An introduction to daemons
The real-world
(i.e., non-computer) definition of “daemon” is either a spirit (an evil one) or
an inner or private voice. It’s interesting to note that each of the real-world
definitions actually does apply to Unix daemon programs. Like mythological
daemons, Unix daemon programs skulk around unseen in the background just as a
daemon would. And daemons act like an inner voice in that they can run continuously
and, like a conscience, can always be accessed.
An introduction to services
The daemons
referenced in /etc/init.d are configured to be run as Linux services. Services
are programs that are started and stopped through the init scripts in the
/etc/init.d directory. Many of these services are launched when the system is
booted. The /sbin/service utility provides a consistent interface to executing
the init scripts. The init scripts provide a consistent interface to managing a
service by providing options that start, stop, restart, query status, and perform other actions on service. For
example, the httpd service init script provides these options:
/sbin/service httpd
Usage: httpd {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}
You can view the
current state of all services with this option to the service utility:
/sbin/service –status-all
acpid (pid 2481) is running...
anacron (pid 2647) is running...
atd (pid 2657) is running...
auditd (pid 2189) is running...
....
Runlevel
information for these services, that is, the settings for which system runlevel
the service will be started at boot time, can be queried and modified with the
chkconfig utility. For example, to query the current settings for the syslog
service:
/sbin/chkconfig --list syslog
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
This shows
that that syslog service will be automatically started at boot-time for
runlevels 2, 3, 4, and 5. To set the service to not start for runlevels 3 and 4
(not a good idea, by the way), you would use these options for the chkconfig
utility:
/sbin/chkconfig –levels 34 syslog off
The
/usr/bin/system-config-services utility provides a GUI interface that enables
you to both query and modify the current state of a service, as well as its
defined run levels.
Let’s look at
how these services and daemons appear in output from ps. Here’s a short list:
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 23:36 ? 00:00:00 init [5]
root 2161 1 0 23:37 ? 00:00:00 auditd
root 2177 1 0 23:37 ? 00:00:00 syslogd -m 0
root 2180 1 0 23:37 ? 00:00:00 klogd -x
root 2207 1 0 23:37 ? 00:00:00 mcstransd
root 2254 1 0 23:37 ? 00:00:00 rpc.statd
root 2287 1 0 23:37 ? 00:00:00 rpc.idmapd
root 2577 1 0 23:37 ? 00:00:00 crond
root 2631 1 0 23:37 ? 00:00:00 /usr/sbin/atd
root 2654 1 0 23:37 ? 00:00:00 rhnsd --interval 240
What’s
important to note here? (Other than I’m staying up too late at night, that is.)
For each of the daemons, the parent process ID (PPID) is 1. This indicates that
the daemons were started up during the boot process by init.
A useful tool
for viewing the “tree” of processes and their parents is “pstree.” Here’s a
fragment of the output from pstree:
init-+
|-NetworkManager---2*[{NetworkManager}]
|-NetworkManagerD
|-acpid
|-atd
|-auditd-+-python
| `-{auditd}
|-avahi-daemon---avahi-daemon
|-bonobo-activati---{bonobo-activati}
|-crond
|-cupsd---cups-polld
|-2*[dbus-daemon---{dbus-daemon}]
|-dbus-launch
|-dhcdbd---dhclient
A closer look at your system’s daemons
So much for
background information. Let’s take a look at your system’s daemons and see
which ones you can safely play with. Note that for this article, the system
used was running the Red Hat Enterprise Linux Beta 2 release, workstation
configuration. Based on your specific system, you may see more or fewer daemons,
or even some not included here.
We’ve listed
web-sites where you can learn more about these daemons, but the best place to
start learning is the manpage.
acpid
This is the
daemon for the Advanced Configuration and Power Interface (ACPI). ACPI is an
open industry standard for system control related actions, most notably
plug-and-play hardware recognition and power management, such as startup and
shutdown and putting systems into low poser consumption modes.
