COMPUTER AND NETWORK
SYSTEM ADINISTRATION
CIS 5406-01
Summer 1998 - Lesson 2
Daemons and Services
UNIX
First of all, it's daemon not demon
o demon is an evil spirit
o daemon is an attendant spirit (between human and god)
how to see them? LEARN YOUR LOCAL "ps" COMMAND!
BSD-style: "ps axuw" (SunOS 4.1.x, Linux, AIX)
SysV-style: "ps -elf" (SunOS 5.x, IRIX, AIX, HP-UX)
Daemon characteristics
no controlling terminal
run in background
Coding rules for starting a daemon
make sure that the process is not a process group leader
this can be done by forking a child and killing the parent
create a new session
call setsid()
this creates a new sesssion and a new process group with no
controlling terminal
if a process group leader calls setsid() an error occurs
change the CWD to working location for the daemon
pay attention to file mode creation mask (so any files created
by the daemon will have the correct permissions)
close all uneeded file descriptors (these were inherited from
the parent)
Why have daemons?
modularity - don't want to have to recompile the kernel to
modify ftpd
kernel size - want to keep the kernel small
robustness - don't want the kernel to crash when a lowly
daemon dies (say lpd)
however, the death of the "kernel" daemons and "init" will generally
kill the system
Kernel and user daemons
some daemons execute in kernel mode (pagedaemon and swapper)
the rest execute in user mode beginning with init
BSD swapper (PID 0)
the swapper is a kernel daemon
kernel memory - it functions wholly within the kernel memory
kernel code - the code for the swapper is compiled into the kernel code
kernel mode - it is executed in privileged execution mode
like a system call, the swapper does not get time quanta
function - the swapper moves whole processes between main memory and
secondary storage
high page fault rate - it does this when the system is short of
memory and the pagedaemon can't reclaim enough memory
swapping out
how does the swapper choose a process to swap out?
idle time - first, of the processes which have been idle for
more than 20
seconds, the one with the longest sleep time is chosen
size - second, if no resident processes have been idle for more than
20 seconds, the daemon picks 4 largest processes
of these 4, the one which has been resident (not idle)
the longest amount of time is chosen
swapping in
runnable - when a process becomes runnable it is swapped in
if more than one process is ready to be swapped in, a choice
is made
oldest swapped - in general, the process that has been swapped
out the longest gets in first
SA RELEVANCE:
the swapper is the first process to start after the kernel
is loaded
if the machine crashes immediately after the kernel is loaded
then you may not have your swap space configured correctly
Was the kernel configured correctly?
"mkfile" - if the swap space is on a UFS or NFS partition use
mkfile which does a zero fill and sets sticky bit
OS other than BSD
the swapper is described as a separate kernel process by Bach
It does not appear in the Linux process table
It does appear on AIX, HP-UX, IRIX, for example
it appears in the Solaris process table as sched
(the SysV swapper is sometimes called the scheduler because
it 'schedules' the allocation of memory and thus influences
the CPU scheduler)
BSD pagedaemon (PID 2)
the second process created by the kernel is the pagedaemon
the pagedaemon is a kernel process
originated with BSD systems (demand paging is a BSD feature) which was
adopted by AT&T during System V
Pageout process (PID 2) in Solaris
implements pagedaemon's work
the pagedaemon sleeps until awakened by the kernel
the kernel checks 4 times per second to see if the
system needs memory
if so, the kernel awakens the pagedaemon
the pagedaemon then:
uses a two-handed clock algorithm ("enhanced second chance")
chooses pages for replacement
if page is 'clean' then page is freed
if page is 'dirty' then writes out modified page to disk
it does this asynchronously so that the algorithm can
continue and not block for disk I/O
a page is freed by adding it to the memory free list
SA RELEVANCE:
this is all automatic - not much for the SA to do
init (PID 1)
the first user process
all other processes are children of init
depending on the boot parameters init either:
spawns a single-user shell at the console
begins the multi-user start-up
we'll talk more about this when we discuss Booting the
System
update()
executes sync() every 30 seconds
what does sync() do?
