Learn how Linux file system works!
Linux System Admin Guide- What is Linux Operating System and how it works
Linux System Admin Guide- What are Directory Tree and Filesystem Hierarchy in Linux
Linux System Admin Guide- Introduction to Linux File Systems for System Admins
Linux System Admin Guide- Overview of Linux Virtual Memory and Disk Buffer Cache
Linux System Admin Guide- Best Practices for Monitoring Linux Systems
Linux System Admin Guide- Best Practices for Performing Linux Boots and Shutdowns
Linux System Admin Guide- Best Practices for Making and Managing Backup Operations
How Linux Operating System Memory Management works
Comprehensive Review of Linux Kernel Operating System Processes
Comprehensive Review of Linux File System Architecture and Management
What are mechanisms behind Linux Kernel task management
How Linux Kernel Sources and Functions work
Comprehensive look at how Linux Data Structures work
Introduction to Linux and Shell programming
Introduction to Linux System Administration
Comprehensive list of all Linux OS distributions
Comprehensive list of all special purpose Linux distributions
Comprehensive list of all secure Linux distributions for cybersecurity professionals
/proc is very special in that it is also a virtual filesystem. It's sometimes referred to as a process information pseudo-file system. It doesn't contain 'real' files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc). For this reason it can be regarded as a control and information centre for the kernel. In fact, quite a lot of system utilities are simply calls to files in this directory. For example, 'lsmod' is the same as 'cat /proc/modules' while 'lspci' is a synonym for 'cat /proc/pci'. By altering files located in this directory you can even read/change kernel parameters (sysctl) while the system is running.
The most distinctive thing about files in this directory is the fact that all of them have a file size of 0, with the exception of kcore, mtrr and self. A directory listing looks similar to the following:
total 525256 dr-xr-xr-x 3 root root 0 Jan 19 15:00 1 dr-xr-xr-x 3 daemon root 0 Jan 19 15:00 109 dr-xr-xr-x 3 root root 0 Jan 19 15:00 170 dr-xr-xr-x 3 root root 0 Jan 19 15:00 173 dr-xr-xr-x 3 root root 0 Jan 19 15:00 178 dr-xr-xr-x 3 root root 0 Jan 19 15:00 2 dr-xr-xr-x 3 root root 0 Jan 19 15:00 3 dr-xr-xr-x 3 root root 0 Jan 19 15:00 4 dr-xr-xr-x 3 root root 0 Jan 19 15:00 421 dr-xr-xr-x 3 root root 0 Jan 19 15:00 425 dr-xr-xr-x 3 root root 0 Jan 19 15:00 433 dr-xr-xr-x 3 root root 0 Jan 19 15:00 439 dr-xr-xr-x 3 root root 0 Jan 19 15:00 444 dr-xr-xr-x 3 daemon daemon 0 Jan 19 15:00 446 dr-xr-xr-x 3 root root 0 Jan 19 15:00 449 dr-xr-xr-x 3 root root 0 Jan 19 15:00 453 dr-xr-xr-x 3 root root 0 Jan 19 15:00 456 dr-xr-xr-x 3 root root 0 Jan 19 15:00 458 dr-xr-xr-x 3 root root 0 Jan 19 15:00 462 dr-xr-xr-x 3 root root 0 Jan 19 15:00 463 dr-xr-xr-x 3 root root 0 Jan 19 15:00 464 dr-xr-xr-x 3 root root 0 Jan 19 15:00 465 dr-xr-xr-x 3 root root 0 Jan 19 15:00 466 dr-xr-xr-x 3 root root 0 Jan 19 15:00 467 dr-xr-xr-x 3 gdm gdm 0 Jan 19 15:00 472 dr-xr-xr-x 3 root root 0 Jan 19 15:00 483 dr-xr-xr-x 3 root root 0 Jan 19 15:00 5 dr-xr-xr-x 3 root root 0 Jan 19 15:00 6 dr-xr-xr-x 3 root root 0 Jan 19 15:00 7 dr-xr-xr-x 3 root root 0 Jan 19 15:00 8 -r--r--r-- 1 root root 0 Jan 19 15:00 apm dr-xr-xr-x 3 root root 0 Jan 19 15:00 bus -r--r--r-- 1 root root 0 Jan 19 15:00 cmdline -r--r--r-- 1 root root 0 Jan 19 15:00 cpuinfo -r--r--r-- 1 root root 0 Jan 19 15:00 devices -r--r--r-- 1 root root 0 Jan 19 15:00 dma dr-xr-xr-x 3 root root 0 Jan 19 15:00 driver -r--r--r-- 1 root root 0 Jan 19 15:00 execdomains -r--r--r-- 1 root root 0 Jan 19 15:00 fb -r--r--r-- 1 root root 0 Jan 19 15:00 filesystems dr-xr-xr-x 2 root root 0 Jan 19 15:00 fs dr-xr-xr-x 4 root root 0 Jan 19 15:00 ide -r--r--r-- 1 root root 0 Jan 19 15:00 interrupts -r--r--r-- 1 root root 0 Jan 19 15:00 iomem -r--r--r-- 1 root root 0 Jan 19 15:00 ioports dr-xr-xr-x 18 root root 0 Jan 19 15:00 irq -r-------- 1 root root 536809472 Jan 19 15:00 kcore -r-------- 1 root root 0 Jan 19 14:58 kmsg -r--r--r-- 1 root root 0 Jan 19 15:00 ksyms -r--r--r-- 1 root root 0 Jan 19 15:00 loadavg -r--r--r-- 1 root root 0 Jan 19 15:00 locks -r--r--r-- 1 root root 0 Jan 19 15:00 mdstat -r--r--r-- 1 root root 0 Jan 19 15:00 meminfo -r--r--r-- 1 root root 0 Jan 19 15:00 misc -r--r--r-- 1 root root 0 Jan 19 15:00 modules -r--r--r-- 1 root root 0 Jan 19 15:00 mounts -rw-r--r-- 1 root root 137 Jan 19 14:59 mtrr dr-xr-xr-x 3 root root 0 Jan 19 15:00 net dr-xr-xr-x 2 root root 0 Jan 19 15:00 nv -r--r--r-- 1 root root 0 Jan 19 15:00 partitions -r--r--r-- 1 root root 0 Jan 19 15:00 pci dr-xr-xr-x 4 root root 0 Jan 19 15:00 scsi lrwxrwxrwx 1 root root 64 Jan 19 14:58 self -> 483 -rw-r--r-- 1 root root 0 Jan 19 15:00 slabinfo -r--r--r-- 1 root root 0 Jan 19 15:00 stat -r--r--r-- 1 root root 0 Jan 19 15:00 swaps dr-xr-xr-x 10 root root 0 Jan 19 15:00 sys dr-xr-xr-x 2 root root 0 Jan 19 15:00 sysvipc dr-xr-xr-x 4 root root 0 Jan 19 15:00 tty -r--r--r-- 1 root root 0 Jan 19 15:00 uptime -r--r--r-- 1 root root 0 Jan 19 15:00 version
