<a href="https://colab.research.google.com/github/KenYew/sre-notes/blob/main/linux_internals.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# 💻 Linux Internals
<img src="https://drive.google.com/uc?id=19SBbf-eijcZqvPqigYUKV_A5iNnUC-1q" align="middle" width="500px"/>

---
## 🍿 Kernel Mode versus User Mode

1. In user mode, CPU can access only memory that is marked as user space; attempts to access memory in kernel space result in hardware exception. 
1. In kernel mode, CPU can access both user and kernel memory space. 
1. This ensures that user processes are not able to access the instructions and data structures of the kernel, or perform operations that would adversely affect the operation of the system. 

---
## ⚡️ Processes

### 📖 **Introduction**

<img src="https://drive.google.com/uc?id=1uUcB-YbibkEl-Sazo38PdzXkrO0sApEs" align="middle" width="500px"/>

* An instance of an executing program. 
* When a program is executed, the kernel:
    1. Loads the code of the program into virtual memory
    2. Allocates space for program variables 
    3. Sets up kernel bookkeeping data structures to record info about the process (PID, UID, GID, termination status)
* Process is logically decided into the following segments:
    1. **Text**: instructions of program
    2. **Data**: static variables used by program
    3. **Heap**: area which programs can dynamically allocate extra memory 
    4. Stack: memory that grows and shrinks as functions are called and return. It also allocated storage for local variables and function call linkage info. 

### 🌱 **Process creation and program execution**

1. Parent process executes the `fork()` system call.
1. This duplicates the parent process to create a child process. 
1. Child inherits copies of parent’s data, stack and heap segments (text is shared between both parent and child) 
1. Child process executes the `exec()` system call to execute an entirely new program. 
1. `exec()` destroys existing text, data, stack and heap segments, replacing them with new segments based on source code of program. 

### ❌ **Process termination and termination status**

1. When a child process completed its execution, it will send `SIGCHLD` to its parent. 
1. Parent process sends a `wait()` system call that reads the child’s exit status. 
1. After receiving `wait()` system call, the child’s entry is removed from the process table. 

### **🧟‍♀️ Cause of Zombie Processes**

1. Parent may ignore the SIGCHLD causing finished child processes to still exist in the process table making them zombie processes. 
1. Dead zombie processes have freed up its resources for others (e.g.: CPU, memory) but if a large number of zombie processes exist, the system will run out of PIDs in the process table. 

<img src="https://drive.google.com/uc?id=1lsnq6pZ4zMeo4_O3-rQjRqoTnUy4IpXi" align="middle" width="500px"/>

### 🧟‍♂️ **Zombie process termination**

1. Send a SIGCHLD signal to the parent process of a zombie using: 
    `kill -s SIGCHLD`
2. Parent process sends a `wait()` system call which removes the child zombie process from the process table.
3. If zombie processes are not removed, kill its parent process or restart the service using:
   `kill -9`
4. When parent is killed, all its children will become child process of init process `PID 1`. 
5. Init process sends a `wait()` system call which removes the child zombie processes. 

### 🥇 **Init Process**

1. Mother of all processes with PID 1. All processes are created by init using fork( ). 
2. Its main task is to create and monitor a range of processes required by a running system. 

### 😈 **Daemon Process**

A special-purpose process created and handled by the system with the below special characteristics:
* **Long lived.** It is often started at system boot and remains in existence until system shuts down. 
* **Runs in the background and not interactive in terminal.** It has no controlling terminal that reads input or write outputs. 
* Examples: syslogd - records messages in the system log. httpd - served web pages via HTTP

