5.11. Tutorial: combined practices of the different sections

We will begin by examining the general state of our system. We will carry out different steps in a Debian system. It is an unstable Debian system (the unstable version, but more updated); however, the procedures are, mostly, transferable to other distributions such as Fedora/Red Hat (we will mention some of the most important changes). The hardware consists of a Pentium 4 at 2.66 Ghz with 768 MB RAM and various disks, DVD and CD-writer, as well as other peripherals, on which we will obtain information as we proceed step by step.

First we will see how our system booted up the last time:

# uptime 17:38:22 up 2:46, 5 users, load average: 0.05, 0.03, 0.04

This command tells us the time that the system has been up since it last booted, 2 hours and 47 minutes and, in this case, we have 5 users. These will not necessarily correspond to five different users, but they will usually be opened user sessions (for example, through one terminal). The who command provides a list of these users. The load average is the system's average load over the last 1, 5 and 15 minutes.

Let's look at system's boot log (dmesg command), and the lines that were generated when the system booted up (we have removed some lines for the purpose of clarity):

Linux version 2.6.20-1-686 (Debian 2.6.20-2) (waldi@debian.org)
(gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Sun Apr
 15 21:03:57 UTC 2007
BIOS-provided physical RAM map:
	 BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
	 BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
	 BIOS-e820: 00000000000ce000 - 00000000000d0000 (reserved)
	 BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
	 BIOS-e820: 0000000000100000 - 000000002f6e0000 (usable)
	 BIOS-e820: 000000002f6e0000 - 000000002f6f0000 (ACPI data)
	 BIOS-e820: 000000002f6f0000 - 000000002f700000 (ACPI NVS)
	 BIOS-e820: 000000002f700000 - 000000002f780000 (usable)
	 BIOS-e820: 000000002f780000 - 0000000030000000 (reserved)
	 BIOS-e820: 00000000ff800000 - 00000000ffc00000 (reserved)
	 BIOS-e820: 00000000fffffc00 - 0000000100000000 (reserved)
0MB HIGHMEM available.
759MB LOWMEM available.

These first lines already indicate some interesting data: the Linux kernel is version 2.6.20-1-686, one version 2.6 revision 20 at revision 1 of Debian and for 686 machines (Intel x86 32 bits architecture). They also indicate that we are booting a Debian system, with this kernel which was compiled with a GNU gcc compiler, version 4.1.2 and the date. There is then a map of the memory zones used (reserved) by the BIOS and then the total memory detected in the machine: 759 MB, to which we would have to add the first 1 MB, making a total of 760 MB.


Kernel command line: BOOT_IMAGE=LinuxNEW ro root=302 lang=es acpi=force

Initializing CPU#0

Console: colour dummy device 80x25

Memory: 766132k/777728k available (1641k kernel code, 10968k reserved, 619k data, 208k init, 0k highmem)

Calibrating delay using timer specific routine.. 5320.63 BogoMIPS (lpj=10641275)

Here, we are told how the machine booted up and which command line has been passed to the kernel (different options may be passed, such as lilo or grub). And we are booting in console mode with 80 x 25 characters (this can be changed). The BogoMIPS are internal measurements of the kernel of the CPU speed. There are architectures in which it is difficult to detect how many MHz the CPU works with and this is why this speed measurement is used. Subsequently, we are given more data on the main memory and what it is being used for at this booting stage.


CPU: Trace cache: 12K uops, L1 D cache: 8K

CPU: L2 cache: 512K

CPU: Hyper-Threading is disabled

Intel machine check architecture supported.

Intel machine check reporting enabled on CPU#0.

CPU0: Intel P4/Xeon Extended MCE MSRs (12) available

CPU0: Intel(R) Pentium(R) 4 CPU 2.66GHz stepping 09

Likewise, we are given various data on the CPU: the size of the first-level cache, the internal CPU cache, L1 divided in a TraceCache of the Pentium 4 (or cache instruction), and the data cache and the unified second-level cache (L2), the type of CPU, its speed and the system's bus.


PCI: PCI BIOS revision 2.10 entry at 0xfd994, last bus=3

Setting up standard PCI resources


NET: Registered protocol

IP route cache hash table entries: 32768 (order: 5, 131072 bytes)

TCP: Hash tables configured (established 131072 bind 65536)

checking if image is initramfs... it is

Freeing initrd memory: 1270k freed

fb0: VESA VGA frame buffer device

Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled

serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A

00:09: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A

RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize

PNP: PS/2 Controller [PNP0303:KBC0,PNP0f13:MSE0] at 0x60,0x64 irq 1,12

i8042.c: Detected active multiplexing controller, rev 1.1.

serial: i8042 KBD port at 0x60,0x64 irq 1

serial: i8042 AUX0 port at 0x60,0x64 irq 12

serial: i8042 AUX1 port at 0x60,0x64 irq 12

serial: i8042 AUX2 port at 0x60,0x64 irq 12

serial: i8042 AUX3 port at 0x60,0x64 irq 12

mice: PS/2 mouse device common for all mice

The kernel and devices continue to boot, mentioning the initiation of the network protocols. The terminals, the serial ports ttyS0 (which would be com1) and ttyS01 (com2). It provides information on the RAM disks that are being used, the detection of PS2 devices, keyboard and mouse.