Each of the numbered directories corresponds to an actual process ID. Looking at the process table, you can match processes with the associated process ID. For example, the process table might indicate the following for the secure shell server:
# ps ax | grep sshd 439 ? S 0:00 /usr/sbin/sshd
Details of this process can be obtained by looking at the associated files in the directory for this process, /proc/460. You might wonder how you can see details of a process that has a file size of 0. It makes more sense if you think of it as a window into the kernel. The file doesn't actually contain any data; it just acts as a pointer to where the actual process information resides. For example, a listing of the files in the /proc/460 directory looks similar to the following:
total 0 -r--r--r-- 1 root root 0 Jan 19 15:02 cmdline lrwxrwxrwx 1 root root 0 Jan 19 15:02 cwd -> / -r-------- 1 root root 0 Jan 19 15:02 environ lrwxrwxrwx 1 root root 0 Jan 19 15:02 exe -> /usr/sbin/sshd dr-x------ 2 root root 0 Jan 19 15:02 fd -r--r--r-- 1 root root 0 Jan 19 15:02 maps -rw------- 1 root root 0 Jan 19 15:02 mem lrwxrwxrwx 1 root root 0 Jan 19 15:02 root -> / -r--r--r-- 1 root root 0 Jan 19 15:02 stat -r--r--r-- 1 root root 0 Jan 19 15:02 statm -r--r--r-- 1 root root 0 Jan 19 15:02 status
The purpose and contents of each of these files is explained below:
Command line arguments.
Current and last cpu in which it was executed.
Link to the current working directory.
Values of environment variables.
Link to the executable of this process.
Directory, which contains all file descriptors.
Memory maps to executables and library files.
Memory held by this process.
Link to the root directory of this process.
Process memory status information.
Process status in human readable form.
Should you wish to know more, the man page for proc describes each of the files associated with a running process ID in far greater detail.
Even though files appear to be of size 0, examining their contents reveals otherwise:
# cat status
Name: sshd State: S (sleeping) Tgid: 439 Pid: 439 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: VmSize: 2788 kB VmLck: 0 kB VmRSS: 1280 kB VmData: 252 kB VmStk: 16 kB VmExe: 268 kB VmLib: 2132 kB SigPnd: 0000000000000000 SigBlk: 0000000000000000 SigIgn: 8000000000001000 SigCgt: 0000000000014005 CapInh: 0000000000000000 CapPrm: 00000000fffffeff CapEff: 00000000fffffeff
The files in the /proc directory act very similar to the process ID subdirectory files. For example, examining the contents of the /proc/interrupts file displays something like the following:
# cat interrupts
CPU0 0: 32657 XT-PIC timer 1: 1063 XT-PIC keyboard 2: 0 XT-PIC cascade 8: 3 XT-PIC rtc 9: 0 XT-PIC cmpci 11: 332 XT-PIC nvidia 14: 5289 XT-PIC ide0 15: 13 XT-PIC ide1 NMI: 0 ERR: 0
Each of the numbers down the left-hand column represents the interrupt that is in use. Examining the contents of the file dynamically gathers the associated data and displays it to the screen. Most of the /proc file system is read-only; however, some files allow kernel variable to be changed. This provides a mechanism to actually tune the kernel without recompiling and rebooting.
The procinfo utility summarizes /proc file system information into a display similar to the following:
Linux 2.4.18 (root@DEB) (gcc 2.95.4 20011002 ) #2 1CPU [DEB.(none)] Memory: Total Used Free Shared Buffers Cached Mem: 513908 107404 406504 0 2832 82180 Swap: 265032 0 265032 Bootup: Sun Jan 19 14:58:27 2003 Load average: 0.29 0.13 0.05 1/30 566 user : 0:00:10.26 2.3% page in : 74545 disk 1: 6459r 796w nice : 0:00:00.00 0.0% page out: 9416 disk 2: 19r 0w system: 0:00:19.55 4.5% swap in : 1 idle : 0:06:48.30 93.2% swap out: 0 uptime: 0:07:18.11 context : 22059 irq 0: 43811 timer irq 9: 0 cmpci irq 1: 1427 keyboard irq 11: 332 nvidia irq 2: 0 cascade  irq 12: 2 irq 6: 2 irq 14: 7251 ide0 irq 8: 3 rtc irq 15: 83 ide1
Advanced power management info.
Directory containing bus specific information.
Kernel command line.
Information about the processor, such as its type, make, model, and performance.
List of device drivers configured into the currently running kernel (block and character).
Shows which DMA channels are being used at the moment.
Various drivers grouped here, currently rtc
Execdomains, related to security.
Frame Buffer devices.
Filesystems configured/supported into/by the kernel.
File system parameters, currently nfs/exports.
