Is there a way to tell in Linux if a binary program that is running matches the file on the disk?


Suppose a binary executable program is running.

For example: ps -eaf | grep someserver

shows someserver running.

Is it possible to tell if the someserver executable on disk (e.g. /usr/bin/someserver) matches the program that was started?

Yes: use the soft link /proc/$pid/exe to get the path that was used to load the code.

Then look at /proc/$pid/maps. It looks like this (for /sbin/getty):

00400000-00407000 r-xp 00000000 08:01 3145779                            /sbin/getty
00606000-00607000 r--p 00006000 08:01 3145779                            /sbin/getty
00607000-00608000 rw-p 00007000 08:01 3145779                            /sbin/getty
... lots more ...

Filter the file using the path you got from the soft link to find the lines that are interesting to you.

The last number (3145779) is the inode of the file. When you create a new file on disk, it gets a new inode.

To see the inode of the file, use ls --inode /sbin/getty:

3145779 /sbin/getty 

Since the two numbers are still identical, the executable on disk is the same as the one in RAM.

Background: Linux doesn't load processes into RAM all at once. Instead, the executable file is memory-mapped into RAM using the virtual memory subsystem. This means that parts of the executable which you never use are never loaded into memory. It also means that the kernel uses the executable on disk as a "cache".

When you overwrite the executable on disk, the original inode is not changed. Your existing process hangs on to it. Instead, a new inode is created and the directory node (which contains the file name and a pointer to the inode with the data) is updated. This is why you can overwrite files that are in use on Linux.

The original inode is cleaned up when the last process that uses it dies.
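The inode comparison described in the answer, automated as an added example (not code from the original answer). The function names and `SAMPLE_MAPS` are assumptions made for illustration; the sample reuses the /sbin/getty lines quoted above plus one constructed `[stack]` line.

```python
import os

DELETED = " (deleted)"  # suffix the kernel appends once the file is unlinked

# Constructed sample: the /sbin/getty lines quoted above plus one other mapping.
SAMPLE_MAPS = """\
00400000-00407000 r-xp 00000000 08:01 3145779                            /sbin/getty
00606000-00607000 r--p 00006000 08:01 3145779                            /sbin/getty
00607000-00608000 rw-p 00007000 08:01 3145779                            /sbin/getty
7ffd5c0e1000-7ffd5c102000 rw-p 00000000 00:00 0                          [stack]
"""

def strip_deleted(name):
    """Drop the ' (deleted)' marker so the path can be compared and stat()ed."""
    return name[:-len(DELETED)] if name.endswith(DELETED) else name

def mapped_inodes(maps_text, path):
    """Inode numbers that a /proc/<pid>/maps dump records for `path`."""
    inodes = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # address perms offset dev inode pathname
        if len(fields) == 6 and strip_deleted(fields[5]) == path:
            inodes.add(int(fields[4]))
    return inodes

def exe_matches_disk(pid):
    """Return (matches, path, running_inodes, disk_inode) for a live process."""
    path = strip_deleted(os.readlink(f"/proc/{pid}/exe"))
    with open(f"/proc/{pid}/maps") as maps:
        running = mapped_inodes(maps.read(), path)
    try:
        disk = os.stat(path).st_ino    # inode the path points at right now
    except FileNotFoundError:
        disk = None                    # removed and nothing put in its place
    return running == {disk}, path, running, disk

if __name__ == "__main__":
    print(mapped_inodes(SAMPLE_MAPS, "/sbin/getty"))
    print(exe_matches_disk(os.getpid()))
```

Reading /proc/$pid/exe and /proc/$pid/maps of another user's process needs root. A `False` result means the path now points at a different inode (or at nothing), so the process is still running the older file.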