flushes buffer cache - sync schedules the disk I/O
delayed write - it is needed because UNIX uses delayed write for
its buffer cache
SA RELEVANCE
Don't let users re-boot your UNIX systems
It is better to halt the system using /etc/shutdown or halt
these commands attempt to put the system in a quiescent state
before calling sync()
other OS
see bdflush and update in Linux
see fsflush in Solaris (PID 3)
inetd
even though well-written daemons consume little CPU time
they do take up process table slots
there began to be so many daemons that a super-daemon
was written to manage the class of network daemons
many network servers are mediated by the inetd daemon
they may also be run without the inetd - started at boot time
and run forever
inetd listens for requests for connections and then starts the
appropriate daemon
some examples are: rlogin, telnet, ftp, talk, finger
the inet daemon forks a child to handle the request
the child inetd execs a server (for example, telnetd)
the configuration file that tells the inetd which servers to
manage is /etc/inetd.conf
/etc/services
This file maps TCP and UDP protocol server names to port numbers
view /etc/services file
note that some services support both tcp and udp protocols
you can type: 'telnet xi.cs.fsu.edu smtp' to connect to
the sendmail port
Sun RPC services are mapped to ports by the portmapper daemon
look at inetd.conf
the 1st column is the name of the service
the 2nd column designates the type of socket to
be used with the service (almost always stream or datagram)
the 3rd column designates the communication protocol (tcp
is almost always paired with stream sockets and udp is almost
always paired with datagram sockets)
the 4th column applies only to datagram sockets - if the daemon can
process multiple requests then put 'wait' here so the inetd
doesn't keeping forking new daemons - this only applies to
datagram sockets
the 5th column specifies the username that the daemon should run
under (for example - let's have fingerd run as 'nobody' until
we can find the security hole)
the remaining columns give the pathname and arguments of the
daemons
SA RELEVANCE
when installing new software packages you may have to modify
inetd.conf and/or /etc/services
a hangup signal will get the inetd to re-read its
config file - 'kill -SIGHUP pid'
internet daemons (particularly sendmail) have been the source
of security holes
two methods of adding security are a tcpwrapper and a different
inet daemon
Linux (usually) comes with the "tcpd" wrapper installed
portmap
as mentioned above, maps RPC services to ports (/etc/rpc)
RPC servers register with this daemon
RPC clients get the port number for a service from the
daemon
you can get a lot of information using 'rpcinfo'
for example, rpcinfo -p will list the RPC services on
the local machine
then you can see which other machines on the same local
network provide the same services
try: rpcinfo -b ypbind 1
syslogd
the syslogd is a daemon whose function is to handle logging
requests from:
the kernel
other user processes (daemons)
processes on other machines (across the net)
a process can make a logging request to the syslogd by using
the function syslog()
syslog(priority, message, facility)
priority is level of criticality such as LOG_ALERT or
LOG_WARNING
message is a string containing the message to be sent
facility - source of message: LOG_USER, LOG_KERN,
LOG_AIL
the syslogd determines what to do with logging requests according
to the configuration file /etc/syslog.conf
a look at syslog.conf
example from syslog.conf
*.err;kern.debug;user.none /dev/console
*.err;kern.debug;daemon,auth.notice; /var/adm/messages
auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)
line 1 says write messages of priority level LOG_ERROR from all
sources to /dev/console (also kernel debug and no user messages)
line 3 ships authorization messages to the LOGHOST (nu)
if you want to log a message you can make the call:
syslog(LOG_ERR,''hi there, etc, etc'',LOG_USER);
Windows NT
You can see the processes running under Windows NT 4.0 via the
Windows NT Task Manager -- Press CTRL-ALT-DEL, select
Task Manager, or just press CTRL-SHIFT-ESC.
You can see/end/modify/switch/create applications,
see/end processes, and view CPU/memory performance.
A nice feature of the Processes display is the
ability to sort on any column by clicking on the
column header (the sort toggles from ascending/descending).
Quite a nice display!
You can also view the lists of services through the Control
panel "Services" icon.