---
## 🚦 Signals

### 📖 **Introduction**

* An interprocess communication. Signals are sent to a process by the kernel, by another process. 
* Kernel may send a signal to a process when:
    1. User typed the interrupt character (CTRL+C) on the keyboard 
    2. One of the process’s children had terminated 
    3. A timer set to the process has expired
    4. Process attempted to access an invalid memory address 

|Name |Command |
|:--|:--|
| Signal for interprocess communication |	A Kernel notify a process that some condition has occurred.
|kill -l|	List all signals|
|Critical signals|	The signals SIGKILL and SIGSTOP cannot be caught, blocked, or ignored.|
|SIGKILL, SIGTERM|	Send kill signal to a given process. kill -term \$pid, kill -9 \$pid|
|SIGHUP|	Reload or restart a process. kill -HUP $pid|
|SIGHUP|	Terminal warns dependent processes of logout|
|SIGINT|	Users wish to interrupt the process|
|SIGCHILD|	When a child process terminates, instruct OS to cleanup the resource|
|SIGSTOP|	Suspend a process|
|SIGALRM|	|
|SIGUSR1, SIGUSR2|	User defined signals|
|SIGSTOP vs SIGTSTP|	SIGSTOP can’t be ignored by the targetted process, but SIGTSTP can|
|What happens, when pressing Ctrl-C|	Kernal translates the ASCII character(^C) to SIGINT signal|

### 🚨 **SIGTERM 15**

1. SIGTERM signal is safest way to kill the process. 
1. It instructs the process to terminate and gives the programs or services time to wrap things up before be shutdown such as writing to log files or closing opened connections that were created by the process.

### 🚨 **SIGKILL 9**

1. SIGKILL signal is an unsafe way for killing a process because it ends process without saving anything.
1. This signal is sent by a process in order to terminate the receiving process immediately. 
1. This means that the termination is abnormal and not graceful. 
1. This signal is used in cases where a process hangs or is to be terminated immediately. 
1. For example, this signal is used by OS kernel sometimes when the system is shutdown.

### 🚨 **SIGSTOP**

1. Sent by a process in order to halt a program so that it can be debugged. 
1. Suppose if the programs were given the capability of handling this signal and a program accidentally chooses to ignore this signal, then that program cannot be debugged ever.

### 🚨 **SIGCHLD**

When a child process created by a parent process ends, the child:
1. Sends a SIGCHLD signal to the parent process to indicate that the child process has ended
1. Saves the exit status of the child process so that the parent process can identify which child process (by process ID) ended and its exit status.

---
### 🛑 **Interrupts** 

1. An interrupt is an event that alters the normal execution flow of a program and can be generated by hardware devices or even by the CPU itself. 
1. When an interrupt occurs the current flow of execution is suspended and interrupt handler runs. 
1. After the interrupt handler runs the previous execution flow is resumed.

1. Interrupts can be grouped into two categories based on the source of the interrupt. 
    * **Synchronous:** Generated by executing an instruction. Synchronous interrupts, usually named exceptions, handle conditions detected by the processor itself in the course of executing an instruction. Divide by zero or a system call are examples of exceptions.

    * **Asynchronous:** Generated by an external event. Asynchronous interrupts, usually named interrupts, are external events generated by I/O devices. For example a network card generates an interrupts to signal that a packet has arrived.
1. Most interrupts are maskable, which means we can temporarily postpone running the interrupt handler when we disable the interrupt until the time the interrupt is re-enabled. However, there are a few critical interrupts that can not be disabled/postponed.


---
## 🧵 Threads

1. A set of processes that share the same virtual memory.
1. Each process can have multiple threads of execution. 
1. Each thread executes the same program code and shared the same data area and heap. 
1. Threads communicate with each other using global variables they share and interprocess communication (signals). 
1. Makes it easy to share data (global variables) between threads and takes advantage of parallel processing on multiprocessor hardware. 

