Exploring the Linux Kernel
How the Kernel Boots
I have more details on another page, but the short version of Linux booting is as follows:
The firmware on the motherboard runs a power-on
self-test and finds the boot loader.
- On older PC platforms, the BIOS found the Master Boot Record (MBR), the first 512-byte block of the first media. That MBR points to a boot loader stored on the disk.
- Modern PC motherboards use UEFI firmware. It must find a specially labeled partition called the EFI System Partition or ESP, which must contain a FAT file system. The firmware runs a specified program within that, which in turn finds andr runs the boot loader.
- On non-PC hardware (e.g., Alpha, UltraSPARC), the boot loader is a mini-OS and operates somewhat like the UEFI firmware.
- The boot loader uncompresses the compressed kernel image and loads it into RAM. More details on the kernel file format appear below.
- The boot loader also uncompresses an initial RAM disk image and loads it into memory, the kernel mounts that up as its root file system for a while.
- The kernel discovers the available hardware, or at least what it needs and knows about initially.
- The real root file system is mounted in read-only mode.
The kernel starts
/sbin/initand now we're under the control of the boot files on the disk rather than what's coded into the kernel itself.
- The root file system is checked and then remounted in read/write mode.
- Some kernel modules (also called device drivers) may be loaded, and they may detect more hardware.
- A collection of scripts is run to get the system into the desired run state.
That's the simple version.
See my details page for much more.
Where Are The Pieces Installed?
While the kernel components can go anywhere you want to
hide them, you will generally find the following files
installed within the
Replace the string
the following with whatever your kernel release is,
the result of running the command
Depending on your distribution, if you have multiple kernels
installed you may see several of each file type with the
release as part of their file names, and then one symbolic
link pointing to the latest one installed through the
The monolithic kernel
This is the monolithic core of the kernel,
the main operating system file.
This file is uncompressed and loaded
into memory by the boot loader.
Typically this is
possibly with several of different releases plus one
symbolic link simply named
to the most recent file.
This is one big file with three components on a PC:
- 512-byte boot block
- Secondary boot loader
- Gzip-compressed kernel
On other hardware platforms this is simply a gzip'ed kernel. The kernel portion itself is a statically-linked ELF executable.
Why the funny name and location?
Unix traditionally boots from a file named
So the Linux developers used
Then the kernel grew too large for the boot loader to handle it, so it was gzip'ed and the "x" changed to "z".
Then disks grew large enough that the BIOS could not find
things beyond the first 1024 cylinders, so a small file
/boot was created within the
first the first partition on the disk.
Directory containing the loadable modules
These are the dynamically loaded kernel modules,
or device drivers.
The modules for a release are stored in a hierarchy beneath
contain information about the modules.
An important one is
which describes dependencies between modules.
For example, the module to support the printer device
/dev/lp0 will require the help of
a module supporting the generic parallel port,
which in turn may require the help of a module supporting
some chipset, and so on.
The initial RAM disk image
While this could be named anything within
it is typically
It is the result of creating a file system with enough
components to provide the kernel with needed device drivers
to find and read the root system on the disks,
and some programs, configuration files, shared libraries,
and device-special files to handle the initial steps
required to detect and initialize hardware and
mount the root file system.
It is the result of creating a
and compressing it with
While you could copy the file to some temporary working area, uncompress and then extract its contents, you can easily read it with this command:
# lsinitrd /boot/initrd-release.img
GRUB boot loader components
You will probably be using version 2 of GRUB, so its
components will be in
Older systems with legacy GRUB will use
System map (kernel symbol table)
This is stored in
If you care about this, then you will want to see some of
modules.* files in
Kernel build configuration
This is supposed to be in
I have found that the files provided by Red Hat are close
but not necessarily exactly what was used to build the
kernel they supply.
If you built your kernel
with the proper choice, this will be available as the
kernel data structure
In that case you are asking the kernel itself to provide
its internal record of how it was built, meaning you will
get the complete truth.
If that apparent file (actually a kernel data structure) isn't there, that feature may have been built as a loadable module. Try loading that module and trying again:
# modprobe ikconfig # zcat /proc/config.gz | less
See more on this below.
These may be available as
You may need these this header file to compile
some C/C++ programs.
The kernel source code itself under
/usr/src/linux is another possible source
for these headers.
How Was My Kernel Built? What Device Drivers Does It Have? What Can It Do?
You need this information. For some reason Red Hat doesn't think you really need to figure it out on your own, I guess you're supposed to call their support line.
There should be a configuration file describing the set of device drivers built into the monolithic kernel and the set built as loadable modules. There will also be some configuration choices made for some of them — for example, for a non-native file system type like NTFS, should it be supported read-only or read-write?
build a Linux kernel,
the configuration you create to define the build itself
ends up as the file
see my page on building Linux kernels
for more details.
If you built your own kernel, you should have kept that
file or a copy.
Many distributions give you the file
with the implication that this is the configuration used to
build the kernel you got.
They might have gotten better about this,
but I was misled by Red Hat enough times when working
with Linux on the Alpha architecture that I
no longer trust their config file to be any
more than a fairly close approximation.
If it's all you have, understand that it may be close
but not completely correct.
To be confident that you are getting the real
ask the kernel to describe itself.
If the kernel was built with the right settings, its build
configuration is available as a kernel data structure that
you can access as
The configuration variables are:
They are set when configuring the build by:
General setup → Kernel .config support → Enable access to .config through /proc/config.gz
To see the list of available device drivers, you could use either of these commands:
$ modprobe -l $ ls -R /lib/modules/$( uname -r )/kernel
That's only somewhat useful, as that just gives you a list
of file names.