This subdirectory contains information about all IDE devices of which the kernel is aware. There is one subdirectory for each IDE controller, the file drivers and a link for each IDE device, pointing to the device directory in the controller-specific subtree. The file drivers contains general information about the drivers used for the IDE devices. More detailed information can be found in the controller-specific subdirectories. These are named ide0, ide1 and so on. Each of these directories contains the files shown here:
IDE channel (0 or 1)
Configuration (only for PCI/IDE bridge)
Mate name (onchip partnered controller)
Type/Chipset of IDE controller
Each device connected to a controller has a separate subdirectory in the controllers directory. The following files listed are contained in these directories:
Capacity of the medium (in 512Byte blocks)
driver and version
physical and logical geometry
device identify block
IDE disk management thresholds
IDE disk management values
Shows which interrupts are in use, and how many of each there have been.
You can, for example, check which interrupts are currently in use and what they are used for by looking in the file /proc/interrupts:
# cat /proc/interrupts
CPU0 0: 8728810 XT-PIC timer 1: 895 XT-PIC keyboard 2: 0 XT-PIC cascade 3: 531695 XT-PIC aha152x 4: 2014133 XT-PIC serial 5: 44401 XT-PIC pcnet_cs 8: 2 XT-PIC rtc 11: 8 XT-PIC i82365 12: 182918 XT-PIC PS/2 Mouse 13: 1 XT-PIC fpu 14: 1232265 XT-PIC ide0 15: 7 XT-PIC ide1 NMI: 0
In 2.4 based kernels a couple of lines were added to this file LOC & ERR (this is the output of an SMP machine):
# cat /proc/interrupts
CPU0 CPU1 0: 1243498 1214548 IO-APIC-edge timer 1: 8949 8958 IO-APIC-edge keyboard 2: 0 0 XT-PIC cascade 5: 11286 10161 IO-APIC-edge soundblaster 8: 1 0 IO-APIC-edge rtc 9: 27422 27407 IO-APIC-edge 3c503 12: 113645 113873 IO-APIC-edge PS/2 Mouse 13: 0 0 XT-PIC fpu 14: 22491 24012 IO-APIC-edge ide0 15: 2183 2415 IO-APIC-edge ide1 17: 30564 30414 IO-APIC-level eth0 18: 177 164 IO-APIC-level bttv NMI: 2457961 2457959 LOC: 2457882 2457881 ERR: 2155
NMI is incremented in this case because every timer interrupt generates a NMI (Non Maskable Interrupt) which is used by the NMI Watchdog to detect lookups.
LOC is the local interrupt counter of the internal APIC of every CPU.
ERR is incremented in the case of errors in the IO-APIC bus (the bus that connects the CPUs in an SMP system. This means that an error has been detected, the IO-APIC automatically retries the transmission, so it should not be a big problem, but you should read the SMP-FAQ.
In this context it could be interesting to note the new irq directory in 2.4. It could be used to set IRQ to CPU affinity, this means that you can "hook" an IRQ to only one CPU, or to exclude a CPU from handling IRQs. The contents of the irq subdir is one subdir for each IRQ, and one file; prof_cpu_mask. For example,
# ls /proc/irq/ 0 10 12 14 16 18 2 4 6 8 prof_cpu_mask 1 11 13 15 17 19 3 5 7 9
# ls /proc/irq/0/ smp_affinity
The contents of the prof_cpu_mask file and each smp_affinity file for each IRQ is the same by default:
# cat /proc/irq/0/smp_affinity ffffffff
It's a bitmask, in which you can specify which CPUs can handle the IRQ, you can set it by doing:
# echo 1 > /proc/irq/prof_cpu_mask
This means that only the first CPU will handle the IRQ, but you can also echo 5 which means that only the first and fourth CPU can handle the IRQ. The way IRQs are routed is handled by the IO-APIC, and its Round Robin between all the CPUs which are allowed to handle it. As usual the kernel has more info than you and does a better job than you, so the defaults are the best choice for almost everyone.
Which I/O ports are in use at the moment.
Masks for irq to cpu affinity.
ISA PnP (Plug&Play) Info.
An image of the physical memory of the system (can be ELF or A.OUT (deprecated in 2.4)). This is exactly the same size as your physical memory, but does not really take up that much memory; it is generated on the fly as programs access it. (Remember: unless you copy it elsewhere, nothing under /proc takes up any disk space at all.)
Messages output by the kernel. These are also routed to syslog.
Kernel symbol table.
The 'load average' of the system; three indicators of how much work the system has done during the last 1, 5 & 15 minutes.
Information about memory usage, both physical and swap. Concatenating this file produces similar results to using 'free' or the first few lines of 'top'.
Miscellaneous pieces of information. This is for information that has no real place within the rest of the proc filesystem.
Kernel modules currently loaded. Typically its output is the same as that given by the 'lsmod' command.
Information regarding mtrrs. (On Intel P6 family processors (Pentium Pro, Pentium II and later) the Memory Type Range Registers (MTRRs) may be used to control processor access to memory ranges. This is most useful when you have a video (VGA) card on a PCI or AGP bus. Enabling write-combining allows bus write transfers to be combined into a larger transfer before bursting over the PCI/AGP bus. This can increase performance of image write operations 2.5 times or more. The Cyrix 6x86, 6x86MX and M II processors have Address Range Registers (ARRs) which provide a similar functionality to MTRRs. For these, the ARRs are used to emulate the MTRRs. The AMD K6-2 (stepping 8 and above) and K6-3 processors have two MTRRs. These are supported. The AMD Athlon family provide 8 Intel style MTRRs. The Centaur C6 (WinChip) has 8 MCRs, allowing write-combining. These are also supported. The VIA Cyrix III and VIA C3 CPUs offer 8 Intel style MTRRs.) For more details regarding mtrr technology see /usr/src/linux/Documentation/mtrr.txt.
Status information about network protocols.
UDP sockets (IPv6).
TCP sockets (IPv6).
Raw device statistics (IPv6).
IP multicast addresses, which this host joined (IPv6).
List of IPv6 interface addresses.
Kernel routing table for IPv6.
Global IPv6 routing tables statistics.
Socket statistics (IPv6).
Snmp data (IPv6).
Kernel ARP table.
network devices with statistics.
the Layer2 multicast groups which a device is listening to (interface index, label, number of references, number of bound addresses).
network device status.