You’ll
probably never want to shut down this daemon, unless you are explicitly instructed
to do so to debug a hardware problem.
anacron
One of the
problems with living on a laptop, as so many of us do these days, is that when
you set up a cron job to run, you can’t always be sure that your laptop will be
running at the time that the job should run. anacron (the name refers to its
being an “anachronistic cron”) gets around this problem by scheduling tasks in
days. For example, anacron will run a job if the job has not been run in the
specified number of days.
When are you
safe not running anacron? When your system is running continuously. Should you
simply stop cron from running if you have anacron running? No; anacron is able
to specify job intervals in days, not hours and seconds.
apmd
This is the
daemon for the Advanced Power Management (APM) BIOS driver. The APM hardware
standard and apmd are being replaced by ACPI and acpid. If your hardware
supports ACPI, then you don’t need to run apmd.
atd
This is the
daemon for the at job processor (at enables you to run tasks at specified
times). You can turn off this daemon if you don’t use it.
autofs
This daemon
automatically mounts disks and file systems that you define in a configuration
file. Using this daemon can be more convenient that explicitly mounting
removable disks.
auditd
The Linux
Auditing System provides kernel-resident logging of system calls and user space
tools to collect and view the logs. The auditd daemon writes the logging
records to disk. auditd is configurable to allow control over what information
is written to the logs.
Why should you
keep auditd running? The information in the log may prove useful in debugging
security-related issues. For example, auditd is used to log SELinux events.
There are also utilities such as aureport that enable you to view the audit
log. Here’s an example of a report generated by aureport:
Summary Report
======================
Range of time in logs: 11/28/2006 06:07:04.800 - 02/06/2007 21:10:09.957
Selected time for report: 12/31/1969 19:00:00 - 02/06/2007 21:10:09.957
Number of changes in configuration: 285
Number of changes to accounts, groups, or roles: 32
Number of logins: 145
Number of failed logins: 11
Number of users: 2
Number of terminals: 22
Number of host names: 11
Number of executables: 27
Number of files: 91
Number of AVC denials: 688
Number of MAC events: 12
Number of failed syscalls: 404
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 14022
Number of events: 70694
cpuspeed
This daemon
adjusts the CPU speed based on the power consumption. Less power is used when
the CPU is idle, and more power is available when needed to improve
performance. If you’re running on a laptop, you might want to consider running
cpuspeed.
crond
This daemon
automates the running of tasks. These jobs are necessary for any Linux or Unix
system. Don’t stop or disable this one.
CUPS and cups-config-daemon
This daemon is
the “Common UNIX Printing Solution.” Like the name implies, it’s a printing
system that can handle multiple data formats and printers. If you want to
print, leave this daemon running.
dhcdbd
This is the
DHcp Client D-Bus Daemon.
D-Bus
is a message bus system, a simple way for applications to talk to one another.
In addition to interprocess communication, D-Bus helps coordinate process
lifecycle; it makes it simple and reliable to code a “single instance”
application or daemon, and to launch applications and daemons on demand when
their services are needed.
Do you want to
run this daemon? If you’re running your system on a network (and who isn’t?),
especially if you’re moving between networks such as when you move from a wired
network to wireless as you move around your office, then you should be running
NetworkManager. (We’ll discuss NetworkManager in a bit.)
The dhcdbd
daemon provides a D-Bus interface to dhclient, the DHCP client from ISC. This
makes it possible for NetworkManager can to query and control dhclient.
gpmd
This daemon
enables you to use your mouse in text-based applications such as the Midnight Commander file manager and on the console. You
might find this useful if you’re working through situations in the console;
otherwise, you’ll be working in the X windowing system and you might never need
gpmd.
hald
No, this isn’t
related to the evil computer in the film “2001, A Space Odyssey.” In this
context, HAL refers to the “Hardware Abstraction Layer.” The HAL daemon
collects this information about hardware devices from the kernel and the
hardware and makes it available in a consistent manner.
