This chapter deals with more advanced topics. Some sections are self-contained, but most are not. In order to better understand the concepts mentioned in this chapter, it is recommended that you read 'Concepts' first.
Executables and Processes
Written by Marina Miler.
ELF - Executable and Linking format
A short introduction
The executable and Linking format (ELF) specification is published by UNIX System Laboratories in the System V Application binary Interface(ABI). It is a standard file format for executables, shared libraries object code and core dumps. It was chosen to be a portable object file format for the 32-bit Intel Architecture environments for a huge number of operating systems. In 1999. it became the standard binary file format for Unix-like operating systems. The ELF line is meant to streamline software development by supplying developers with a set of binary interface definitions that spread across multiple operating environments. This should decrease the number of different interface implementations, thus decreasing the need for recoding and recompiling code.
Characteristics and division
Elf is very flexible, which means that it does not depands on a special processor or architecture, and exstensible, too. That is why it is adopted by a variety of operating systems on a lot of different platforms.
The main types of object files are executable files, relocatable files and shared object files.
Executable files are files containing a program that is apropriate for execution.
Relocateble files are containing data and the code that are adequate to create an exe or shared object file by linking with other object files.
Shared object files contain code and data adequate for linking in two possible ways. One method is to process the shared object file with other shared object files and relocatable files and that way create another object file. This is the role of the link editor. The other way is that the dynamic linker creates a process image by combining the shared object file with another exe file and other shared objects.
The data file layout consists of an ELF header and file data.The file data may contain a program header table, a section header table and data etered in the program header table or the section header table. The program header table is necessary to execute a program. It tells the system how to establish a process image, which means how to execute a program. Relocatable files are an exeption; they don't need a program header table. The section header table includes information about the file's sections, such as the section name or size, etc. Not every object file has a section layer, just files used while linking must have it.
The spreading of ELF
Many older executable formats (for example a.out, COFF) have been replaced by ELF in a lot of systems such as Linux, Syllable, HP-UX, Solaris, IRIX, DragonFly BSD, etc. (all Unix-like operating systems). There are some non-Unix operating systems that use ELF, too, for example a lot of mobile phones using ELF (some Motorola, Siemens, etc.) and some consoles, such as PlayStation 2, PlayStation 3, Wii, GP2X, and so on.
A process is a program in execution. Processes are identified by their process ID, also called PID. It's a special and unique number that identifies every single process. Every process has its own process descriptors that contains information about a process, such as his PID, parent process, children, state, processor registers, siblings, adress space information and a list of open files. Every user has rights only over the process he launched. This is a good security measure. Linux is almost immune to viruses. Viruses have to infect executable files, but the user has no write acces to vulnerable system files. Anyway, there exist some anti-virus promgrams for Linux, too. Usually they are needed because Linux systems are often used as file servers for Windows machines. In Linux, the processes are organized in a special way. Therefore we have "trees". The PID is displayed next to every process in the tree. Every process also displays the PID of his parent process, called parent process ID.
PS (process status)
By typing ps into the terminal, we'll get a list of processes that we (the current user) started on the terminal we are using in that moment. It shows a list of active processes.The PID is shown in the first column, in the second column we can see the terminal the process is applied to (TTY), the third one displays the CPU time used by the process, and the last column shows the running command (CMD)
PID TTY TIME CMD 16613 tty000 00:00.27 bash
2598 tty001 00:00.35 ps 1435 tty002 00:00.16 bash
The sintax of ps is: ps [options]
There are a lot of ways to customize this command. Here are some examples: $ ps -a -x -u
a - lists information about all processes (of all users) attached to the certain terminal, except of group leaders u - shows the user name or user ID of the user that started the process x - shows the processes without terminal or different from your terminal
$ ps -ef - shows you all information about current running processes $ ps g - selects group leaders, too
For controlling processes, we use 64 different signals. These signals can be sent via different numbers (e.g. 9 means KILL, 19 means STOP) or names (SIGx, x - the signal's title, for example SIGKILL, SIGSTOP). The signals are devided into two groups: standard signals and real-time signals (used for application-defined purposes). The standard signals go from 1 to 32, while the signals from 33 to 64 are real-time signals, also called "higher signals".
KILL and KILLALL
We use kill and killall when a process ignores our request to close up. kill is a program that requires a PID as an argument. The syntax is: kill [PID]. For example:
$ kill 650 - kills the process with the PID 650
The sytax is: kill -[signal] [PID]
$ kill -9 650 - kills the process with the PID 650 or $ kill -sigkill 650
killall is a program that takes a process name as an argument, e.g.
$ killall -9 processname
SIGSTOP is a signal which pauses the process we send it to, but it can continue the execution after receivig the signal SIGCONT (that is also the main difference between SIGSTOP and SIGKILL). It cannot be ignored, neither can it be caught. The syntax is:
kill -SIGSTOP [PID] kill -SIGCONT [PID] For example: $ kill -sigstop 2571 or $ kill -19 2571 $ kill -sigcont 2571 or $ kill -18 2571 kill -s -it uses the symbolic names that are defined in <signal.h>. Because of it the prefix "SIG" is unnecessary and the values can be identified without it.