---
### ❓ What is the difference between processes and threads?

| No. |	Process	| Thread
|:--|:--|:--|
|1.|	Process means any program in execution.	|Thread means a segment of a process.
|2.|	The process takes more time to terminate.|	The thread takes less time to terminate.
|3.|	It takes more time for creation.|	It takes less time for creation.
|4.|	It also takes more time for context switching.|	It takes less time for context switching.
|5.	|The process is less efficient in terms of communication.	|Thread is more efficient in terms of communication.
|6.| 	Multiprogramming holds the concepts of multi-process.	|We don’t need multi programs in action for multiple threads because a single process consists of multiple threads.
|7.|	The process is isolated.	|Threads share memory.
|8.|	The process is called the heavyweight process.|	A Thread is lightweight as each thread in a process shares code, data, and resources.
|9.|	Process switching uses an interface in an operating system.	|Thread switching does not require calling an operating system and causes an interrupt to the kernel.
|10.|	If one process is blocked then it will not affect the execution of other processes| 	If a user-level thread is blocked, then all other user-level threads are blocked. 
|11.|	The process has its own Process Control Block, Stack, and Address Space.|	Thread has Parents’ PCB, its own Thread Control Block, and Stack and common Address space.
|12.|	Changes to the parent process do not affect child processes.	|Since all threads of the same process share address space and other resources so any changes to the main thread may affect the behavior of the other threads of the process.

---
## 🗂 Linux Filesystems

### 📂 **/proc**

<img src="https://drive.google.com/uc?id=19HJsqY20-d2cnK3Hbnm7-CoM01N13Yz8" align="middle" width="500px"/>

**Summary**
1. A virtual file system that provides an interface to kernel data structures in a form that looks like files and directories on a file system. 
    * /proc is said to be virtual because the files and subdirectories within do not reside on disk but are created "on the fly" in memory as processes access them.
2. It is also a set of directories with names of the form `/proc/PID` allowing us to view information about each running process. 
3. Consists of `/proc` files generally in human readable text and parsable by shell scripts. 

**Per-process files via `/proc/PID`**

* Each process on the system is provided a corresponding directory called `/proc/PID` by the kernel. The files and subdirectories within contain information about the process such as:

| File |  Description (process attribute) |
|:--|:--|
|/proc/\$pid/cmdline| Holds the complete command line for the process
|/proc/\$pid/cwd| Symbolic link to the process' current working directory
|/proc/\$pid/environ| Contains the initial environment that was set when the program started
|/proc/\$pid/exe| Symbolic link to the path of the file that was executed
|/proc/\$pid/fd| Subdirectory for listing files that have been opened by the process
|/proc/\$pid/io| Contains I/O statistics for the process
|/proc/\$pid/limits| Displays the process resource limit
|/proc/\$pid/maps| Currently mapped memory regions and access permissions
|/proc/\$pid/mem| Process virtual memory (must `seek()` to valid offset before I/O)
|/proc/\$pid/mounts|Mount points for this process
|/proc/\$pid/root|Symbolic link to root directory
|/proc/\$pid/status|Various information (e.g., process IDs, credentials, memory usage, signals)
|/proc/\$pid/stack| Trace of function calls in the process' kernel stack
|/proc/\$pid/stat| Status information about the process
|/proc/\$pid/task| Directory that contains thread information

**System-wide files via `/proc`**

* Various files and subdirectories under `/proc` provide access to system-wide information.

| File |  Description (process attribute) |
|:--|:--|
|/proc/cmdline| Arguments passed to the Linux kernel during boot time
|/proc/cpuinfo| CPU-related information
|/proc/meminfo| Memory usage statistics
|/proc/filesystems| Listing of filesystems supported by the kernel
|/proc/modules| Kernel modules that are currently loaded
|/proc/partitions| Information about each partition on the system
|/proc/swaps| Information about swap space on the system
|/proc/self| Directory refers to the process accessing the /proc filesystem
|/proc/slabinfo| Information about kernel caches
|/proc/sys| Various files and sub-directories about kernel variables





---
## 📞 System Calls

1. A controlled entry point into the kernel allowing a process to request the kernel to perform some action on the process’s behalf. 
2. System calls changes the processor system from user mode to kernel mode so CPU can access protected kernel memory. 

