What is the purpose of each process launched at startup on Ubuntu Server 16.04 x64?

NOTE: I have also included this post in its entirety in my post about htop

I launched a Digital Ocean droplet with Ubuntu Server.

Then I installed htop to look at the currently running processes.

I had no idea what half of them do. Do I even need them?

Here are my research notes on the processes that are run at startup on a fresh Digital Ocean droplet with Ubuntu Server 16.04.1 LTS x64.

Before

/sbin/init

The /sbin/init program (also called init) coordinates the rest of the boot process and configures the environment for the user.

When the init command starts, it becomes the parent or grandparent of all of the processes that start up automatically on the system.

Is it systemd?

$ dpkg -S /sbin/init
systemd-sysv: /sbin/init

Yes, it is.

What happens if you kill it?

Nothing.

/lib/systemd/systemd-journald

systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sources.

In other words:

One of the main changes in journald was to replace simple plain text log files with a special file format optimized for log messages. This file format allows system administrators to access relevant messages more efficiently. It also brings some of the power of database-driven centralized logging implementations to individual systems.

You are supposed to use the journalctl command to query log files.

journalctl _COMM=sshd                    # logs by sshd
journalctl _COMM=sshd -o json-pretty     # logs by sshd in JSON
journalctl --since "2015-01-10" --until "2015-01-11 03:00"
journalctl --since 09:00 --until "1 hour ago"
journalctl --since yesterday
journalctl -b                            # logs since boot
journalctl -f                            # to follow logs
journalctl --disk-usage
journalctl --vacuum-size=1G

Pretty cool.

It looks like it is not possible to remove or disable this service; you can only turn off logging.

/sbin/lvmetad -f

The lvmetad daemon caches LVM metadata, so that LVM commands can read metadata without scanning disks.

Metadata caching can be an advantage because scanning disks is time consuming and may interfere with the normal work of the system and disks.

But what is LVM (Logical Volume Management)?

You can think of LVM as "dynamic partitions", meaning that you can create/resize/delete LVM "partitions" (they're called "Logical Volumes" in LVM-speak) from the command line while your Linux system is running: no need to reboot the system to make the kernel aware of the newly-created or resized partitions.

It sounds like you should keep it if you are using LVM.

$ lvscan
$ sudo apt remove lvm2 -y --purge

/lib/systemd/udevd

systemd-udevd listens to kernel uevents. For every event, systemd-udevd executes matching instructions specified in udev rules.

udev is a device manager for the Linux kernel. As the successor of devfsd and hotplug, udev primarily manages device nodes in the /dev directory.

So this service manages /dev.

I am not sure if I need it running on a virtual server.

/lib/systemd/timesyncd

systemd-timesyncd is a system service that may be used to synchronize the local system clock with a remote Network Time Protocol server.

So this replaces ntpd.

$ timedatectl status
      Local time: Fri 2016-08-26 11:38:21 UTC
  Universal time: Fri 2016-08-26 11:38:21 UTC
        RTC time: Fri 2016-08-26 11:38:20
       Time zone: Etc/UTC (UTC, +0000)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no

If we take a look at the open ports on this server:

$ sudo netstat -nlput
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2178/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      2178/sshd

Lovely!

Previously on Ubuntu 14.04 it was:

$ sudo apt-get install ntp -y
$ sudo netstat -nlput
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1380/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1380/sshd
udp        0      0 10.19.0.6:123           0.0.0.0:*                           2377/ntpd
udp        0      0 139.59.256.256:123      0.0.0.0:*                           2377/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2377/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2377/ntpd
udp6       0      0 fe80::601:6aff:fxxx:123 :::*                                2377/ntpd
udp6       0      0 ::1:123                 :::*                                2377/ntpd
udp6       0      0 :::123                  :::*                                2377/ntpd

Ugh.
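The comparison above can be turned into a repeatable check. This is an added example, not part of the original post: it reads `netstat -nlput` output and reports every socket owned by a program outside an allowlist. The function names, the allowlist argument and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets owned by programs outside an allowlist.
# Real use: sudo netstat -nlput | unexpected_listeners "sshd"

# $1 is a space-separated allowlist of program names (hypothetical parameter).
unexpected_listeners() {
    awk -v allowed="${1:-sshd}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Socket rows start with tcp, tcp6, udp or udp6; header rows are skipped.
        $1 ~ /^(tcp|udp)6?$/ {
            prog = $NF                   # last column is PID/Program name
            sub(/^[0-9]+\//, "", prog)   # strip the PID/ prefix
            if (!(prog in ok)) {
                # A bind to 0.0.0.0 or :: is reachable on every interface.
                scope = ($4 ~ /^(0\.0\.0\.0|::):/) ? "all-interfaces" : "specific-address"
                print $1, $4, prog, scope
            }
        }'
}

# Constructed sample, modelled on the Ubuntu 14.04 output with ntpd installed.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1380/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1380/sshd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2377/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2377/ntpd
udp6       0      0 :::123                  :::*                                2377/ntpd
EOF
}

# Prints one line per unexpected socket: proto, local address, program, scope.
sample_netstat | unexpected_listeners "sshd"
```

When netstat runs without root, the program column is "-" for sockets owned by other users, and those rows are reported as well because "-" is not on the allowlist.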

/usr/sbin/atd -f

atd - run jobs queued for later execution. atd runs jobs queued by at.

at and batch read commands from standard input or a specified file which are to be executed at a later time

Unlike cron, which schedules jobs that are repeated periodically, at runs a job at a specific time once.

$ echo "touch /tmp/yolo.txt" | at now + 1 minute
job 1 at Fri Aug 26 10:44:00 2016
$ atq
1	Fri Aug 26 10:44:00 2016 a root
$ sleep 60 && ls /tmp/yolo.txt
/tmp/yolo.txt

I've actually never used it until now.

sudo apt remove at -y

/usr/lib/snapd/snapd

Snappy Ubuntu Core is a new rendition of Ubuntu with transactional updates - a minimal server image with the same libraries as today’s Ubuntu, but applications are provided through a simpler mechanism.

What?

Developers from multiple Linux distributions and companies today announced collaboration on the “snap” universal Linux package format, enabling a single binary package to work perfectly and securely on any Linux desktop, server, cloud or device.

Apparently it is a simplified deb package and you're supposed to bundle all dependencies in a single snap that you can distribute.

I've never used snappy to deploy or distribute applications on servers.

sudo apt remove snapd -y

/usr/bin/dbus-daemon

In computing, D-Bus or DBus is an inter-process communication (IPC) and remote procedure call (RPC) mechanism that allows communication between multiple computer programs (that is, processes) concurrently running on the same machine

My understanding is that you need it for desktop environments, but do you need it on a server that runs web apps?

sudo apt remove dbus -y

I wonder what time it is and whether it is being synchronized with NTP?

$ timedatectl status
Failed to create bus connection: No such file or directory

Oops. Should probably keep this.

/lib/systemd/systemd-logind

systemd-logind is a system service that manages user logins.

/usr/sbin/cron -f

cron - daemon to execute scheduled commands (Vixie Cron)

-f Stay in foreground mode, don't daemonize.

You can schedule tasks to run periodically with cron.

Use crontab -e to edit the configuration for your user; on Ubuntu I tend to use the /etc/cron.hourly, /etc/cron.daily, etc. directories.

You can see the log files with

grep cron /var/log/syslog

or

journalctl _COMM=cron

or even

journalctl _COMM=cron --since="date" --until="date"

You'll probably want to keep cron.

But if you don't, then you should stop and disable the service:

sudo systemctl stop cron
sudo systemctl disable cron

Because otherwise when trying to remove it with apt remove cron it will try to install postfix!
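Surprises like this one can be caught before anything is changed by simulating the removal with apt-get -s and looking at what else apt plans to do. The following is an added example, not part of the original post; the function names are hypothetical and the sample simulation output is constructed, with placeholder version strings.

```shell
#!/bin/sh
# Added example: dry-run a package removal and report anything apt would do
# beyond removing the named package.

# Parse `apt-get -s remove PKG` output on stdin; print one line per side effect.
# $1 is the package the operator intends to remove.
removal_side_effects() {
    awk -v target="$1" '
        $1 == "Inst"                 { print "INSTALL", $2 }   # new package pulled in
        $1 == "Remv" && $2 != target { print "REMOVE", $2 }    # extra package dropped
    '
}

# Exit status 0 only when the simulated removal touches nothing but the target.
removal_is_clean() {
    [ -z "$(removal_side_effects "$1")" ]
}

# Constructed sample of simulation output for the cron case described above.
sample_cron_simulation() {
    cat <<'EOF'
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  cron
The following NEW packages will be installed:
  postfix
0 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
Remv cron [1.0-example]
Inst postfix (1.0-example Ubuntu:16.04/xenial [amd64])
Conf postfix (1.0-example Ubuntu:16.04/xenial [amd64])
EOF
}

# On a real host, check every candidate before removing it:
#   for p in lvm2 at snapd lxcfs mdadm open-iscsi accountsservice policykit-1; do
#       apt-get -s remove "$p" | removal_side_effects "$p" | sed "s/^/$p: /"
#   done
sample_cron_simulation | removal_side_effects cron
```

An empty report means the removal only touches the named package; any INSTALL or REMOVE line is worth reading before running the real command.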

/usr/sbin/rsyslogd -n

Rsyslogd is a system utility providing support for message logging.

In other words, it's what populates log files in /var/log/ like /var/log/auth.log for authentication messages like SSH login attempts.

The configuration files are in /etc/rsyslog.d.

You can also configure rsyslogd to send log files to a remote server and implement centralized logging.

You can use the logger command to log messages to /var/log/syslog in background scripts such as those that are run at boot.

logger Starting doing something
logger Done doing something

Right, but we already have systemd-journald running. Do we need rsyslogd as well?

Rsyslog and Journal, the two logging applications present on your system, have several distinctive features that make them suitable for specific use cases. In many situations it is useful to combine their capabilities, for example to create structured messages and store them in a file database. A communication interface needed for this cooperation is provided by input and output modules on the side of Rsyslog and by the Journal's communication socket.

So, maybe? I am going to keep it just in case.

/usr/sbin/acpid

acpid - Advanced Configuration and Power Interface event daemon

acpid is designed to notify user-space programs of ACPI events. acpid should be started during the system boot, and will run as a background process, by default.

In computing, the Advanced Configuration and Power Interface (ACPI) specification provides an open standard that operating systems can use to perform discovery and configuration of computer hardware components, to perform power management by, for example, putting unused components to sleep, and to do status monitoring.

But I'm on a virtual server that I don't intend to suspend/resume.

I am going to remove it for fun and see what happens.

sudo apt remove acpid -y

I was able to successfully reboot the droplet but after halt Digital Ocean thought it was still on so I had to Power Off using the web interface.

So I should probably keep this.

/usr/bin/lxcfs /var/lib/lxcfs/

Lxcfs is a fuse filesystem mainly designed for use by lxc containers. On a Ubuntu 15.04 system, it will be used by default to provide two things: first, a virtualized view of some /proc files; and secondly, filtered access to the host’s cgroup filesystems.

In summary, on a 15.04 host, you can now create a container the usual way, lxc-create ... The resulting container will have “correct” results for uptime, top, etc.

It’s basically a userspace workaround to changes which were deemed unreasonable to do in the kernel. It makes containers feel much more like separate systems than they would without it.

Not using LXC containers? You can remove it with

sudo apt remove lxcfs -y

/usr/lib/accountservice/accounts-daemon

The AccountsService package provides a set of D-Bus interfaces for querying and manipulating user account information and an implementation of these interfaces based on the usermod(8), useradd(8) and userdel(8) commands.

When I removed DBus it broke timedatectl. I wonder what removing this service will break.

sudo apt remove accountsservice -y

Time will tell.

/sbin/mdadm

mdadm is a Linux utility used to manage and monitor software RAID devices.

The name is derived from the md (multiple device) device nodes it administers or manages, and it replaced a previous utility mdctl. The original name was "Mirror Disk", but was changed as the functionality increased.

RAID is a method of using multiple hard drives to act as one. There are two purposes of RAID: 1) Expand drive capacity: RAID 0. If you have 2 x 500 GB HDD then total space become 1 TB. 2) Prevent data loss in case of drive failure: For example RAID 1, RAID 5, RAID 6, and RAID 10.

You can remove it with

sudo apt remove mdadm -y

/usr/lib/policykit-1/polkitd --no-debug

polkitd — PolicyKit daemon

polkit - Authorization Framework

My understanding is that this is like fine-grained sudo. You can allow non-privileged users to do certain actions as root. For instance, reboot your computer when you're running Linux on a desktop computer.

But I'm running a server. You can remove it with

sudo apt remove policykit-1 -y

Still wondering if this breaks something.

/usr/sbin/sshd -D

sshd (OpenSSH Daemon) is the daemon program for ssh.

-D When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.

/sbin/iscsid

iscsid is the daemon (system service) that runs in the background, acting on iSCSI configuration, and managing the connections. From its manpage:

The iscsid implements the control path of iSCSI protocol, plus some management facilities. For example, the daemon could be configured to automatically re-start discovery at startup, based on the contents of persistent iSCSI database.

http://unix.stackexchange.com/questions/216239/iscsi-vs-iscsid-services

I had never heard of iSCSI:

In computing, iSCSI (/aɪˈskʌzi/ eye-skuz-ee) is an acronym for Internet Small Computer Systems Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities.

By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.

The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally attached disks.

You can remove it with

sudo apt remove open-iscsi -y

/sbin/agetty --noclear tty1 linux

agetty - alternative Linux getty

getty, short for "get tty", is a Unix program running on a host computer that manages physical or virtual terminals (TTYs). When it detects a connection, it prompts for a username and runs the 'login' program to authenticate the user.

Originally, on traditional Unix systems, getty handled connections to serial terminals (often Teletype machines) connected to a host computer. The tty part of the name stands for Teletype, but has come to mean any type of text terminal.

This allows you to log in when you are physically at the server. In Digital Ocean, you can click on Console in the droplet details and you will be able to interact with this terminal in your browser (it's a VNC connection I think).

In the old days, you'd see a bunch of ttys started at system boot (configured in /etc/inittab), but nowadays they are spun up on demand by systemd.

For fun, I removed the configuration files that launch and generate agetty:

sudo rm /etc/systemd/system/getty.target.wants/getty@tty1.service
sudo rm /lib/systemd/system/getty@.service

When I rebooted the server, I could still connect to it via SSH but I was no longer able to log in from the Digital Ocean web console.

sshd: root@pts/0 & -bash & htop

sshd: root@pts/0 means that there has been an SSH session established for the user root at the #0 pseudoterminal (pts). A pseudoterminal emulates a real text terminal.

bash is the shell that I am using.

Why is there a dash at the beginning? Reddit user hirnbrot helpfully explained it:

There's a dash at the beginning because launching it as "-bash" will make it a login shell. A login shell is one whose first character of argument zero is a -, or one started with the --login option. This will then cause it to read a different set of configuration files.

htop is an interactive process viewer tool that is running in the screenshot.

After

sudo apt remove lvm2 -y
sudo apt remove at -y
sudo apt remove snapd -y
sudo apt remove lxcfs -y
sudo apt remove mdadm -y
sudo apt remove open-iscsi -y
sudo apt remove accountsservice -y
sudo apt remove policykit-1 -y

Extreme edition:

sudo apt remove dbus -y --purge
sudo apt remove rsyslog -y --purge
sudo apt remove acpid -y --purge
sudo systemctl stop cron && sudo systemctl disable cron
sudo rm /etc/systemd/system/getty.target.wants/getty@tty1.service
sudo rm /lib/systemd/system/getty@.service

I followed the instructions in my blog post about unattended installation of WordPress on Ubuntu Server and it works.

Here's nginx, PHP7 and MySQL.