in RHEL 9, Ubuntu 22+.
  • chrony-and-ntp
    chrony and NTP: clock synchronization
    NTP is the clock synchronization protocol (about millisecond accuracy over the internet). On modern Linux the implementation is `chronyd` (default) or `systemd-timesyncd` (lightweight).
  • file-descriptors
    File descriptors (stdin, stdout, stderr)
    A file descriptor is an integer a process uses to reach an open file, socket, or pipe. Every process gets 0/1/2 = stdin/stdout/stderr.
  • heredoc
    Here-doc and here-string: data inside the script
    Here-doc (`<<EOF ... EOF`) feeds multi-line text to a command's stdin with no temp file. Here-string (`<<<`) does the same for a single line.
  • kernel-modules
    Kernel modules: LKM, modprobe, signing, DKMS
    An LKM is code loaded into the kernel at runtime. modprobe resolves dependencies through depmod. Sign a module for Secure Boot. DKMS rebuilds out-of-tree modules after a kernel upgrade. Lockdown mode blocks unsigned modules.
  • capabilities
    Linux capabilities: privilege bits
    Capabilities split root's power into 40+ independent bits: NET_ADMIN, SYS_PTRACE, and so on. You can grant a process a slice of that power without making it full root.
  • namespaces
    Linux namespaces
    Namespaces are a kernel mechanism that gives a process its own isolated view of a resource (network, mount points, PID, UID, IPC, hostname, time). Every container is built on them.
  • load-average
    Load average
    Load average is three numbers in `uptime`: exponential averages of the run-queue length (R + D state) over 1, 5, and 15 minutes. It only makes sense in the context of `nproc`.
  • mmap
    mmap: files and shared memory
    `mmap()` maps a file (or an anonymous region) into a process virtual address space. Reads and writes through the pointer become file operations. This is the basis of shared memory.
  • oom-killer
    OOM killer
    OOM killer is the kernel mechanism that picks and terminates a process when the system hits its memory limit. In containers it works per-cgroup.
  • page-cache
    Page cache: disk in memory
    Page cache is RAM that holds file contents. Every filesystem read and write goes through it. In `free` it looks like used memory, but the cache is available.
  • process-and-pid
    Process and PID
    A process is a running program with its own PID, memory, open descriptors, and UID. All processes form a tree rooted at init (PID 1).
  • process-substitution
    Process substitution: <(cmd) and >(cmd)
    Bash syntax `<(cmd)` substitutes a command as a read-only pseudo-file. `>(cmd)` does it for writing. You get a temporary file you never have to clean up.
  • seccomp
    seccomp: a system call filter
    seccomp is a kernel-level syscall filter. A process declares "only these are allowed", and the kernel cuts off the rest. It anchors the Docker and Chrome sandbox.
  • selinux-apparmor
    SELinux and AppArmor: Mandatory Access Control
    SELinux and AppArmor are MAC: a control layer on top of normal permissions. They stop a process from doing anything outside its profile or type.
  • shebang
    Shebang: the first line of a script
    A script's first line like `#!/usr/bin/env bash` tells the kernel which interpreter to start. Without a shebang the script runs under the current shell, and a bash-only script breaks on /bin/sh in production.
  • signals
    Signals (SIGTERM, SIGKILL, SIGHUP)
    A signal is an asynchronous notification to a process from the kernel or another process. TERM asks it to quit, KILL kills it now, HUP reloads config.
  • sudo
    sudo: run a command as root
    `sudo` runs a command as another user (usually root) under the rules in `/etc/sudoers`. The standard path for privilege escalation.
  • swap
    Swap: when RAM runs out
    Swap is disk space where the kernel pushes out rarely used memory pages when RAM is needed more. A partition or a file. Tuned by `vm.swappiness` (0-100).
  • systemd-drop-ins
    systemd drop-ins: override without editing the original
    A drop-in is a `.conf` file in a `<unit>.d/` directory that merges into the unit file. It overrides any directive of a unit **without editing the original file** from the package.
  • systemd-targets
    systemd targets: runlevels the new way
    A target is a `.target` unit that describes a desired system state as a set of dependencies. It replaces SystemV runlevels: `multi-user.target` ≈ runlevel 3, `graphical.target` ≈ runlevel 5.
  • systemd-timers
    systemd timers as a cron replacement
    A systemd timer is a `.timer` unit that runs a paired `.service` on a schedule or after an interval from an event (boot, last run). It replaces cron with logs in `journalctl` and dependencies.
  • systemd-unit-types
    systemd unit types
    A unit is a resource managed by systemd. The file extension equals the type: `.service` (daemon), `.socket` (lazy start on a socket), `.timer`, `.mount`, `.path`, `.slice`/`.scope` (cgroups), `.target` (a group).
  • systemd-resolved
    systemd-resolved: the local DNS stub
    systemd-resolved is a DNS stub resolver. It listens on `127.0.0.53:53` and proxies queries to upstream DNS, aggregating data from NetworkManager, DHCP, and VPN. You drive it with `resolvectl`.
  • systemd
    systemd: the init system and service manager
    systemd is the Linux init system: PID 1 that starts everything else, tracks dependencies, restarts what crashes, and collects the logs.
  • virtual-memory
    Virtual memory: virtual addresses, page tables
    Each process sees its own 64-bit virtual address space. The MMU translates virtual addresses to physical ones through page tables. This is the basis of isolation and mmap.

← back to all knowledge base categories