<img src="https://drive.google.com/uc?id=1AsTYDcOG6NhWRrsSjKw7CEauXFV6f0tw" align="middle" width="500px"/>

| Factors for Differentiation	|fork()| exec()
|:--|:--|:--|
|Invoking|	`fork()` creates a new duplicate child process of the process that invoked `fork()`	|`exec()` replaces a process that invokes it with a new process provided in its parameter.
|Process id|	The child process and parent process have unique process id. 	|The new process and the replaced process have the same process id.
|Execution|	The parent and child process start simultaneous execution from the instruction just after `fork()`.	|The currently running process is terminated and the `exec()` start execution of the new process from its entry point.
|Arguments|	No arguments are passed to `fork()` system call.	|Basically, three or more arguments are passed to the `exec()` system call.
|Format|	`Pid=fork();`	|`exec(cont char *filename, char* const argv[], char* const envp[])`

### 🍴 `fork()`

1. The `fork()` system call allows one process, the parent, to create a new process, the child. 
1. This is done by making the new child process an (almost) exact duplicate of the parent: the child obtains copies of the parent’s stack, data, heap, and text segments (Section 6.3). 
1. The term fork derives from the fact that we can envisage the parent process as dividing to yield two copies of itself.

### ⚡ `exec()`

1. The `execve(pathname, argv, envp)` system call loads a new program (pathname, with argument list argv, and environment list envp) into a process’s memory. 
1. The existing program text is discarded, and the stack, data, and heap segments are freshly created for the new program. 
1. This operation is often referred to as execing a new program. Later, we’ll see that several library functions are layered on top of `execve()`, each of which provides a useful variation in the programming interface. 
1. Where we don’t care about these interface variations, we follow the common convention of referring to these calls generically as `exec()`, but be aware that there is no system call or library function with this name.

### ✋ `wait()` 
* The wait system call has two purposes. First, if a child of this process has not yet terminated by calling `exit()`, then `wait()` suspends execution of the process until one of its children has terminated. 
* Second, the termination status of the child is returned in the status argument of `wait()`.

The `wait()` system call waits for one of the children of the calling process to terminate and returns the termination status of that child in the buffer pointed to by status.
The `wait()` system call does the following:

1. If no (previously unwaited-for) child of the calling process has yet terminated, the call blocks until one of the children terminates. If a child has already terminated by the time of the call, `wait()` returns immediately.

2. If status is not NULL, information about how the child terminated is returned in the integer to which status points. We describe the information returned in status in Section 26.1.3.

3. The kernel adds the process CPU times (Section 10.7) and resource usage statistics (Section 36.1) to running totals for all children of this parent process.

4. As its function result, `wait()` returns the process ID of the child that has terminated.

### 🏃 `exit()`
1. The exit(status) library function terminates a process, making all resources (memory, open file descriptors, and so on) used by the process available for subsequent reallocation by the kernel. 
1. The status argument is an integer that determines the termination status for the process. Using the `wait()` system call, the parent can retrieve this status.

---
## 🗃 File Structures

### 🔏 **File Permissions**

<img src="https://drive.google.com/uc?id=1iC_w-744cH91tMcyWTBtjTLvsKgPgpQ0" align="middle" width="400px"/>







---
### 🥎 **Soft Link Files**
1. In Linux, a soft link, also known as a symbolic link, is a special sort of file that points at a different file. 
    * In Windows vocabulary, you could think of it like a shortcut. 
1. Because the connection is a logical one, and not a duplication, soft links can point at entire directories or link to files on remote computers. Hard links cannot do this.

### 🧱 **Hard Link Files**
1. In Linux, a hard link is equivalent to a file stored in the hard drive – and it actually references or points to a spot on a hard drive. 
1. A hard link is a mirror copy of the original file. The distinguishing characteristic of a hard link from a soft link is that deleting the original file doesn't affect a hard link, while it renders a soft link inoperable.