Don’t turn off
this daemon. Multiple applications rely on it.
hplipd
This daemon
supports HP Linux Imaging and Printing (HPLIP) for printing, scanning, and
faxing with HP inkjet and laser printers. HPLIP works CUPS by providing a
backend to connect to HP devices.
hsqldb
This is the
daemon for a Java relational database. The daemon gets its name from the Hypersonic SQL project that has been discontinued.
hsqldb is used widely in open source projects such as OpenOffice (it’s the
database behind the “base” feature) and is often used in demonstration
programs, as it can run entirely in memory. It also runs fast. Should you run
this daemon? Only if you have a specific program that makes use of it. But,
it’s a very useful tool, and if you’re not familiar with it, it’s worth taking
a look.
httpd
The Apache web
server. Used by almost 60% of all websites. If you want to host a website, you
run Apache. Need we say more?
ip6tables and iptables
These daemons
are firewalls. A firewall, is an
“information technology (IT) security device which is configured to permit,
deny or proxy data connections set and configured by the organization’s
security policy. Firewalls can either be hardware and/or software based.”
iptables
functions by maintaining tables of IPv4 packet filter rules in the kernel. It
checks incoming and outgoing packets against these rules and blocks packets
that don’t meet the rules. ip6tables does the same for IPv6 packets.
Which should
you run? Both. Always. It’s a dangerous world on the ‘net.
irda
IrDA (Infrared
Data Association) is an industry standard for inter-device wireless, infrared
communications. Most laptops are configured with an IrDA infrared transceiver.
You only need to run this daemon if you need to communicate via an infrared
connection to other devices.
irqbalance
This daemon
distributes hardware interrupts to the CPUs in SMP (symmetric processor:
multi-processor architecture) systems to increase performance. The daemon
balances savings in power consumption with performance.
You need not
run this daemon on single processor systems, as it only has an effect on
multiple-processor systems. Red Hat Kbase articles1 indicate that irqbalance is
relevant on x86, x86_64, and AMD systems.
mdmonitor and mdmpd
These two
daemons are used with RAID (redundant array of inexpensive/independent disks)
data storage systems. Mdmonitor starts, stops, and reloads the mdadm (multipath
device monitoring and management) software RAID monitoring and management
utilities. You should only run these daemons if you have RAID storage in your
system.
messagebus
This is the
D-BUS system-wide message bus daemon. This daemon broadcasts notifications of
system events and such as changes in the printer queue or the adding and
removing of devices. (Note that this is not the same operation as Kudzu, as it
can take place while the system is running and not only at boot time.)
netplugd and ifplugd
These daemons
configure Ethernet devices when cables are plugged in and deconfigure them when
the cables are removes. Why would you want this to happen? It makes sense for
laptops so that your network connections are only brought up when their cables
are attached.
Note that the
development of netplugd has been discontinued in favor of ifplugd.
NetworkManager and NetworkManagerDispatcher
The
NetworkManager daemon automates switching between network connections. This is
a useful daemon for laptop users who switch between wireless WiFi connections
and Ethernet connections. The NetworkManagerDispatcher daemon automatically
runs scripts (including scripts to force any actions that you want to have
happen such as setting up specific routes) when NetworkManager changes the
network state.
named
This daemon is
the Domain Name Server. You’ll need to run this daemon only if your system is
acting as a DNS server for your network.
nfsd
The nfs daemon
supports the nfs communications protocol for file sharing across TCP/IP
networks. You’ll want to run this daemon if you make use of file systems shared
with nfs.
nscd
This is the
name service cache daemon. It takes care of group and password lookups for running
programs and then caches the lookup results for the next query for services
that can experience slowness in picking up changes such as NIS or LDAP. If
you’re running these services, you may want to run nscd.
ntpd
This is the
Network Time Protocol daemon. This deamon sets and maintains the system time of
day by keeping it in synch with Internet standard time servers. If your system
is connected to the Internet (and who isn’t?) then running ntpd will keep your
system time correct.
pcscd
This is the
PC/SC Smart Card Daemon. pcscd is the daemon for pcsc-lite (middleware for
accessing smart cards) and the (java-based) MuscleCard framework. It enables
communications with smart card readers and smart cards.