ICH4: IDE controller at PCI slot 0000:00:1f.1

ide0: BM-DMA at 0x1860-0x1867, BIOS settings: hda:DMA, hdb:pio

ide1: BM-DMA at 0x1868-0x186f, BIOS settings: hdc:DMA, hdd:pio

Probing IDE interface ide0...

hda: FUJITSU MHT2030AT, ATA DISK drive

ide0 at 0x1f0-0x1f7,0x3f6 on irq 14

Probing IDE interface ide1...


ide1 at 0x170-0x177,0x376 on irq 15

SCSI subsystem initialized

libata version 2.00 loaded.

hda: max request size: 128KiB

hda: 58605120 sectors (30005 MB) w/2048KiB Cache, CHS=58140/16/63<6>hda: hw_config=600b

, UDMA(100)

hda: cache flushes supported

hda: hda1 hda2 hda3

kjournald starting. Commit interval 5 seconds

EXT3-fs: mounted file system with ordered data mode.

hdc: ATAPI 24X DVD-ROM CD-R/RW drive, 2048kB Cache, UDMA(33)

Uniform CD-ROM driver Revision: 3.20

Addinf 618492 swap on /dev/hda3.

Detection of IDE devices, detecting the IDE chip in the PCI bus and reporting what is driving the devices: hda, and hdc, which are, respectively: a hard disk (Fujitsu), a second hard disk, a Samsung DVD Samsung, and a CD-writer (given that in this case, we have a combo unit). It indicates active partitions. Subsequently, the machine detects the main Linux file system, a journaled ext3, that activates and adds the swap space available in a partition.


usbcore: registered new interface driver usbfs

usbcore: registered new interface driver hub

usbcore: registered new device driver usb

input: PC Speaker as /class/input/input1

USB Universal Host Controller Interface driver v3.0

hub 1-0:1.0: USB hub found

hub 1-0:1.0: 2 ports detected

uhci_hcd 0000:00:1d.1: UHCI Host Controller

uhci_hcd 0000:00:1d.1: new USB bus registered, assigned bus number 2

uhci_hcd 0000:00:1d.1: irq 11, io base 0x00001820

usb usb2: configuration #1 chosen from 1 choice

hub 2-0:1.0: USB hub found

hub 2-0:1.0: 2 ports detected

hub 4-0:1.0: USB hub found

hub 4-0:1.0: 6 ports detected

More detection of devices, USB (and the corresponding modules); in this case, two hub devices (with a total of 8 USB ports) have been detected.


parport: PnPBIOS parport detected.

parport0: PC-style at 0x378 (0x778), irq 7, dma 1 [PCSPP,TRISTATE,COMPAT,EPP,ECP,DMA]

input: ImPS/2 Logitech Wheel Mouse as /class/input/input2

ieee1394: Initialized config rom entry 'ip1394'

eepro100.c:v1.09j-t 9/29/99 Donald Becker

Synaptics Touchpad, model: 1, fw: 5.9, id: 0x2e6eb1, caps: 0x944713/0xc0000

input: SynPS/2 Synaptics TouchPad as /class/input/input3

agpgart: Detected an Intel 845G Chipset

agpgart: Detected 8060K stolen Memory

agpgart: AGP aperture is 128M

eth0: OEM i82557/i82558 10/100 Ethernet, 00:00:F0:84:D3:A9, IRQ 11.

Board assembly 000000-000, Physical connectors present: RJ45

e100: Intel(R) PRO/100 Network Driver, 3.5.17-k2-NAPI

usbcore: registered new interface driver usbkbd

Initializing USB Mass Storage driver...

usbcore: registered new interface driver usb-storage

USB Mass Storage support registered.

lp0: using parport0 (interrupt-driven).

ppdev: user-space parallel port driver

And the final detection of the rest of the devices: Parallel port, mouse model, FireWire port (IEEE1394) network card (Intel), a touchscreen, the AGP video card (i845). More data on the network card, an intel pro 100, registry of usb as mass storage (indicates a USB storage device as an external disk) and detection of parallel port.

