Linux Terminology – What Does Process Accounting Mean

containerlinuxterminology

I'm working with Docker in action's book, and I have seen the term "process accounting" several times. I am in a containerization of the application context.
I would like to know more about this concept of process accounting. Google found me some finance accounting articles; I am looking for the meaning related to computer systems.

Would you please provide some explanation about this concept?

Best Answer

The Linux kernel has a built-in process accounting facility. It allows system administrators to collect detailed information in a log file each time a program is executed on a Linux system. Then the administrator can analyze the data in these log files and find a conclusion. To shed more light on this term, let me give few examples:

The administrator can collect information about who has been playing games on a Linux computer and for how long.
One of the earliest uses of process accounting was to calculate the CPU time absorbed by users at computer installations and then bill users accordingly.
Another example is when process accounting can be turned on for a week to record the names of all the commands executed in a log file. The administrator can then parse the log file to find out which command was run most often.
The most typical application of process accounting is as a supplement to system security measures. In the case of a break-in on a company server, the log files created by the process accounting facility are useful for collecting forensic evidence.

Turning on process accounting requires significant disk space. For example, on a Pentium III system with Red Hat 7.2, each time a program is executed, 64 bytes of data are written to the process accounting log file.

Process accounting commands are as follows:

**Command Name**    **Purpose**
accton              Enables or disables process accounting
acctentries         Counts the number of accounting entries in the log file
accttrim            Truncates the accounting file specified
dumpacct            Dumps the contents of the log file
dump-acct           Similar to dumpacct
handleacct.sh       Script to compress and backup logs and delete the oldest
lastcomm            Prints commands executed on the system, most recent first
sa                  Summarize accounting information

More information about installation and utilization of process accounting can be found in this Linux Journal article.

computer architectures

One thing you'll notice as you continue to study computer architectures is that the same concepts are used over and over again. The notion of hostnames is nested too.

                                   .---> <-----.
                                   |           |
                               .------.    .------.
                 ^------------>| .com |    | .net |
                 |             '------'    '------'
                 |                 ^
                 |                 |
             .--------.    .---------------.
             | google |    | stackexchange |
             '--------'    '---------------'
                  ^                ^
                  |                |
               .-----.          .------.
               | www |          | unix |
               '-----'          '------'

Or in programming, class inheritance (Ruby):

class Mammal  
  def breathe  
    puts "inhale and exhale"  
  end  
end  


class Cat < Mammal  
  def speak  
    puts "Meow"  
  end  
end  

jake = Cat.new  
jake.breathe  
jake.speak

Linux Memory Terminology – Meaning of HardwareCorrupted, DirectMap4k, DirectMap2M in /proc/meminfo

HardwareCorrupted show the amount of memory in "poisoned pages", i.e. memory which has failed (as flagged by ECC typically). ECC stands for "Error Correcting Code". ECC memory is capable of correcting small errors and detecting larger ones; on typical PCs with non-ECC memory, memory errors go undetected. If an uncorrectable error is detected using ECC (in memory or cache, depending on the system's hardware support), then the Linux kernel marks the corresponding page as poisoned.

DirectMap is shown on x86, Book3s PowerPC, and S/390, and gives an indication of the TLB load, not memory use: it counts the number of pages mapped using the various supported page sizes on each platform (corresponding to different page table levels): 4KiB, 64KiB, 1MiB, 2MiB, 4MiB, 1GiB, or 2GiB pages. The TLB, or "Translation Lookaside Buffer", is a cache used to store mappings between virtual addresses (as seen by software running on your computer) and physical pages in memory (as seen by the hardware); the calculations and memory fetches involved to go from virtual to physical addresses are expensive, so caches are used to avoid needing them too often. But the TLB is small, so accessing a variety of different addresses (too many to stay in the cache) incurs a performance penalty. This penalty can be reduced by using larger pages; on the x86 architecture the traditional page size is 4KiB, but larger pages can be used when possible, and their sizes can be 2MiB, 4MiB or 1GiB.

For more detail you can look up the Wikipedia links I've included, and follow the references from there.

Best Answer

Related Solutions

What does the jargon filesystem mean

computer architectures

Linux Memory Terminology – Meaning of HardwareCorrupted, DirectMap4k, DirectMap2M in /proc/meminfo

Related Question