Firewall chain linkage.
Firewall chain names.
Directory containing the masquerading tables.
Major masquerading table.
raw device statistics.
Kernel routing table.
Directory containing rpc info.
Token ring RIF routing table.
UNIX domain sockets.
Wireless interface data (Wavelan etc).
IP multicast addresses, which this host joined.
Global packet scheduler parameters.
List of PF_NETLINK sockets.
List of multicast virtual interfaces.
List of multicast routing cache.
You can use this information to see which network devices are available in your system and how much traffic was routed over those devices. In addition, each Channel Bond interface has its own directory. For example, the bond0 device will have a directory called /proc/net/bond0/. It will contain information that is specific to that bond, such as the current slaves of the bond, the link status of the slaves, and how many times the slaves link has failed.
The directory /proc/parport contains information about the parallel ports of your system. It has one subdirectory for each port, named after the port number (0,1,2,...).
Any IEEE-1284 device ID information that has been acquired.
list of the device drivers using that port. A + will appear by the name of the device currently using the port (it might not appear against any).
Parallel port's base address, IRQ line and DMA channel.
IRQ that parport is using for that port. This is in a separate file to allow you to alter it by writing a new value in (IRQ number or none).
Table of partitions known to the system
Depreciated info of PCI bus.
Real time clock
If you have a SCSI host adapter in your system, you'll find a subdirectory named after the driver for this adapter in /proc/scsi. You'll also see a list of all recognized SCSI devices in /proc/scsi. The directory named after the driver has one file for each adapter found in the system. These files contain information about the controller, including the used IRQ and the IO address range. The amount of information shown is dependent on the adapter you use.
A symbolic link to the process directory of the program that is looking at /proc. When two processes look at /proc, they get different links. This is mainly a convenience to make it easier for programs to get at their process directory.
The slabinfo file gives information about memory usage at the slab level. Linux uses slab pools for memory management above page level in version 2.2. Commonly used objects have their own slab pool (such as network buffers, directory cache, and so on).
Overall/various statistics about the system, such as the number of page faults since the system was booted.
Swap space utilization
This is not only a source of information, it also allows you to change parameters within the kernel without the need for recompilation or even a system reboot. Take care when attempting this as it can both optimize your system and also crash it. It is advisable to read both documentation and source before actually making adjustments. The entries in /proc may change slightly between kernel versions, so if there is any doubt review the kernel documentation in the directory /usr/src/linux/Documentation. Under some circumstances, you may have no alternative but to reboot the machine once an error occurs. To change a value, simply echo the new value into the file. An example is given below in the section on the file system data. Of course, you need to be 'root' to do any of this. You can create your own boot script to perform this every time your system boots.
Contains file system data. This subdirectory contains specific file system, file handle, inode, dentry and quota information.
Status of the directory cache. Since directory entries are dynamically allocated and deallocated, this file indicates the current status. It holds six values, in which the last two are not used and are always zero. The others are listed below:
File Content nr_dentry Almost always zero nr_unused Number of unused cache entries age_limit in seconds after the entry may be reclaimed, when memory is short want_pages internally
The file dquot-max shows the maximum number of cached disk quota entries.
shows the number of allocated disk quota entries and the number of free disk quota entries. If the number of available cached disk quotas is very low and you have a large number of simultaneous system users, you might want to raise the limit.
The kernel allocates file handles dynamically, but doesn't free them again at this time. The value in file-max denotes the maximum number of file handles that the Linux kernel will allocate. When you get a lot of error messages about running out of file handles, you might want to raise this limit. The default value is 4096. To change it, just write the new number into the file:
# cat /proc/sys/fs/file-max 4096 # echo 8192 > /proc/sys/fs/file-max # cat /proc/sys/fs/file-max 8192
This method of revision is useful for all customizable parameters of the kernel - simply echo the new value to the corresponding file.
The three values in file-nr denote the number of allocated file handles, the number of used file handles, and the maximum number of file handles. When the allocated file handles come close to the maximum, but the number of actually used handles is far behind, you've encountered a peak in your usage of file handles and you don't need to increase the maximum.
As with file handles, the kernel allocates the inode structures dynamically, but can't free them yet.
The value in inode-max denotes the maximum number of inode handlers. This value should be 3 to 4 times larger than the value in file-max, since stdin, stdout, and network sockets also need an inode struct to handle them. If you regularly run out of inodes, you should increase this value.
The file inode-nr contains the first two items from inode-state, so we'll skip to that file...
inode-state contains three actual numbers and four dummy values. The numbers are nr_inodes, nr_free_inodes, and preshrink (in order of appearance).
Denotes the number of inodes the system has allocated. This can be slightly more than inode-max because Linux allocates them one pageful at a time.
Represents the number of free inodes and preshrink is nonzero when nr_inodes is greater than inode-max and the system needs to prune the inode list instead of allocating more.
Again, super block structures are allocated by the kernel, but not freed. The file super-max contains the maximum number of super block handlers, where super-nr shows the number of currently allocated ones. Every mounted file system needs a super block, so if you plan to mount lots of file systems, you may want to increase these numbers.