We can also see all this information, which we accessed through the dmesg command, dumped in the system's main log, /var/log/messages. In this log, we will find the kernel messages, among others, the messages of the daemons and network or device errors, which communicate their messages to a special daemon called syslogd, which is in charge of writing the messages in this file. If we have recently booted the machine, we will observe that the last lines contain exactly the same information as the dmesg command,

for example, if we look at the final part of the file (which is usually very large):

# tail 200 /var/log/messages

We observe the same lines as before and some more information such as:


shutdown[13325]: shutting down for system reboot

kernel: usb 4-1: USB disconnect, address 3

kernel: nfsd: last server has exited

kernel: nfsd: unexporting all file systems

kernel: Kernel logging (proc) stopped.

kernel: Kernel log daemon terminating.

exiting on signal 15

syslogd 1.4.1#20: restart.

kernel: klogd 1.4.1#20, log source = /proc/kmsg started.

Linux version 2.6.20-1-686 (Debian 2.6.20-2) (waldi@debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Sun Apr 15 21:03:57 UTC 2007

kernel: BIOS-provided physical RAM map:

The first part corresponds to the preceding shutdown of the system, informing us that the kernel has stopped placing information in /proc, that the system is shutting down... At the beginning of the new boot, the Syslogd daemon that generates the log is activated, and the system begins to load, which tells us that the kernel will begin to write information in its system, /proc; we look at the first lines of the dmesg mentioning the version of the kernel that is being loaded and we then find what we have seen with dmesg.

At this point, another useful command for finding out how the load process has taken place is Ismod, which will tell us which modules have been loaded in the kernel (summarised version):

# lsmod
Module Size Used by
nfs 219468              0
nfsd 202192            17
exportfs 5632           1 nfsd
lockd 58216             3 nfs,nfsd
nfs_acl 3616            2 nfs,nfsd
sunrpc 148380          13 nfs,nfsd,lockd,nfs_acl
ppdev 8740              0
lp 11044                0
button 7856             0
ac 5220                 0
battery 9924            0
md_mod 71860            1
dm_snapshot 16580       0
dm_mirror 20340         0
dm_mod 52812            2 dm_snapshot,dm_mirror
i810fb 30268            0
vgastate 8512           1 i810fb
eeprom 7184             0
thermal 13928           0
processor 30536         1 thermal
fan 4772                0
udf 75876               0
ntfs 205364             0
usb_storage 75552       0
hid 22784               0
usbkbd 6752             0
eth1394 18468           0
e100 32648              0
eepro100 30096          0
ohci1394 32656          0
ieee1394 89208          2 eth1394,ohci1394
snd_intel8x0 31420      1
snd_ac97_codec 89412    1 snd_intel8x0
ac97_bus 2432           1 snd_ac97_codec
parport_pc 32772        1
snd 48196               6 snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer
ehci_hcd 29132          0
ide_cd 36672            0
cdrom 32960             1 ide_cd
soundcore 7616          1 snd
psmouse 35208           0
uhci_hcd 22160          0
parport 33672           3 ppdev,lp,parport_pc
intelfb 34596           0
serio_raw 6724          0
pcspkr 3264             0
pci_hotplug 29312       1 shpchp
usbcore 122312          6 dvb_usb,usb_storage,usbkbd,ehci_hcd,uhci_hcd
intel_agp 22748         1
agpgart 30504           5 i810fb,drm,intelfb,intel_agp
ext3 121032             1
jbd 55368               1 ext3
ide_disk 15744          3
ata_generic 7876        0
ata_piix 15044          0
libata 100052           2 ata_generic,ata_piix
scsi_mod 133100         2 usb_storage,libata
generic 4932            0 [permanent]
piix 9540               0 [permanent]
ide_core 114728         5 usb_storage,ide_cd,ide_disk,generic,piix

We see that we basically have the drivers for the hardware that we have detected and other related elements or those necessary by dependencies.

This gives us, then, an idea of how the kernel and its modules have been loaded. In this process, we may already have observed an error, if the hardware is not properly configured or there are kernel modules that are not properly compiled (they were not compiled for the appropriate kernel version), inexistent etc.