If you installed the source code (and why not?),
see the text files in:
You can also find information on a specific module this way:
$ modinfo module-name-goes-here
The information you get is up to the developers of that module. So you might get something very useful, with an explanation, a list of load-time optional parameters and what they mean, and so on. Or you might get a cryptic table of hexadecimal addresses and a list of PCI bus addresses and a reminder that you can always read the C source code and figure it out from there.
Loading and Unloading Modules
Let's say you just added an Ethernet card but you don't
know if whether needs the
Based on what you saw on the card and its chips,
or maybe in the output of the
lspci -v command,
you think it's one of the two.
But you don't know which one.
Try loading one of them and examining the end of the kernel ring buffer with this command sequence:
# modprobe 8139cp # dmesg | tail
Let's say that you only saw this output, generated by the module announcing itself as it loaded:
8139cp: 10/100 PCI Ethernet driver v1.3 (Mar 22, 2004)
That doesn't look too promising. So let's unload it, and then load the other:
# rmmod 8139cp # modprobe 8139too # dmesg | tail
Now we see this output at the end of the kernel ring buffer:
8139too Fast Ethernet driver 0.9.28 ACPI: PCI Interrupt Link [APC2] enabled at IRQ 17 8139too 0000:01:09.0: PCI INT A -> Link[APC2] -> GSI 17 (level, high) -> IRQ 17 eth0: RealTek RTL8139 at 0xf8394000, 00:11:95:1e:8e:b6, IRQ 17 eth0: Identified 8139 chip type 'RTL-8100B/8139D'
Hey, that's it!
Now we know which driver to specify in
/etc/modprobe.conf or wherever.
What Is My Kernel Doing Right Now?
See the kernel ring buffer with this command:
It's a ring buffer, so it only keeps the most recent
It's a good idea to save a copy as soon as possible after
/var/log/dmesg is an obvious place to
If your distribution didn't think of this simple
improvement, add it yourself by adding this to the
end of your
echo "Saving the kernel ring buffer in /var/log/dmesg dmesg > /var/log/dmesg
See what kernel modules are currently loaded with this command:
Let's see you see two lines reading like the following among all the output:
ext3 125412 8 nf_conntrack_ftp 12704 1 nf_nat_ftp
This means that the module
has been loaded (it's needed to handle FTP connections
through a Linux firewall), and that module is needed
by another module,
nf_nat_ftp, a module used
to handle FTP connections through
Network Address Translation or NAT.
ext3 has been loaded, as it must to
handle the Linux-native Ext3FS file systems.
No other module needs
ext3, but it could not be
unloaded as the kernel needs it to handle all the file
systems currently in use!
The first number after the module name indicates the size of the module in bytes. The second number indicates that the number of things currently requiring the module. That FTP connection tracking module is needed by one thing, that other module that requires it. The Ext3FS module is needed by 8 things — the number of currently mounted Ext3FS file systems.
Kernel Hardware Detection
/proc file system is really a large collection
of kernel data structures presented in a reasonably
It appears to be a hierarchy of directories and files,
which you can explore with
and investigate in many cases with
What has my kernel detected about the CPU, memory, and partition table?
$ cat /proc/cpuinfo .... details appear here .... $ cat /proc/meminfo .... details appear here .... $ cat /proc/partitions .... details appear here ....
What devices have been connected to the kernel?
Note that the loading of kernel modules may lead to
the detection of more hardware and the automatic
appearance of more device-special files in
$ ls /dev
What devices are on the PCI bus? Let's see that in one line per device, then in moderate detail, then in great detail.
$ lspci .... output appears .... $ lspci -v .... much more output appears .... $ lspci -vv .... more output appears than you probably want to see ....
What about moderate details on the device at PCI bus address 01:08.0?
$ lspci -v -s 01:08.0
What USB devices are connected? Let's see that in one line per device, then in moderate detail, then in great detail.
$ lsusb .... output appears .... $ lsusb -v .... much more output appears .... $ lsusb -vv .... more output appears than you probably want to see ....
What about another way to report on the USB bus?
$ systool -v -b usb
What about SCSI devices, including USB storage devices that appear as generic SCSI devices?
$ systool -v -b scsi
Kernel Data Structures and Kernel Tuning
What is the complete current set of kernel data structures, by their name and value?
$ sysctl -a
The kernel data structure
is accessible as the file
Instead of that
sysctl command, you could have
changed to the directory
displayed its contents with
You can read the current values of these kernel timers, counters, and other fields. You can also change them! This has the effect of flipping a switch or twisting a knob on the running kernel. Now let's say that your enthusiastic modification of kernel values accidentally puts your running kernel into a bizarre state — this is not at all unlikely if you aren't careful. All you have modified is the running kernel in RAM, the kernel file stored on the disk is unchanged. Reboot with a fresh kernel and you're back to the default state.
Read just one specific kernel data structure:
$ sysctl net.ipv4.tcp_fin_timeout -- or -- $ cat /proc/sys/net/ipv4/tcp_fin_timeout
Change that kernel value to 10 (seconds in this case),
you will need to be
root to do this:
# sysctl -w net.ipv4.tcp_fin_timeout=10 -- or -- # echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
Why would you want to mess with kernel values? To tune the running kernel for performance or security. See my page on security tuning suggestions for far more detail.
If you come up with a collection of adjustments that you
find useful, you could either put the relevant
sysctl -w command sequence into
/etc/rc.local or else you could put the relevant