This handles the kernel support for miscellaneous binary formats. binfmt_misc provides the ability to register additional binary formats to the kernel without compiling an additional module/kernel. Therefore, binfmt_misc needs to know magic numbers at the beginning or the filename extension of the binary. It works by maintaining a linked list of structs that contain a description of a binary format, including a magic with size (or the filename extension), offset and mask, and the interpreter name. On request it invokes the given interpreter with the original program as argument, as binfmt_java and binfmt_em86 and binfmt_mz do. Since binfmt_misc does not define any default binary-formats, you have to register an additional binary-format. There are two general files in binfmt_misc and one file per registered format. The two general files are register and status. To register a new binary format you have to issue the command echo :name:type:offset:magic:mask:interpreter: > /proc/sys/fs/binfmt_misc/register with appropriate name (the name for the /proc-dir entry), offset (defaults to 0, if omitted), magic, mask (which can be omitted, defaults to all 0xff) and last but not least, the interpreter that is to be invoked (for example and testing /bin/echo). Type can be M for usual magic matching or E for filename extension matching (give extension in place of magic). If you do a cat on the file /proc/sys/fs/binfmt_misc/status, you will get the current status (enabled/disabled) of binfmt_misc. Change the status by echoing 0 (disables) or 1 (enables) or -1 (caution: this clears all previously registered binary formats) to status. For example echo 0 > status to disable binfmt_misc (temporarily). Each registered handler has an entry in /proc/sys/fs/binfmt_misc. These files perform the same function as status, but their scope is limited to the actual binary format. By 'cating' this file, you also receive all related information about the interpreter/magic of the binfmt. An example of the usage of binfmt_misc (emulate binfmt_java) follows:
cd /proc/sys/fs/binfmt_misc echo ':Java:M::\xca\xfe\xba\xbe::/usr/local/java/bin/javawrapper:' > register echo ':HTML:E::html::/usr/local/java/bin/appletviewer:' > register echo ':Applet:M::<!--applet::/usr/local/java/bin/appletviewer:' > register echo ':DEXE:M::\x0eDEX::/usr/bin/dosexec:' < register
These four lines add support for Java executables and Java applets (like binfmt_java, additionally recognizing the .html extension with no need to put <!--applet> to every applet file). You have to install the JDK and the shell-script /usr/local/java/bin/javawrapper too. It works around the brokenness of the Java filename handling. To add a Java binary, just create a link to the class-file somewhere in the path.
This directory reflects general kernel behaviors and the contents will be dependent upon your configuration. Here you'll find the most important files, along with descriptions of what they mean and how to use them.
The file contains three values; highwater, lowwater, and frequency. It exists only when BSD-style process accounting is enabled. These values control its behavior. If the free space on the file system where the log lives goes below lowwater percentage, accounting suspends. If it goes above highwater percentage, accounting resumes. Frequency determines how often you check the amount of free space (value is in seconds). Default settings are: 4, 2, and 30. That is, suspend accounting if there is less than 2 percent free; resume it if we have a value of 3 or more percent; consider information about the amount of free space valid for 30 seconds
When the value in this file is 0, ctrl-alt-del is trapped and sent to the init program to handle a graceful restart. However, when the value is greater that zero, Linux's reaction to this key combination will be an immediate reboot, without syncing its dirty buffers. It should be noted that when a program (like dosemu) has the keyboard in raw mode, the ctrl-alt-del is intercepted by the program before it ever reaches the kernel tty layer, and it is up to the program to decide what to do with it.
These files can be controlled to set the NIS domainname and hostname of your box. For the classic darkstar.frop.org a simple: # echo "darkstar" > /proc/sys/kernel/hostname # echo "frop.org" > /proc/sys/kernel/domainname would suffice to set your hostname and NIS domainname. /proc/sys/kernel/osrelease, /proc/sys/kernel/ostype, /proc/sys/kernel/version The names make it pretty obvious what these fields contain: # cat /proc/sys/kernel/osrelease 2.2.12 # cat /proc/sys/kernel/ostype Linux # cat /proc/sys/kernel/version #4 Fri Oct 1 12:41:14 PDT 1999 The files osrelease and ostype should be clear enough. Version needs a little more clarification. The #4 means that this is the 4th kernel built from this source base and the date after it indicates the time the kernel was built. The only way to tune these values is to rebuild the kernel.
The value in this file represents the number of seconds the kernel waits before rebooting on a panic. When you use the software watchdog, the recommended setting is 60. If set to 0, the auto reboot after a kernel panic is disabled, which is the default setting.
The four values in printk denote * console_loglevel, * default_message_loglevel, * minimum_console_level and * default_console_loglevel respectively. These values influence printk() behavior when printing or logging error messages, which come from inside the kernel. See syslog(2) for more information on the different log levels.
Messages with a higher priority than this will be printed to the console.
Messages without an explicit priority will be printed with this priority.
Minimum (highest) value to which the console_loglevel can be set.
Default value for console_loglevel.
This file shows the size of the generic SCSI (sg) buffer. At this point, you can't tune it yet, but you can change it at compile time by editing include/scsi/sg.h and changing the value of SG_BIG_BUFF. If you use a scanner with SANE (Scanner Access Now Easy) you might want to set this to a higher value. Refer to the SANE documentation on this issue.
The location where the modprobe binary is located. The kernel uses this program to load modules on demand.
The files in this directory can be used to tune the operation of the virtual memory (VM) subsystem of the Linux kernel. In addition, one of the files (bdflush) has some influence on disk usage.
This parameter governs the maximum number of dirty buffers in the buffer cache. Dirty means that the contents of the buffer still have to be written to disk (as opposed to a clean buffer, which can just be forgotten about). Setting this to a higher value means that Linux can delay disk writes for a long time, but it also means that it will have to do a lot of I/O at once when memory becomes short. A lower value will spread out disk I/O more evenly.
Ndirty gives the maximum number of dirty buffers that bdflush can write to the disk at one time. A high value will mean delayed, bursty I/O, while a small value can lead to memory shortage when bdflush isn't woken up often enough.
This is the number of buffers that bdflush will add to the list of free buffers when refill_freelist() is called. It is necessary to allocate free buffers beforehand, since the buffers are often different sizes than the memory pages and some bookkeeping needs to be done beforehand. The higher the number, the more memory will be wasted and the less often refill_freelist() will need to run.
When refill_freelist() comes across more than nref_dirt dirty buffers, it will wake up bdflush.
Finally, the age_buffer and age_super parameters govern the maximum time Linux waits before writing out a dirty buffer to disk. The value is expressed in jiffies (clockticks), the number of jiffies per second is 100. Age_buffer is the maximum age for data blocks, while age_super is for filesystems meta data.
The three values in this file control how much memory should be used for buffer memory. The percentage is calculated as a percentage of total system memory.
The values are:
This is the minimum percentage of memory that should be spent on buffer memory.