SIGTERM is a termination signal used to exit a process SIGTERM -15 - termination of a process For example: $ kill -sigterm 2251 or $ kill -15 2251 Unlike SIGKILL, SIGSTOP and SIGCONT it can be caught.
top shows the real-time processor activity and is able to sort tasks by memory usage, runtime, and CPU storage. It can also give us a limited interactive interface we can use to manipulate with processes. It combines the role of kill and ps. The output of top gets refreshed every 5 seconds. The main screen units are the summary area, prompt line, the columns header and the task area.
The sytax is: top [options]
Some options are:
b -batch mode command- it works in the batch mode, which means that only inputs that appear in the prescribed iterations limit will be accepted, if not, you have to kill the process.We can use it to send an arbitrary output from top to another file or program. h -help M -sorts processes by their use of memory n -it classifies the iteration limit needed to end a process. P – sorts processes by their use of CPU time u -it writes out the users processes. If you don't want all processes to be shown you'll have to enter the UID or the user's name when you're asked to. i -shows only processes that are running at the moment q -quit r -it changes the priority of a selected process
$ top -u marina - shows only the processes of the user whose username is marina $ top -u 400 – shows only the process with the UID 400
2.4 The tree structure
The pstree command is a command we use for showing the processes as a tree structure, it is also called "tree diagram".The process init is always at the beginning of the list, because when Linux is started it is always the first process running. As it was already mentioned before, the tree structure shows the parent process of a process and its children (processes that originate from it). If you want to kill the whole section, you just have to kill the parent. Analogous to that, a tree structure is also used to demonstrate the filesystems of Linux. The difference between pstree and ps is that pstree gives you an hierarchical order of the running processes, while ps shows them in the order they were started. The sytax is: pstree [options] [PID or username] For example:
$ pstree -A – uses ASCII characters to display a tree. $ pstree -p shows us the PIDs of the current processes. $ pstree -n sorts processes with the same parents by PID $ pstree | less – is used to get a clearer output. We use it because the output of the pstree command is very long and takes a lot of space.
Every process has his own defined priority. A scheduling priority is not the same thing as niceness. As an opposed from priority, niceness is more like an advice to the scheduler, which can be ignored, too. The lower the nice value, the higher will be the priority. The higher the nice value the lower will be the priority. The lowest nice value is -20, and the highest is 19. Only the privileged user can set the any priority he wants to any value he wants, while the other users are limited to chose a priority between 0 and 19 and only for the process they own. A process with a higher priority gets more process time ("it is more often executed") then the one with a lower priority.
The niceness of a process may be set with the nice command at the time of creation. Later it can be adjusted with the renice command.
We use renice to modify priorities if a process uses to many resources. It requires an absolute priority.
The syntax is: renice priority [[-p] pid ...] [[-g] pgrp ...] [[-u] user ...]
-p -multiple access pid- symbolizes the PID -g – the parameters are interpreted as process group IDs pgrp – symbolizes the process group ID -u - the parameters are interpreted as user IDs or user names user -the process owner
$ renice +5 335 -u marko ivan -p 34 -changes the priority of the process IDs 335 and 34, and all processes of the users marko and ivan.
$ renice +1 -u marko – increases the priority value of all processes owned by a user named marko
$ renice +1 -g students - increases the priority value of all processes owned by a group called students
nice is a command that affects on the setting of priority and imports a priority increasement that it adds or substracts from the current shell priority. It reaches from -20 to 19. Whithout a command it writes out the actual scheduling priority.
The syntax is: nice [option] [command [arguments] ]
For example: $ nice – writes out the actual priority value. $ nice grep -increases the niceness value of the grep command by 10, because it's the default value $ nice -n 6 grep -increases the niceness value of the grep command by 6 and runs it $ nice -n -1 grep - decreases the niceness value of the grep command by -1 and runs it.
Job control applies to the facility to stop or resume the execution of a process by selection. The user uses an interactive interface presented by the system's terminal driver and Bash. In the meantime, it creates a table of all existing jobs, which can be listed with the jobs command. There are two types of processes depending on the current terminal process group ID. Processes whose process group ID is the same as the present terminal process group ID are foreground processes, while the process group ID from background processes is different from the termninals ID. Some other differences between these processes are that the foreground process is able to receive keyboard-generated signals( while background processes are not ) and that only foreground processes have the permittion to read from and write to the terminal. Backgroud processes can't read from and write to the terminal because the terminal sends them a SIGTTIN signal which they can't receive, so the process gets suspended. We use it when a job takes a lot of time, so we move it to the background and execute other commands while the one in the background is running.
bg -continues the suspended job in the background. We add the job specification after bg to point out which job will be continued in the background. If we skip the specification, the current job will be used. The return value will not be zero while it is running when job control is disabled, or while job control is enabled, but the job specification cannot be found or classifies a job started without job control. The syntax is: bg [jobspecification] bg %2 -replaces job 2 to the background fg -continues the job in the forderground and makes it the present job. If we don't add the job specification, the current job will be used. It returns the value of the command in the forderground. The return value can be non-zero if it's run while job control is disabled, or when job control is enabled and the job specification is representing a job that was started without job control or isn't even representing a valid job. The sitax is: fg [jobspecification] For example: fg %2 – replaces job 2 to the foreground
The syntax is: jobs[options] [jobspecification] jobs -x command [arguments] If the job specification is entered, the output is limited on information about the specified job. If it's not entered, it is going to list the status of all jobs.