(A smart card
is a card that is embedded with either a memory chip or microprocessor and a
memory chip. And Muscle is the Movement for the Use of Smart Cards in a Linux
Environment.)
portmap
The portmapper
daemon manages RPC (remote procedure call) connections. It converts RPC program
numbers into TCP/IP (or UDP/IP) protocol port numbers. The most common use of
portmapper is by NFS and NIS.
So, if your
system relies on NIS or NFS, don’t turn off the portmap daemon.
postfix
This daemon is
a mail transport agent. Unless your system is a mail relay server, you don’t
need to run this daemon.
rdisc
This daemon
(the router discovery daemon) discovers routers on the local subnet. It is run
at boot time to populate the network routing tables with default routes.
restorecond
This is an
SELinux daemon. restorecond watches for file creation (of files listed in
/etc/selinux/restorecond.conf) and then ensures that the files have the correct
file context associated with the policy, and then sets the default SELinux file
context.
Don’t turn
this one off. SELinux needs it.
rhnsd
This daemon
periodically checks for actions that have been scheduled though the Red Hat
Network web interface and runs them. This includes actions such as installing,
removing, or updating software, rebooting the system, starting a kickstart
installation, or installing configuration files.
rpcgssd and rpcidmapd and rpcsvcgssd
The rpcgssd
and rpcsvcgssd daemons handle security for RPC. The rpcidmapd maps user names
to UID and GID numbers.
If you’re
running NFS or NIS, then you should have these daemons running.
readahead_early and readahead_later
The readahead
daemon causes the programs used during startup to be loaded into memory before
they are needed, to improve startup performance.
saslauthd
This is the
SASL authentication server daemon. SASL is the Simple Authentication and
Security Layer and allows for adding authentication to connection-based
protocols.
sendmail
This is a SMTP
(Simple Mail Transfer Protocol) server. sendmail moves mail from one system to
another as a Mail Transport Agent. If you run a mail program such as
Thunderbird or Evolution, you don’t need to run sendmail.
setroubleshoot
This is the
SELinux Troubleshooting Daemon. setroubleshooter is one of the great recent
additions to SELinux. setroubleshooter provides real-time feedback to users on
SELInux AVC denials. And it provides this feedback in a easy to follow format.
smartd
This daemon
monitors the SMART (Self-Monitoring, Analysis and Reporting Technology) systems
included in many types of disk drives, such as SCSI-3 type drives. The daemon
will monitor reliability and performs self-tests. You should run this daemon if
your hardware supports it.
spamassassin
This daemon
uses the Apache SpamAssassin program to check email for SPAM. It is usually run
on a mail deleivery agent (MDA) server. If you use a client program such as Thunderbird
or Evolution to access your mail, then you don’t need to run spamassassin.
sshd
This is the
daemon for open ssh. ssh replaces the insecure rsh and rlogin programs and
enables encryption for communications between hosts over insecure networks. If
you connect with other systems over the public Internet, you want to use ssh
and run this daemon.
syslog
syslog is the
standard logging system for Linux systems. Don’t turn this one off.
winbind
This daemon is
part of the Samba suite and enables Windows domain users to function as Unix
users on Unix servers. You may want to run this daemon if you’re dealing with a
mixed PC and Linux/Unix network.
xfs
This damon is
the xfs font server. This daemon loads fonts into memory to enable X
applications to run faster than if they had to load the fonts from disk. This
daemon is worth running to improve application performance.
ypbind
This daemon
binds NIS clients to an NIS domian. The “yp” refers to “yellow pages,” as the
NIS directory of user accounts acts like the telephone book yellow pages. You
only want to run this daemon if your system relies on NIS (Network Information
Service) for user accounts and system names.
yum-updatesd
yum-updatesd
checks for software updates and can send notifications of these updates via
mail, dbus, or syslog messages, or can automatically install the updates. The
dbus messages are picked up by the “puplet” (package updater), which notifies
the user of the updates and lets the user install them.