When Linux is short on memory, and the buffer cache uses more than it has been allotted, the memory management (MM) subsystem will prune the buffer cache more heavily than other memory to compensate.
This is the maximum amount of memory that can be used for buffer memory.
This file contains three values: min, low and high:
When the number of free pages in the system reaches this number, only the kernel can allocate more memory.
If the number of free pages falls below this point, the kernel starts swapping aggressively.
The kernel tries to keep up to this amount of memory free; if memory falls below this point, the kernel starts gently swapping in the hopes that it never has to do really aggressive swapping.
Kswapd is the kernel swap out daemon. That is, kswapd is that piece of the kernel that frees memory when it gets fragmented or full. Since every system is different, you'll probably want some control over this piece of the system.
The file contains three numbers:
The maximum number of pages kswapd tries to free in one round is calculated from this number. Usually this number will be divided by 4 or 8 (see mm/vmscan.c), so it isn't as big as it looks. When you need to increase the bandwidth to/from swap, you'll want to increase this number.
This is the minimum number of times kswapd tries to free a page each time it is called. Basically it's just there to make sure that kswapd frees some pages even when it's being called with minimum priority.
This is probably the greatest influence on system performance. swap_cluster is the number of pages kswapd writes in one turn. You'll want this value to be large so that kswapd does its I/O in large chunks and the disk doesn't have to seek as often, but you don't want it to be too large since that would flood the request queue.
This file contains one value. The following algorithm is used to decide if there's enough memory: if the value of overcommit_memory is positive, then there's always enough memory. This is a useful feature, since programs often malloc() huge amounts of memory 'just in case', while they only use a small part of it. Leaving this value at 0 will lead to the failure of such a huge malloc(), when in fact the system has enough memory for the program to run. On the other hand, enabling this feature can cause you to run out of memory and thrash the system to death, so large and/or important servers will want to set this value to 0.
This file does exactly the same job as buffermem, only this file controls the amount of memory allowed for memory mapping and generic caching of files. You don't want the minimum level to be too low, otherwise your system might thrash when memory is tight or fragmentation is high.
The kernel keeps a number of page tables in a per-processor cache (this helps a lot on SMP systems). The cache size for each processor will be between the low and the high value. On a low-memory, single CPU system, you can safely set these values to 0 so you don't waste memory. It is used on SMP systems so that the system can perform fast pagetable allocations without having to acquire the kernel memory lock. For large systems, the settings are probably fine. For normal systems they won't hurt a bit. For small systems ( less than 16MB ram) it might be advantageous to set both values to 0.
This file contains no less than 8 variables. All of these values are used by kswapd. The first four variables sc_max_page_age, sc_page_advance, sc_page_decline and sc_page_initial_age are used to keep track of Linux's page aging. Page ageing is a bookkeeping method to track which pages of memory are often used, and which pages can be swapped out without consequences.
When a page is swapped in, it starts at sc_page_initial_age (default 3) and when the page is scanned by kswapd, its age is adjusted according to the following scheme.
If the page was used since the last time we scanned, its age is increased by sc_page_advance (default 3). Where the maximum value is given by sc_max_page_age (default 20). Otherwise (meaning it wasn't used) its age is decreased by sc_page_decline (default 1).
When a page reaches age 0, it's ready to be swapped out.
The variables sc_age_cluster_fract, sc_age_cluster_min, sc_pageout_weight and sc_bufferout_weight, can be used to control kswapd's aggressiveness in swapping out pages.
Sc_age_cluster_fract is used to calculate how many pages from a process are to be scanned by kswapd. The formula used is
(sc_age_cluster_fract divided by 1024) times resident set size
So if you want kswapd to scan the whole process, sc_age_cluster_fract needs to have a value of 1024. The minimum number of pages kswapd will scan is represented by sc_age_cluster_min, which is done so that kswapd will also scan small processes. The values of sc_pageout_weight and sc_bufferout_weight are used to control how many tries kswapd will make in order to swap out one page/buffer. These values can be used to fine-tune the ratio between user pages and buffer/cache memory. When you find that your Linux system is swapping out too many process pages in order to satisfy buffer memory demands, you may want to either increase sc_bufferout_weight, or decrease the value of sc_pageout_weight.
Device specific parameters. Currently there is only support for CDROM drives, and for those, there is only one read-only file containing information about the CD-ROM drives attached to the system: >cat /proc/sys/dev/cdrom/info CD-ROM information, Id: cdrom.c 2.55 1999/04/25 drive name: sr0 hdb drive speed: 32 40 drive # of slots: 1 0 Can close tray: 1 1 Can open tray: 1 1 Can lock tray: 1 1 Can change speed: 1 1 Can select disk: 0 1 Can read multisession: 1 1 Can read MCN: 1 1 Reports media changed: 1 1 Can play audio: 1 1 You see two drives, sr0 and hdb, along with a list of their features.
This directory contains four files, which enable or disable debugging for the RPC functions NFS, NFS-daemon, RPC and NLM. The default values are 0. They can be set to one to turn debugging on. (The default value is 0 for each)
The interface to the networking parts of the kernel is located in /proc/sys/net. The following table shows all possible subdirectories. You may see only some of them, depending on your kernel's configuration. Our main focus will be on IP networking since AX15, X.25, and DEC Net are only minor players in the Linux world. Should you wish review the online documentation and the kernel source to get a detailed view of the parameters for those protocols not covered here. In this section we'll discuss the subdirectories listed above. As default values are suitable for most needs, there is no need to change these values.
Network core options
The default setting of the socket receive buffer in bytes.
The maximum receive socket buffer size in bytes.
The default setting (in bytes) of the socket send buffer.
The maximum send socket buffer size in bytes.
These parameters are used to limit the warning messages written to the kernel log from the networking code. They enforce a rate limit to make a denial-of-service attack impossible. A higher message_cost factor, results in fewer messages that will be written. Message_burst controls when messages will be dropped. The default settings limit warning messages to one every five seconds.
Maximum number of packets, queued on the INPUT side, when the interface receives packets faster than kernel can process them.
