Re: How to investigate mysterious processes

Dave Burns wrote:
> On Wed, Feb 20, 2008 at 10:47 PM, Tomasz Torcz <tomek@xxxxxxxxxxxxx> wrote:
>> On 20-02-2008, Wed at 10:40 -1000, Dave Burns wrote:
>>> When I do ps -ef, I see a mysterious process:
>>>
>>> ps -ef|grep scsi_eh_5
>>> root     31004    11  0 09:29 ?        00:00:00 [scsi_eh_5]
>>>
>>> How do I figure out what is really running, what rpm it's from, etc.?
>>> What do the brackets [...] indicate?
>>
>> "ps" prints brackets when process arguments are not available to read.
>
> What gets put inside the brackets?
>
>> This is typical for kernel threads.
>
> So [] always means kernel thread, or sometimes? Usually? Kernel thread
> until proven innocent?

Not always. I can name an executable binary [foo] so the casual observer thinks it's a kernel thread, when it's actually a rootkit. The catch is the ppid. On my box, all my kernel threads have a ppid of 2. pid 2 is [kthreadd], which is the parent of all real kthreads. This number could vary between kernels, but the idea is the same, at least on newer kernels.

>> scsi_eh_5 is a kernel thread, a SCSI
>> Error Handler. It is spawned for each SCSI host in the computer (there
>> should be an EH thread for each /sys/class/scsi_host/* )
>
> How did you figure this out? What documentation could I consult to
> find this answer myself?

Kernel source? I've generally accepted that the price of constant innovation is that some things change too rapidly to make documenting them outside of the code worthwhile. Whether or not this example qualifies is of course debatable.

As long as they're actually kthreads (ppid is the pid of kthreadd), I generally don't worry about them, as long as they're not chewing up a lot of CPU. If they *are* chewing up a lot of CPU, that may mean something is wrong, most likely a driver bug in the case of scsi_eh_*.

> The actual answer to the question is less important to me than
> learning how to find the answer.
> Thanks,
> Dave
>
>> --
>> Tomasz Torcz

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
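
The parent-PID check described in the reply above, as an added example that is not part of the original thread: it lists bracketed `ps` entries that are neither kthreadd nor one of its children. It assumes procps `ps -eo pid,ppid,args` output and a kernel where kthreadd exists with PPID 0; the function names and the sample process list are constructed for illustration.

```python
import subprocess

# Constructed sample of `ps -eo pid,ppid,args` output (not from the thread).
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 /sbin/init
    2     0 [kthreadd]
    3     2 [ksoftirqd/0]
  412     2 [scsi_eh_5]
 4242     1 [foo]
 4300  4242 /bin/sh -c sleep 60
"""

def parse_ps(text):
    """Yield (pid, ppid, args) from `ps -eo pid,ppid,args` output."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 2)
        if len(fields) == 3:
            yield int(fields[0]), int(fields[1]), fields[2].strip()

def find_kthreadd(procs):
    """PID of the real kthreadd: named [kthreadd] and parented by PID 0."""
    for pid, ppid, args in procs:
        if args == "[kthreadd]" and ppid == 0:
            return pid
    return None  # e.g. older kernels, or a container that hides kernel threads

def fake_kthreads(text):
    """Bracketed entries that are not kthreadd or one of its children."""
    procs = list(parse_ps(text))
    kthreadd = find_kthreadd(procs)
    if kthreadd is None:
        raise RuntimeError("no [kthreadd] with PPID 0 found; cannot compare")
    return [(pid, ppid, args) for pid, ppid, args in procs
            if args.startswith("[") and args.endswith("]")
            and pid != kthreadd and ppid != kthreadd]

def live_ps():
    """Process list of the running host, in the format parse_ps expects."""
    return subprocess.run(["ps", "-eo", "pid,ppid,args"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    for pid, ppid, args in fake_kthreads(SAMPLE_PS):
        print(f"suspicious: pid={pid} ppid={ppid} {args}")
```

Pass `live_ps()` instead of `SAMPLE_PS` to check the running host; a hit is a lead to follow up, for example by looking at `/proc/<pid>/exe`, which points at a binary for a userland process.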