$ jobs -prints all jobs
Some options are:
-l -shows the usual information + the process IDs -n -shows the information only for jobs that have changed their status from the last users checking of the status -p –shows the ID of the group leader of the job's process -r -limits the outputs of running jobs -s -limits the outputs of stopped jobs -x -the job ID found in arguments or commands is replaced with the apropriate process group ID, then the command is executed and arguments are added to it
% - we use it to identify a job with the job number(it has to be infront of the number) . It replaces the job name.
For example: '%12' -signifies job number 12. /home/marina# kill %2 -we kill job number 2. '%?reg' – signifies any job that consists the string 'reg'. '%-' -signifies the previous job. '%+' -signifies a current job.
command & - starts a job instantly in the background
There are some shortcuts we can use too, while running a job. For example ctrl -c terminates a job and ctrl -z suspends a job.
/proc and /sys File Systems
Written by Marina Miler.
The /proc file system is a virtual file system that contains information about the system that are used by many programs(for example: top) . The word "virtual" indicates that the directory does not occupy any space on the hard drive. The /proc file system also contains a lot of information about your hardware. The /proc/sys subdirectory permits the changing of the parameters within kernel. If you want to change a value, you just have to echo that value into the file. This is possible only if you're root. The /proc directories include a lot of directories whose names are numbers. They are called process directories and they contain information about all processes that are currenty running. If you are not root, you can write out only information about the processes you started. If the process is terminated, its /proc process directory disappears. Every directory includes the same entries. Some of the entries are: status, cwd, environ, root, cmdline, maps, exe.
Status- includes a big number of information about the processes: the executable's name, the PID, PPID, UID, GID, memory usage...
cwd- means "current working directory". It is called that way because it's a soft link to the current working directory.
environ- it includes all evironmental variables that are defined for the process.
root -it is a soft link to the root directory that is used by the process.
cmdline –it is a unformatted file that contains the whole command line used to summon the processes.
maps –when you display the containment of this named pipe, parts the process' address space which are mapped to a file at the moment get visible.
exe -a soft link to the exe file matching the process being run.
ABOUT THE HARDWARE
The /proc file system contains information about the hardware of the machine, too. Some files which contain these information are:
cpuinfo -it contains information about the CPU.
apm -shows the capacity of your battery if you have a laptop.
meminfo -it includes information about the memory usage.
bus -shows information about the peripherals connected to the certain machine.
modules -shows a listing of modules that are used by the kernel in that moment.
acpi – contains some information that can be important for laptops. For example: button – ensures the control of actions with buttons like power, sleep .. battery – writes out the number of batteries in the laptop and their current condition thermal zone – tells you how hot your processor gets fan -shows you the current condition of fans on your machine. Control options may differ from one processor to another.
The subdirectory reports different kernel parameters and authorizes you to change them and write into them if you are root. Some uses of it are:
-prevent IP spoofing -spoofing makes you think that a package is coming from your interface(but it's coming from the outside). You have to use this command: $ echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter
-allow routing You have to use this command: $ echo 1 >/proc/sys/net/ipv4/ip_forward
It is a command that shows the information about all PCI buses and the peripherals connected to them. You have to have Linux kernel 2.1.82 or a newer version if you want to use this command. If you don't have one this vesions the PCI utilities will be available just for root.
The syntax is: lspci [options] Some options are:
-n -displays the vendor and device codes as numbers -v -it orders lspci to display detailed information about all devices.V stands for verbose. -vv -displays a very big number of information about the devices.Vv stands for very verbose. -x - displays a hexadecimal listing of the first 64 bytes of the PCI configuration space .
dmesg means display message and is a command that displays the message buffer of the kernel. It "gets " the data by reading the kernel ring buffer and it can be helpful while troubleshooting to get information about the hardware. The syntax is: dmesg [options] .Without using any options it displays all kernel messages. Using any options with dmesg is very seldom. For example: dmesg | less - it gives us a better overview of the displayed information.
It is a command that displays the information about all USB devices in the system and the peripherals that are connected to them. The sytax is: lsusb [ options ]. Some of the options are:
-v –writes out detailed information about the devices.V stands for verbose. -t- displays the USB device as a tree -d -displays just the devices with the vendor and product ID
THIS DOCUMENTATION IS IN DRAFT STAGE AND NEEDS TO BE DEVELOPED.