Maximum ancillary buffer size allowed per socket. Ancillary data is a sequence of struct cmsghdr structures with appended data.
Parameters for Unix domain sockets
There are only two files in this subdirectory. They control the delays for deleting and destroying socket descriptors.
IPV4 settings. IP version 4 is still the most used protocol in Unix networking. It will be replaced by IP version 6 in the next couple of years, but for the moment it's the de facto standard for the internet and is used in most networking environments around the world. Because of the importance of this protocol, we'll have a deeper look into the subtree controlling the behavior of the Ipv4 subsystem of the Linux kernel.
Let's start with the entries in /proc/sys/net/ipv4.
Turn on (1) or off (0), if the kernel should ignore all ICMP ECHO requests, or just those to broadcast and multicast addresses.
Please note that if you accept ICMP echo requests with a broadcast/multi\-cast destination address your network may be used as an exploder for denial of service packet flooding attacks to other hosts.
Sets limits for sending ICMP packets to specific targets. A value of zero disables all limiting. Any positive value sets the maximum package rate in hundredth of a second (on Intel systems).
This file contains the number one if the host received its IP configuration by RARP, BOOTP, DHCP or a similar mechanism. Otherwise it is zero.
TTL (Time To Live) for IPv4 interfaces. This is simply the maximum number of hops a packet may travel.
Enable dynamic socket address rewriting on interface address change. This is useful for dialup interface with changing IP addresses.
Enable or disable forwarding of IP packages between interfaces. Changing this value resets all other parameters to their default values. They differ if the kernel is configured as host or router.
Range of ports used by TCP and UDP to choose the local port. Contains two numbers, the first number is the lowest port, the second number the highest local port. Default is 1024-4999. Should be changed to 32768-61000 for high-usage systems.
Global switch to turn path MTU discovery off. It can also be set on a per socket basis by the applications or on a per route basis.
Enable/disable debugging of IP masquerading.
Maximum memory used to reassemble IP fragments. When ipfrag_high_thrash bytes of memory is allocated for this purpose, the fragment handler will toss packets until ipfrag_low_thrash is reached.
Time in seconds to keep an IP fragment in memory.
This file controls the use of the ECN bit in the IPv4 headers, this is a new feature about Explicit Congestion Notification, but some routers and firewalls block traffic that has this bit set, so it could be necessary to echo 0 to /proc/sys/net/ipv4/tcp_ecn, if you want to talk to this sites. For more info you could read RFC2481.
Bug-to-bug compatibility with some broken printers. On retransmit, try to send larger packets to work around bugs in certain TCP stacks. Can be turned off by setting it to zero.
Number of keep alive probes TCP sends out, until it decides that the connection is broken.
How often TCP sends out keep alive messages, when keep alive is enabled. The default is 2 hours.
Number of times initial SYNs for a TCP connection attempt will be retransmitted. Should not be higher than 255. This is only the timeout for outgoing connections, for incoming connections the number of retransmits is defined by tcp_retries1.
Enable select acknowledgments after RFC2018.
Enable timestamps as defined in RFC1323.
Enable the strict RFC793 interpretation of the TCP urgent pointer field. The default is to use the BSD compatible interpretation of the urgent pointer pointing to the first byte after the urgent data. The RFC793 interpretation is to have it point to the last byte of urgent data. Enabling this option may lead to interoperability problems. Disabled by default.
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES. Send out syncookies when the syn backlog queue of a socket overflows. This is to ward off the common 'syn flood attack'. Disabled by default. Note that the concept of a socket backlog is abandoned. This means the peer may not receive reliable error messages from an over loaded server with syncookies enabled.
Enable window scaling as defined in RFC1323.
The length of time in seconds it takes to receive a final FIN before the socket is always closed. This is strictly a violation of the TCP specification, but required to prevent denial-of-service attacks.
Indicates how many keep alive probes are sent per slow timer run. Should not be set too high to prevent bursts.
Length of the per socket backlog queue. Since Linux 2.2 the backlog specified in listen(2) only specifies the length of the backlog queue of already established sockets. When more connection requests arrive Linux starts to drop packets. When syncookies are enabled the packets are still answered and the maximum queue is effectively ignored.
Defines how often an answer to a TCP connection request is retransmitted before giving up.
Defines how often a TCP packet is retransmitted before giving up.
Here you'll find one subdirectory for each interface the system knows about and one directory called all. Changes in the all subdirectory affect all interfaces, whereas changes in the other subdirectories affect only one interface. All directories have the same entries:
This switch decides if the kernel accepts ICMP redirect messages or not. The default is 'yes' if the kernel is configured for a regular host and 'no' for a router configuration.
Should source routed packages be accepted or declined. The default is dependent on the kernel configuration. It's 'yes' for routers and 'no' for hosts.
Accept packets with source address 0.b.c.d with destinations not to this host as local ones. It is supposed that a BOOTP relay daemon will catch and forward such packets. The default is 0.
Enable or disable IP forwarding on this interface.
Log packets with source addresses with no known route to kernel log.
Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE and a multicast routing daemon is required.
Does (1) or does not (0) perform proxy ARP.
Integer value determines if a source validation should be made. 1 means yes, 0 means no. Disabled by default, but local/broadcast address spoofing is always on. If you set this to 1 on a router that is the only connection for a network to the net, it will prevent spoofing attacks against your internal networks (external addresses can still be spoofed), without the need for additional firewall rules.
Accept ICMP redirect messages only for gateways, listed in default gateway list. Enabled by default.
If it is not set the kernel does not assume that different subnets on this device can communicate directly. Default setting is 'yes'.
Determines whether to send ICMP redirects to other hosts.
The directory /proc/sys/net/ipv4/route contains several file to control routing issues.
These parameters are used to limit the warning messages written to the kernel log from the routing code. The higher the error_cost factor is, the fewer messages will be written. Error_burst controls when messages will be dropped. The default settings limit warning messages to one every five seconds.
Writing to this file results in a flush of the routing cache.
Values to control the frequency and behavior of the garbage collection algorithm for the routing cache.