---
### 📚 **Inodes**

<img src="https://drive.google.com/uc?id=12w9YXlsEnUu7yq-SWJf4X6U7xBGFMNsL" align="middle" width="600px"/>

1. A data structure storing the properties of a file or directory. 
2. The following information is stored in inode:
    * **File type**: regular file, directory, pipe etc.
    * **Permissions** to that file: read, write, execute
    * **Link count**: The number of hard link relative to an inode
    * **User ID**: owner of file
    * **Group ID**: group owner
    * **Size of file**: or major/minor number in case of some special files
    * **Time stamp**: access time, modification time and (inode) change time
    * **Attributes**: immutable' for example
    * **Access control list**: permissions for special users/groups
    * Link to location of file
    * Other metadata about the file
3. `ls command` is used to list file and directories information. The `-i` option with ls displays the inode number of each file. First column gives the inode number. 

---
### ❓How do you delete a file with special characters?
1. `ls -i` to list the inode number of file with special characters (e.g.: `"ab*`)
```bash
>> 1448239 "ab*
```
1. Then, run `find . -inum 1448239 -exec rm -i {} \`
    * We used the `find` command to specify the Inode number of the file to delete

---
## 🧠 Memory

### 💾 **Virtual memory versus swap space**

<img src="https://drive.google.com/uc?id=15kd6Anqa-CH2qfWfs2pwlI4xLRlWrrVI" align="middle" width="700px"/>

<img src="https://drive.google.com/uc?id=1vL_K7O_vkI2m_Ue3s1SAMmt27vxf8jcP" align="middle" width="750px"/>

---
## ⌨️ Command Line

### ❓**What exactly happens when you type “ls” into the shell?**

**Brief Explanation** 
1. When you run ‘ls’ the shell searches in its path for an executable named ‘ls’ in /bin/ls
1. When it finds it, the shell will forks off a copy of itself using the `fork()` system call. 
1. If the fork succeeds, then in the child process the shell will run ‘exec /bin/ls’ which will replace the copy of the child shell with itself. 
1. Any parameters that are passed to ‘ls’ are done so by exec.

**Detailed Explanation**

*Step 1: `Find executable binary`*
1. The shell reads what you have typed using the `getline()` function and tokenizes the line using the  `strtok()` function.
1. It also checks if the first token of `ls` is a Shell `alias` or not. 
1. If the command is not a built-in (internal) function, the shell will find the `PATH` variable in the directory where it holds the absolute paths for all the executable binary files.
*Step 2: `fork()`*
1. Once it finds the binary for `ls` located at `/bin/ls`, the program is loaded in memory and a system call `fork()` is made. 
1. This creates the child process `ls` and the shell will be the parent process. 
1. `fork()` returns `0` to the child process so it knows it has to act as a child and returns the PID of the child to the parent process (e.g. the shell).

*Step 3: `execve()`*
1. Next, the `ls` process executes the system call `execve()` that provides a new address space with the program to run.
1. Now, `ls` can start running its program. The `ls` utility uses a function to read the directories and files from the disk by consulting the underlying filesystem’s inode entries.

*Step 4: `exit()`*
1. Once the `ls` process has finished executing, it will perform the `exit()` system call with an integer `0` that denotes a normal execution and the kernel will free up its resources.
    * Note: you can use strace `ls` to dig deeper into the system calls

---
# 🛠 Linux Troubleshooting

---
## 💿 Disk Management

### ❓**What to do when a Linux system is running out of available inodes?**

1. If there are free available storage but the error “no space left on device”keeps showing, this is due to inode saturation where there is insufficient space left in the inode table. 
1. Determine where all your inodes are being spent. Often they’re being consumed by millions of small files created by a misconfigured system
1. Run the following command to identify the directory and system that’s using all your inodes: 
`du --inodes -d 3 /  | sort -n | tail`
1. Or start cleaning out unexpected files (e.g.: ton of cache files)
1. Or reformat the disk and assign more of the disk to maintain the inodes table