Where data is stored on a Linux system

The Linux kernel is loaded at boot time and stays loaded to manage every aspect of the running system. One of the key functions of the kernel is process management. The kernel provides access to information about running processes through a pseudo filesystem that is visible under the /proc directory. Hardware devices are made available through special files under the /dev directory, while information about those devices can be found in another pseudo filesystem under the /sys directory.

There are a number of regular files in the /proc directory, such as /proc/cmdline, /proc/meminfo and /proc/modules. These files provide information about the running kernel. The /proc/cmdline file can be important because it contains all of the information that was passed to the kernel when it was first started. The /proc/meminfo file contains information about the kernel's use of memory. The /proc/modules file holds a list of the modules currently loaded into the kernel to add extra functionality. Most files under the /proc directory cannot be modified, even by the root user. Files under the /proc/sys directory can be modified by the root user, and modifying them changes the behavior of the kernel. Direct modification of these files causes only temporary changes to the kernel. For permanent configuration changes, the kernel uses the /etc/sysctl.conf file.

The /proc directory also shows a numbered directory for each running process on the system, where the name of the directory matches the PID (process ID) of the running process. Each process is assigned a PID in sequential order. When one process starts another process, the process that performs the starting is called the parent process and the process that is started is called the child process. When viewing processes, the parent's PID is labeled PPID. When the system has been running for a long time, it will eventually reach the maximum PID value, which can be viewed and configured through the /proc/sys/kernel/pid_max file.
One way of viewing processes is with the ps program. By default, ps will only show the processes running in the current shell. If you run ps with the --forest option, it will draw lines indicating the parent and child relationships. To view all processes on the system, you can execute either ps -ef or ps aux. To view an individual user's processes, execute ps -u username. The top program provides a real-time view of a running system. By default, the output is sorted by the percentage of CPU time that each process is currently using, with the highest values listed first. One of the advantages of the top program is that it can be left running for monitoring purposes. An administrator running the top program can terminate a process or adjust the priority of a process from within it. Another advantage of the top program is that it gives you an overall picture of how busy the system currently is.
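As an added example (not part of the original text), the following POSIX shell script reads the same /proc files described above: it prints a process's ancestry by following the PPid field in /proc/<pid>/status, which is where ps --forest and top get their parent/child information, and reports how close the highest live PID is to /proc/sys/kernel/pid_max. The PROC_ROOT variable is an assumption of this example so the functions can also be pointed at a constructed tree.

```shell
#!/bin/sh
# Walk a process's parent chain by reading the PPid field of
# /proc/<pid>/status and report headroom under /proc/sys/kernel/pid_max.
# PROC_ROOT is an assumed override (defaults to the real /proc) so the
# functions can run against a constructed tree for offline testing.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Name field of a process, or "?" if the process has already exited.
proc_name() {
    awk '/^Name:/ { print $2; exit }' "$PROC_ROOT/$1/status" 2>/dev/null \
        || echo '?'
}

# PPid field of a process; 0 marks the top of the tree or a vanished PID.
proc_ppid() {
    awk '/^PPid:/ { print $2; exit }' "$PROC_ROOT/$1/status" 2>/dev/null \
        || echo 0
}

# Print "pid(name) <- ppid(name) <- ... <- 1(init)" for the given PID.
# Handy when an unfamiliar process shows up in ps or top and you want to
# know which parent spawned it.
proc_ancestry() {
    pid="$1"; out=""; depth=0
    while [ -n "$pid" ] && [ "$pid" != "0" ] && [ "$depth" -lt 64 ]; do
        name=$(proc_name "$pid")
        out="${out:+$out <- }$pid($name)"
        pid=$(proc_ppid "$pid")
        depth=$((depth + 1))
    done
    printf '%s\n' "$out"
}

# Print "<highest live PID> <pid_max> <remaining headroom>".
pid_headroom() {
    max=$(cat "$PROC_ROOT/sys/kernel/pid_max")
    high=0
    for d in "$PROC_ROOT"/[0-9]*; do          # numbered dirs are processes
        p=${d##*/}
        [ -d "$d" ] && [ "$p" -gt "$high" ] && high=$p
    done
    echo "$high $max $((max - high))"
}

proc_ancestry "$$"
pid_headroom
```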

Another reason administrators like to keep the top program running is the ability to monitor memory usage in real time. Both the top and free programs display statistics for how overall memory is being used. The top program also has the ability to show the percentage of memory used by each process. The free program displays the amount of free and used memory in the system. The -m or -g options can be useful to show the output in megabytes or gigabytes respectively. Without these options, the output is displayed in bytes.

As the kernel and various processes run on the system, they produce output that is sometimes written to various files. This is called logging. Log files can be helpful in troubleshooting problems, and they can be used for determining whether or not unauthorized access has been attempted. Some processes are able to log their own data, while other processes rely on another process (a daemon) to do so. These logging daemons can vary from one distribution to another. For example, on some distributions, the daemon that runs in the background to perform logging is called syslog. Regardless of what the daemon process is named, the log files are almost always placed in the /var/log directory. Older log files are renamed and replaced with newer log files. The file names that appear in the table above may have a numeric or date suffix added to them. With the modern daemons, a date suffix is typically used. For security reasons, most of the log files are readable only by users with root privileges.

The /var/log/dmesg file contains the kernel messages that were produced during system startup. The /var/log/messages file will contain kernel messages and messages from other processes that are produced as the system is running, but those messages will be mixed with other messages that don't belong elsewhere. Although the kernel doesn't normally have its own log file, one can be configured for it, typically by modifying either the /etc/syslog.conf or the /etc/rsyslog.conf file. In addition, the dmesg command can be used to view the kernel ring buffer, which holds a large number of messages generated by the kernel.
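As an added example (not part of the original text), the following POSIX shell functions search a /var/log file together with all of its rotated copies, so that evidence of attempted unauthorized access is not missed just because rotation renamed the file with a numeric or date suffix (messages.1, messages-20240301) or compressed it. The LOG_DIR variable is an assumption of this example so the functions can be run against constructed files; the pattern 'Failed password' used at the bottom is only a sample search.

```shell
#!/bin/sh
# Search a /var/log file together with every rotated copy of it: numeric
# suffixes (messages.1), date suffixes (messages-20240301) and gzip-
# compressed copies (messages.2.gz). LOG_DIR is an assumed override of
# /var/log so the functions can be pointed at constructed files.
LOG_DIR="${LOG_DIR:-/var/log}"

# Read a log whether or not rotation compressed it.
log_cat() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# List the live file and the rotated siblings that actually exist.
# (Word-splitting this output is fine: /var/log names carry no spaces.)
log_family() {
    for f in "$LOG_DIR/$1" "$LOG_DIR/$1".[0-9]* "$LOG_DIR/$1"-[0-9]*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Count lines matching an extended regex in each member of the family,
# printing "<file> <count>" per file and "total <n>" last. Old copies
# matter: a pattern that only appears in messages.1 is still evidence.
log_count() {
    total=0
    for f in $(log_family "$2"); do
        n=$(log_cat "$f" | grep -Ec "$1") || true   # grep -c exits 1 on zero hits
        printf '%s %s\n' "$f" "$n"
        total=$((total + n))
    done
    echo "total $total"
}

# Just the total, for use in scripts and checks.
log_total() {
    log_count "$1" "$2" | awk '/^total / { print $2 }'
}

log_count 'Failed password' messages
```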