Maximum size of the routing cache. Old entries will be purged once the cache reached has this size.
Delays for flushing the routing cache.
Factors which determine if more ICPM redirects should be sent to a specific host. No redirects will be sent once the load limit or the maximum number of redirects has been reached.
Timeout for redirects. After this period redirects will be sent again, even if this has been stopped, because the load or number limit has been reached.
Network Neighbor handling. It contains settings about how to handle connections with direct neighbors (nodes attached to the same link). As we saw it in the conf directory, there is a default subdirectory which holds the default values, and one directory for each interface. The contents of the directories are identical, with the single exception that the default settings contain additional options to set garbage collection parameters.
In the interface directories you'll find the following entries:
A base value used for computing the random reachable time value as specified in RFC2461.
The time, expressed in jiffies (1/100 sec), between retransmitted Neighbor Solicitation messages. Used for address resolution and to determine if a neighbor is unreachable.
Maximum queue length for a pending arp request - the number of packets which are accepted from other layers while the ARP address is still resolved.
Maximum for random delay of answers to neighbor solicitation messages in jiffies (1/100 sec). Not yet implemented (Linux does not have anycast support yet).
Maximum number of retries for unicast solicitation.
Maximum number of retries for multicast solicitation.
Delay for the first time probe if the neighbor is reachable. (see gc_stale_time)
An ARP/neighbor entry is only replaced with a new one if the old is at least locktime old. This prevents ARP cache thrashing.
Maximum time (real time is random [0..proxytime]) before answering to an ARP request for which we have an proxy ARP entry. In some cases, this is used to prevent network flooding.
Maximum queue length of the delayed proxy arp timer. (see proxy_delay).
Determines the number of requests to send to the user level ARP daemon. Use 0 to turn off.
Determines how often to check for stale ARP entries. After an ARP entry is stale it will be resolved again (which is useful when an IP address migrates to another machine). When ucast_solicit is greater than 0 it first tries to send an ARP packet directly to the known host When that fails and mcast_solicit is greater than 0, an ARP request is broadcasted.
Holds the Appletalk configuration data when Appletalk is loaded. The configurable parameters are:
The amount of time we keep an ARP entry before expiring it. Used to age out old hosts.
The amount of time we will spend trying to resolve an Appletalk address.
The number of times we will retransmit a query before giving up.
Controls the rate at which expires are checked.
Holds the list of active Appletalk sockets on a machine. The fields indicate the DDP type, the local address (in network:node format) the remote address, the size of the transmit pending queue, the size of the received queue (bytes waiting for applications to read) the state and the uid owning the socket.
lists all the interfaces configured for appletalk. It shows the name of the interface, its Appletalk address, the network range on that address (or network number for phase 1 networks), and the status of the interface.
lists each known network route. It lists the target (network) that the route leads to, the router (may be directly connected), the route flags, and the device the route is using.
The IPX protocol has no tunable values in proc/sys/net, it does, however, provide proc/net/ipx. This lists each IPX socket giving the local and remote addresses in Novell format (that is network:node:port). In accordance with the strange Novell tradition, everything but the port is in hex. Not_Connected is displayed for sockets that are not tied to a specific remote address. The Tx and Rx queue sizes indicate the number of bytes pending for transmission and reception. The state indicates the state the socket is in and the uid is the owning uid of the socket.
Lists all IPX interfaces. For each interface it gives the network number, the node number, and indicates if the network is the primary network. It also indicates which device it is bound to (or Internal for internal networks) and the Frame Type if appropriate. Linux supports 802.3, 802.2, 802.2 SNAP and DIX (Blue Book) ethernet framing for IPX.
Table holding a list of IPX routes. For each route it gives the destination network, the router node (or Directly) and the network address of the router (or Connected) for internal networks.
Info of SysVIPC Resources (msg, sem, shm) (2.4)
Information about the available and actually used tty's can be found in the directory /proc/tty. You'll find entries for drivers and line disciplines in this directory.
list of drivers and their usage.
registered line disciplines.
usage statistic and status of single tty lines.
To see which tty's are currently in use, you can simply look into the file /proc/tty/drivers:
# cat /proc/tty/drivers serial /dev/cua 5 64-127 serial:callout serial /dev/ttyS 4 64-127 serial pty_slave /dev/pts 143 0-255 pty:slave pty_master /dev/ptm 135 0-255 pty:master pty_slave /dev/pts 142 0-255 pty:slave pty_master /dev/ptm 134 0-255 pty:master pty_slave /dev/pts 141 0-255 pty:slave pty_master /dev/ptm 133 0-255 pty:master pty_slave /dev/pts 140 0-255 pty:slave pty_master /dev/ptm 132 0-255 pty:master pty_slave /dev/pts 139 0-255 pty:slave pty_master /dev/ptm 131 0-255 pty:master pty_slave /dev/pts 138 0-255 pty:slave pty_master /dev/ptm 130 0-255 pty:master pty_slave /dev/pts 137 0-255 pty:slave pty_master /dev/ptm 129 0-255 pty:master pty_slave /dev/pts 136 0-255 pty:slave pty_master /dev/ptm 128 0-255 pty:master pty_slave /dev/ttyp 3 0-255 pty:slave pty_master /dev/pty 2 0-255 pty:master /dev/vc/0 /dev/vc/0 4 0 system:vtmaster /dev/ptmx /dev/ptmx 5 2 system /dev/console /dev/console 5 1 system:console /dev/tty /dev/tty 5 0 system:/dev/tty unknown /dev/vc/%d 4 1-63 console
Note that while the above files tend to be easily readable text files, they can sometimes be formatted in a way that is not easily digestible. There are many commands that do little more than read the above files and format them for easier understanding. For example, the free program reads /proc/meminfo and converts the amounts given in bytes to kilobytes (and adds a little more information, as well).
The time the system has been up.
The kernel version.
BTTV info of video resources.
We offer private custom tutoring classes both online and in DC, MD and VA for almost all of our courses or bootcamps. Give us a call or email us to discuss your needs.
$50 Limited OfferREGISTER NOW