The next step for examining the processes in the system, such as the ps (for process status) command, for example (only the system processes are shown, not the user ones):


# ps -ef


Processes information, UID user that has launched the process (or the identifier with which it has been launched), PID and process code assigned by the system are consecutively shown, as the processes launch; the first is always 0, which corresponds to the init process. PPID is the id of the current parent process. STIME, time in which the process was booted, TTY, terminal assigned to the process (if there is one), CMD, command line with which it was launched.


root 1 0 0 14:52 ? 00:00:00 init [2]

root 3 1 0 14:52 ? 00:00:00 [ksoftirqd/0]

root 143 6 0 14:52 ? 00:00:00 [bdflush]

root 145 6 0 14:52 ? 00:00:00 [kswapd0]

root 357 6 0 14:52 ? 00:00:01 [kjournald]

root 477 1 0 14:52 ? 00:00:00 udevd --daemon

root 719 6 0 14:52 ? 00:00:00 [khubd]

Various system daemons, such as the kswapd daemon, which controls the virtual memory swaps. Handling of system buffers (bdflush). Handling of file system journal (kjournald), USB handling (khubd). Or the udev daemon that controls the hot device connection. In general, the daemons are not always identified by a d at the end, and if they have a k at the beginning, they are normally internal threads of the kernel.


root       1567 1 0 14:52 ? 00:00:00 dhclient -e -pf ...

root       1653 1 0 14:52 ? 00:00:00 /sbin/portmap

root        1829 1 0 14:52 ? 00:00:00 /sbin/syslogd

root       1839 1 0 14:52 ? 00:00:00 /sbin/klogd -x

root       1983 1 0 14:52 ? 00:00:09 /usr/sbin/cupsd

root        2178 1 0 14:53 ? 00:00:00 /usr/sbin/inetd

We have dhclient, which indicates that the machine is the client of a DHCP server, for obtaining its IP. Syslogd, a daemon that sends messages to the log. The cups daemon, which, as we have discussed, is related to the printing system. And inetd, which, as we shall see in the section on networks, is a type of "superserver" or intermediary of other daemons related to network services.


root       2154 1 0 14:53 ?             00:00:00 /usr/sbin/rpc.mountd

root       2241 1 0 14:53 ?             00:00:00 /usr/sbin/sshd

root       2257 1 0 14:53 ?             00:00:00 /usr/bin/xfs -daemon

root                   2573 1 0 14:53 ?             00:00:00 /usr/sbin/atd

root       2580 1 0 14:53 ?             00:00:00 /usr/sbin/cron

root       2675 1 0 14:53 ?             00:00:00 /usr/sbin/apache

www-data       2684 2675 0 14:53 ?       00:00:00 /usr/sbin/apache

www-data       2685 2675 0 14:53 ? 00:00:00 /usr/sbin/apache

There is also sshd, a safe remote access server (an improved version that permits services compatible with telnet and FTP). xfs is the fonts server (character types) of X Window. The atd and cron commands can be used for handling programmed tasks at a determined moment. Apache is a web server, which may have various active threads for attending to different requests.


root 2499 2493 0 14:53 ?       00:00:00 /usr/sbin/gdm

root 2502 2499 4 14:53 tty7    00:09:18 /usr/bin/X :0 -dpi 96 ...

root 2848 1 0 14:53 tty2       00:00:00 /sbin/getty 38400 tty2

root 2849 1 0 14:53 tty3       00:00:00 /sbin/getty 38400 tty3

root 3941 2847 0 14:57 tty1    00:00:00 -bash

root 16453 12970 0 18:10 pts/2 00:00:00 ps -ef

gdm is the graphical login of the Gnome desktop system (the entry point where we are asked for the login name and password) and the getty processes are the ones that manage the virtual text terminals (which we can see by pressing Alt+Fx (or Ctrl+Alt+Fx if we are in graphic mode). X is the process of the X Window System graphic server and is essential for executing any desktop environment above this. An open shell (bash), and finally, the process that we have generated when requesting this ps from the command line.

The ps command provides various command line options for adjusting the information that we want on each process, whether it is the time that it has been executing, the percentage of CPU used, memory used etc. (see man of ps). Another very interesting command is top, which does the same as ps but dynamically; in other words, it updates every certain period of time, we can classify the processes by use of CPU or memory and it also provides information on the state of the overall memory.

Other useful commands for resources management are free and vmstat, which provide information on the memory used and the virtual memory system:

Example 5-16. Note

See man of the commands to interpret outputs.

# free      total used free shared buffers cached
Mem: 767736 745232 22504 0 89564 457612
-/+ buffers/cache: 198056 569680
Swap: 618492 1732 616760

# vmstat
procs -----------memory---------- ---swap-- -----io-- --system-- ----cpu----
r b swpd free buff cache si so bi bo in cs us sy id wa
1 0 1732 22444 89584 457640 0 0 68 137 291 418 7 1 85 7

The free command also shows the swap size, approximately 600 MB, which are not currently used intensely as there is sufficient physical memory space; there are still 22 MB free (which indicates a high use of the physical memory and the need to use swap soon). The memory space and swap (as of kernels 2.4) add to each other to comprise the total memory in the system, which in this case, means that there is a total of 1.4 GB available. This may seem a lot, but it will depend on the applications that are being executed.