•Audit subsystem: This subsystem implements functions related to recording of
4.2.1.2Execution components
The execution components of the kernel can be divided into three components: base kernel, kernel threads, and kernel modules depending on their execution perspective.
Figure 4-4: Kernel execution components
4.2.1.2.1Base kernel
The base kernel includes the code that is executed to provide a service, such as servicing a user’s system call invocation, or servicing an interrupt or exception event. A majority of the compiled kernel code falls under this category.
4.2.1.2.2Kernel threads
In order to perform certain routine tasks such as flushing disk caches, reclaiming memory by swapping out unused page frames, the kernel creates internal processes, or threads.
Threads are scheduled just like regular processes, but they do not have context in user mode. Kernel threads execute specific C kernel functions. Kernel threads reside in kernel space, and only run in the kernel mode. Following are some of the kernel threads:
•keventd is a process context
•kapmd is a special idle task that handles the events related to Advanced Power Management.
•kswapd is a kernel swap daemon responsible for reclaiming pages when memory is running low. The physical page allocator awakens it when the number of free pages for a memory zone falls below a specific threshold.
•pdflush is a kernel thread that periodically flushes “dirty” buffers to disk based on a timer. Multiple pdflush threads may run up to the maximum tunable by
/proc/sys/vm/nr_pdflush_threads.
•kjournald is a process that manages the logging device journal, periodically commits the current state of the file system to disk, and reclaims space in the log by flushing buffers to disk.
•Kernel threads are created with a call to kernel_thread(), and users can list them with the ps axu command. The command shows the kernel threads in square brackets, and can be recognized by their virtual memory size (VSZ) of 0; an example is [kjournald].
25
