Understanding your (Red Hat Enterprise Linux) daemons
by Len DiMaggio
A Unix daemon is a program that runs in the “background,” enabling you to do other work in the “foreground,” and is independent of control from a terminal. Daemons can either be started by a process, such as a system startup script, where there is no controlling terminal, or by a user at a terminal without “tying up” that terminal as the daemon runs. But which daemons can you safely play with? Which should you leave running?
An introduction to daemons
The real-world (i.e., non-computer) definition of “daemon” is either a spirit (an evil one) or an inner or private voice. It’s interesting to note that each of the real-world definitions actually does apply to Unix daemon programs. Like mythological daemons, Unix daemon programs skulk around unseen in the background. And daemons act like an inner voice in that they can run continuously and, like a conscience, can always be accessed. The word “daemon” is one of those chicken-and-egg computer acronyms in search of a definition; it is supposedly based on a “Disk And Execution MONitor” program.
An introduction to services
The daemons referenced in /etc/init.d are configured to be run as Linux services. Services are programs that are started and stopped through the init scripts in the /etc/init.d directory. Many of these services are launched when the system is booted. The /sbin/service utility provides a consistent interface to executing the init scripts. The init scripts provide a consistent interface to managing a service by providing options that start, stop, restart, query status, and perform other actions on services. For example, the httpd service init script provides these options:
/sbin/service httpd
Usage: httpd {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}
You can view the current state of all services with this option to the service utility:
/sbin/service --status-all
acpid (pid 2481) is running...
anacron (pid 2647) is running...
atd (pid 2657) is running...
auditd (pid 2189) is running...
....
Runlevel information for these services, that is, the settings for which system runlevel the service will be started at boot time, can be queried and modified with the chkconfig utility. For example, to query the current settings for the syslog service:
/sbin/chkconfig --list syslog
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
This shows that the syslog service will be automatically started at boot time for runlevels 2, 3, 4, and 5. To set the service to not start for runlevels 3 and 4 (not a good idea, by the way), you would use these options for the chkconfig utility:
/sbin/chkconfig --level 34 syslog off
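The chkconfig --list format above lends itself to a boot-time baseline check. The script below is an added example, not part of the original article: it reads a listing and reports services that are on at a runlevel but in neither list, and required services that are not on. The function names, the sample listing and the allowlist are constructed for illustration; the required list follows the daemons this article says to keep running.

```sh
#!/bin/sh
# Added example: audit boot-time service settings against a written baseline.

# Constructed sample in `chkconfig --list` format. The syslog row mirrors the
# "off for runlevels 3 and 4" change that the article advises against.
sample_listing() {
    cat <<'EOF'
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:off   4:off   5:on    6:off
EOF
}

# audit_runlevel LEVEL "REQUIRED..." "ALLOWED..."   (listing on stdin)
# Prints one finding per line:
#   UNEXPECTED <name>  service is "on" at LEVEL but appears in neither list
#   MISSING <name>     required service is not "on" at LEVEL (or not listed)
audit_runlevel() {
    awk -v lvl="$1" -v required="$2" -v allowed="$3" '
        BEGIN {
            nreq = split(required, req, " ")
            for (i = 1; i <= nreq; i++) ok[req[i]] = 1
            nal = split(allowed, al, " ")
            for (i = 1; i <= nal; i++) ok[al[i]] = 1
        }
        # Only lines of the form: name + seven "N:state" fields; others are skipped.
        NF == 8 {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == lvl && kv[2] == "on") {
                    on[$1] = 1
                    if (!($1 in ok)) print "UNEXPECTED " $1
                }
            }
        }
        END {
            for (i = 1; i <= nreq; i++)
                if (!(req[i] in on)) print "MISSING " req[i]
        }'
}

# Demo on the constructed sample. On a real host, pipe in the output of
# /sbin/chkconfig --list instead of sample_listing.
sample_listing | audit_runlevel 3 "syslog iptables ip6tables auditd crond" "sshd"
```

Each UNEXPECTED line is a service to justify or switch off with chkconfig; each MISSING line is one to switch back on.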
The /usr/bin/system
Let’s look at how these services and daemons appear in output from ps. Here’s a short list:
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 23:36 ?        00:00:00 init [5]
root      2161     1  0 23:37 ?        00:00:00 auditd
root      2177     1  0 23:37 ?        00:00:00 syslogd -m 0
root      2180     1  0 23:37 ?        00:00:00 klogd -x
root      2207     1  0 23:37 ?        00:00:00 mcstransd
root      2254     1  0 23:37 ?        00:00:00 rpc.statd
root      2287     1  0 23:37 ?        00:00:00 rpc.idmapd
root      2577     1  0 23:37 ?        00:00:00 crond
root      2631     1  0 23:37 ?        00:00:00 /usr/sbin/atd
root      2654     1  0 23:37 ?        00:00:00 rhnsd --interval 240
What’s important to note here? (Other than I’m staying up too late at night, that is.) For each of the daemons, the parent process ID (PPID) is 1. This indicates that the daemons were started up during the boot process by init.
A useful tool for viewing the “tree” of processes and their parents is “pstree.” Here’s a fragment of the output from pstree:
init-+
     |-NetworkManager---2*[{NetworkManager}]
     |-NetworkManagerD
     |-acpid
     |-atd
     |-auditd-+-python
     |        `-{auditd}
     |-avahi-daemon---avahi-daemon
     |-bonobo-activati---{bonobo-activati}
     |-crond
     |-cupsd---cups-polld
     |-2*[dbus-daemon---{dbus-daemon}]
     |-dbus-launch
     |-dhcdbd---dhclient
A closer look at your system’s daemons
So much for background information. Let’s take a look at your system’s daemons and see which ones you can safely play with. Note that for this article, the system used was running the Red Hat Enterprise Linux Beta 2 release, workstation configuration. Based on your specific system, you may see more or fewer daemons, or even some not included here.
We’ve listed web-sites where you can learn more about these daemons, but the best place to start learning is the manpage. O’Reilly also has an excellent alphabetic index of Linux commands and wikipedia.org has entries for most of these daemons. And, don’t forget to look in the README files.
acpid
This is the daemon for the Advanced Configuration and Power Interface (ACPI). ACPI is an open industry standard for system control related actions, most notably plug-and-play hardware recognition and power management, such as startup and shutdown and putting systems into low power consumption modes.
You’ll probably never want to shut down this daemon, unless you are explicitly instructed to do so to debug a hardware problem.
Learn more:
http://www.acpi
anacron
One of the problems with living on a laptop, as so many of us do these days, is that when you set up a cron job to run, you can’t always be sure that your laptop will be running at the time that the job should run. anacron (the name refers to its being an “anachronistic cron”) gets around this problem by scheduling tasks in days. For example, anacron will run a job if the job has not been run in the specified number of days.
When are you safe not running anacron? When your system is running continuously. Should you simply stop cron from running if you have anacron running? No; anacron can specify job intervals only in days, not hours and seconds.
Learn more:
http://anacron.
apmd
This is the daemon for the Advanced Power Management (APM) BIOS driver. The APM hardware standard and apmd are being replaced by ACPI and acpid. If your hardware supports ACPI, then you don’t need to run apmd.
atd
This is the daemon for the at job processor (at enables you to run tasks at specified times). You can turn off this daemon if you don’t use it.
autofs
This daemon automatically mounts disks and file systems that you define in a configuration file. Using this daemon can be more convenient than explicitly mounting removable disks.
Learn more:
http://freshmea
auditd
The Linux Auditing System provides kernel-resident
Why should you keep auditd running? The information in the log may prove useful in debugging security-relate
Summary Report
======================
Range of time in logs: 11/28/2006 06:07:04.800 - 02/06/2007 21:10:09.957
Selected time for report: 12/31/1969 19:00:00 - 02/06/2007 21:10:09.957
Number of changes in configuration: 285
Number of changes to accounts, groups, or roles: 32
Number of logins: 145
Number of failed logins: 11
Number of users: 2
Number of terminals: 22
Number of host names: 11
Number of executables: 27
Number of files: 91
Number of AVC denials: 688
Number of MAC events: 12
Number of failed syscalls: 404
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 14022
Number of events: 70694
Avahi-daemon and avahi-dnsconfd
The Avahi website defines Avahi as: ‘a system which facilitates service discovery on a local network. This means that you can plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to, or find files being shared…’ Avahi is a Zeroconf implementation.
A common use of the avahi-daemon is with Rhythmbox, so you can see music that is made available to be shared with others. If you’re not sharing music or files on your system, you can turn off this daemon.
Learn more:
http://avahi.or
http://zeroconf
Bluetooth and hidd and pand
The name says it all. Run this service to enable your system to make use of Bluetooth devices. The name of the actual daemon is hcid (Host Controller Interface Daemon).
There’s also a daemon named hidd. This is the Bluetooth Human Interface Device Daemon. It provides keyboard, mouse, and track-ball device support over Bluetooth.
And, there’s pand. This daemon enables your computer to connect to ethernet networks using Bluetooth.
Learn more:
http://www.blue
http://bluez.so
capi
This daemon supports the Common ISDN Application Programming Interface. You’ll run this if you’re connecting to ISDN hardware components. The service runs capiinit.
Learn more:
http://www.capi
conman
No, this isn’t related to late-night infomercials about real estate investing. The conman service (and the conmand daemon) support console management. This supports multiple console devices and simultaneous users. It supports local serial devices and remote terminal servers (via the telnet protocol). If you’re managing multiple servers, you may want to run conman.
Learn more:
http://home.gna
cpuspeed
This daemon adjusts the CPU speed based on the power consumption. Less power is used when the CPU is idle, and more power is available when needed to improve performance. If you’re running on a laptop, you might want to consider running cpuspeed.
Learn more:
http://carlthom
crond
This daemon automates the running of tasks. These jobs are necessary for any Linux or Unix system. Don’t stop or disable this one.
Learn more:
http://www.unix
http://www.linu
CUPS and cups-config-daemon
This daemon is the “Common UNIX Printing Solution.” Like the name implies, it’s a printing system that can handle multiple data formats and printers. If you want to print, leave this daemon running.
Learn more:
http://www.cups
http://www.easy
dhcdbd
This is the DHcp Client D-Bus Daemon. According to The Free DeskTop wiki,
D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a “single instance” application or daemon, and to launch applications and daemons on demand when their services are needed.
Do you want to run this daemon? If you’re running your system on a network (and who isn’t?), especially if you’re moving between networks such as when you move from a wired network to wireless as you move around your office, then you should be running NetworkManager.
The dhcdbd daemon provides a D-Bus interface to dhclient, the DHCP client from ISC. This makes it possible for NetworkManager to query and control dhclient.
Learn more:
http://www.free
gpmd
This daemon enables you to use your mouse in text-based applications such as the Midnight Commander file manager and on the console. You might find this useful if you’re working through situations in the console; otherwise, you’ll be working in the X windowing system and you might never need gpmd.
hald
No, this isn’t related to the evil computer in the film “2001, A Space Odyssey.” In this context, HAL refers to the “Hardware Abstraction Layer.” The HAL daemon collects information about hardware devices from the kernel and the hardware and makes it available in a consistent manner.
Don’t turn off this daemon. Multiple applications rely on it.
Learn more:
“Desktop and hardware configuration,” by David Zeuthen
hplipd
This daemon supports HP Linux Imaging and Printing (HPLIP) for printing, scanning, and faxing with HP inkjet and laser printers. HPLIP works with CUPS by providing a backend to connect to HP devices.
Learn more:
http://hplip.so
hsqldb
This is the daemon for a Java relational database. The daemon gets its name from the Hypersonic SQL project that has been discontinued. hsqldb is used widely in open source projects such as OpenOffice (it’s the database behind the “base” feature) and is often used in demonstration programs, as it can run entirely in memory. It also runs fast. Should you run this daemon? Only if you have a specific program that makes use of it. But, it’s a very useful tool, and if you’re not familiar with it, it’s worth taking a look.
Learn more:
http://hsqldb.o
http://dba.open
httpd
The Apache web server. Used by almost 60% of all websites. If you want to host a website, you run Apache. Need we say more?
Learn more:
http://httpd.ap
ip6tables and iptables
These daemons are firewalls. A firewall, according to Wikipedia, is an “information technology (IT) security device which is configured to permit, deny or proxy data connections set and configured by the organization’s security policy. Firewalls can either be hardware and/or software based.”
iptables functions by maintaining tables of IPv4 packet filter rules in the kernel. It checks incoming and outgoing packets against these rules and blocks packets that don’t meet the rules. ip6tables does the same for IPv6 packets.
Which should you run? Both. Always. It’s a dangerous world on the ‘net.
Learn more:
http://www.netf
http://www.ipv6
irda
IrDA (Infrared Data Association) is an industry standard for inter-device wireless, infrared communications.
Learn more:
http://irda.sou
irqbalance
This daemon distributes hardware interrupts to the CPUs in SMP (symmetric processor: multi-processor
You need not run this daemon on single processor systems, as it only has an effect on multiple-proces
Learn more:
http://www.irqb
kudzu
This is a very useful daemon. At boot time, it detects if hardware devices have been added to or removed from the system. It’s worthwhile to run kudzu at boot time, even if you don’t plan on adding or removing hardware often. You might run into a situation where you add a device and just assume that the system will figure out that it’s there. Also, since kudzu only runs at boot time, and does not stay running, there’s no performance hit on the system.
Learn more:
http://fedora.r
lisa
This daemon gets its name from Lan Information Server. lisa provides a function similar to the MS-Windows Network Neighborhood and provides you access to servers, including CIFS (Common Internet File Systems) servers on your network. lisa only needs the TCP/IP stack to function. It sends ICMP echo requests to ranges of IP addresses that you define in its configuration file and waits for responses.
Learn more:
http://docs.kde
http://docs.kde
http://lisa-hom
lm_sensors
This daemon supports monitoring temperatures, voltages, and cooling fans. In order to make use of this daemon, your system hardware has to include sensors to perform this monitoring. You can only run this daemon if your hardware can support it. You probably don’t want to run this daemon on a workstation. It’s more likely to be used for high-end, mission critical servers.
Learn more:
http://www.lm-s
http://freshmea
mcstrans
SELinux Context Translation System Daemon. This daemon translates security context information into a human readable form. You can probably stop this daemon, but if you do, you’ll see a change in the SELinux information displayed with ls -Z. For example, with the daemon running, you’ll see:
ls -Z
-rw-r--r--  jsmith jsmith user_u:object_r:user_home_t      bookmarks.html
drwxr-xr-x  jsmith jsmith user_u:object_r:user_home_t      Desktop
-r-xr-xr-x  jsmith jsmith user_u:object_r:user_home_t      hello
-r--r--r--  jsmith jsmith user_u:object_r:user_home_t      hello.c
And, with it stopped, you’ll see:
ls -Z
-rw-r--r--  jsmith jsmith user_u:object_r:user_home_t:s0   bookmarks.html
drwxr-xr-x  jsmith jsmith user_u:object_r:user_home_t:s0   Desktop
-r-xr-xr-x  jsmith jsmith user_u:object_r:user_home_t:s0   hello
-r--r--r--  jsmith jsmith user_u:object_r:user_home_t:s0   hello.c
Note that with the daemon stopped, the security context value of “s0” is displayed. mcstrans translates this to a null display. Other security contexts are translated from alphanumeric values in their names.
Learn more:
http://fedorapr
http://danwalsh
mdmonitor and mdmpd
These two daemons are used with RAID (redundant array of inexpensive/ind
Learn more:
http://www.linu
messagebus
This is the D-BUS system-wide message bus daemon. This daemon broadcasts notifications of system events, such as changes in the printer queue or the adding and removing of devices. (Note that this is not the same operation as Kudzu, as it can take place while the system is running and not only at boot time.)
Learn more:
http://www.free
netplugd and ifplugd
These daemons configure Ethernet devices when cables are plugged in and deconfigure them when the cables are removed. Why would you want this to happen? It makes sense for laptops so that your network connections are only brought up when their cables are attached.
Note that the development of netplugd has been discontinued in favor of ifplugd.
Learn more:
http://0pointer
NetworkManager and NetworkManagerDispatcher
The NetworkManager daemon automates switching between network connections. This is a useful daemon for laptop users who switch between wireless WiFi connections and Ethernet connections. The NetworkManagerD
Learn more:
http://www.gnom
named
This daemon is the Domain Name Server. You’ll need to run this daemon only if your system is acting as a DNS server for your network.
Learn more:
http://www.dns.
nfsd
The nfs daemon supports the nfs communications protocol for file sharing across TCP/IP networks. You’ll want to run this daemon if you make use of file systems shared with nfs.
Learn more:
http://nfs.sour
nscd
This is the name service cache daemon. It takes care of group and password lookups for running programs and then caches the lookup results for the next query for services that can experience slowness in picking up changes such as NIS or LDAP. If you’re running these services, you may want to run nscd.
ntpd
This is the Network Time Protocol daemon. This daemon sets and maintains the system time of day by keeping it in synch with Internet standard time servers. If your system is connected to the Internet (and who isn’t?) then running ntpd will keep your system time correct.
Learn more:
http://www.ntp.
oddjobd
The oddjobd daemon provides the com.redhat.oddj
You should only run this daemon if you are using an application that requires it, such as Conga.
Learn more:
http://people.r
http://sourcewa
openvpn
This daemon supports virtual private networks (VPNs). The daemon startup script says it all:
OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication,
and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP port.
If your system is a node in a VPN, then you’ll probably run OpenVPN.
Learn more:
http://openvpn.
pcscd
This is the PC/SC Smart Card Daemon. pcscd is the daemon for pcsc-lite (middleware for accessing smart cards) and the (java-based) MuscleCard framework. It enables communications with smart card readers and smart cards.
(A smart card is a card that is embedded with either a memory chip or microprocessor and a memory chip. And Muscle is the Movement for the Use of Smart Cards in a Linux Environment.)
Learn more:
http://www.smar
http://pcsclite
http://www.linu
portmap
The portmapper daemon manages RPC (remote procedure call) connections. It converts RPC program numbers into TCP/IP (or UDP/IP) protocol port numbers. The most common use of portmapper is by NFS and NIS.
So, if your system relies on NIS or NFS, don’t turn off the portmap daemon.
Learn more:
http://www.linu
postfix
This daemon is a mail transport agent. Unless your system is a mail relay server, you don’t need to run this daemon.
Learn more:
http://www.post
rdisc
This daemon (the router discovery daemon) discovers routers on the local subnet. It is run at boot time to populate the network routing tables with default routes.
Learn more:
http://www.info
restorecond
This is an SELinux daemon. restorecond watches for file creation (of files listed in /etc/selinux/re
Don’t turn this one off. SELinux needs it.
Learn more:
http://fedorapr
http://danwalsh
rhnsd
This daemon periodically checks for actions that have been scheduled through the Red Hat Network web interface and runs them. This includes actions such as installing, removing, or updating software, rebooting the system, starting a kickstart installation, or installing configuration files.
Learn more:
https://www.red
rpcgssd and rpcidmapd and rpcsvcgssd
The rpcgssd and rpcsvcgssd daemons handle security for RPC. The rpcidmapd maps user names to UID and GID numbers.
If you’re running NFS or NIS, then you should have these daemons running.
Learn more:
http://nfs.sour
readahead_early and readahead_later
The readahead daemon causes the programs used during startup to be loaded into memory before they are needed, to improve startup performance.
saslauthd
This is the SASL authentication server daemon. SASL is the Simple Authentication and Security Layer and allows for adding authentication to connection-base
Learn more:
http://asg.web.
sendmail
This is an SMTP (Simple Mail Transfer Protocol) server. sendmail moves mail from one system to another as a Mail Transport Agent. If you run a mail program such as Thunderbird or Evolution, you don’t need to run sendmail.
Learn more:
http://www.send
setroubleshoot
This is the SELinux Troubleshooting
Learn more:
https://hosted.
smartd
This daemon monitors the SMART (Self-Monitorin
Learn more:
http://sourcefo
spamassassin
This daemon uses the Apache SpamAssassin program to check email for SPAM. It is usually run on a mail delivery agent (MDA) server. If you use a client program such as Thunderbird or Evolution to access your mail, then you don’t need to run spamassassin.
Learn more:
http://spamassa
sshd
This is the daemon for OpenSSH. ssh replaces the insecure rsh and rlogin programs and enables encryption for communications between hosts over insecure networks. If you connect with other systems over the public Internet, you want to use ssh and run this daemon.
Learn more:
http://www.ssh.
http://www.open
syslog
syslog is the standard logging system for Linux systems. Don’t turn this one off.
Learn more:
http://www.sysl
winbind
This daemon is part of the Samba suite and enables Windows domain users to function as Unix users on Unix servers. You may want to run this daemon if you’re dealing with a mixed PC and Linux/Unix network.
Learn more:
http://www.samb
http://www.samb
xfs
This daemon is the xfs font server. This daemon loads fonts into memory to enable X applications to run faster than if they had to load the fonts from disk. This daemon is worth running to improve application performance.
Learn more:
http://linuxrev
ypbind
This daemon binds NIS clients to an NIS domain. The “yp” refers to “yellow pages,” as the NIS directory of user accounts acts like the telephone book yellow pages. You only want to run this daemon if your system relies on NIS (Network Information Service) for user accounts and system names.
Learn more:
http://www.linu
yum-updatesd
yum-updatesd checks for software updates and can send notifications of these updates via mail, dbus, or syslog messages, or can automatically install the updates. The dbus messages are picked up by the “puplet” (package updater), which notifies the user of the updates and lets the user install them.
Learn more:
http://linux.du
http://www.redh
References
“Which Services Can I Disable?,” Dinkar, Tejas
Linux Services, Devices, and Daemons
Fedora Core 3 Linux Services
Services in Fedora, Mauriat Miranda
Acknowledgments
I’d like to acknowledge the information presented by Mauriat Miranda in his “Services in Fedora” web-site. His work was especially helpful as a starting point for researching this article. Also, I’d like to thank Christopher Smith, James Bowes, and Dan Walsh for their insightful technical information in writing the article.
March 9th, 2007 at 11:18 am
How about adding a “service XXX help” init script command option that would give a description of the service and give examples of what types of servers should have it running, and what types of servers could turn it off. It could just look under /usr/share/doc/services/XXX for a file. Each RPM that installs a file in /etc/init.d would drop a corresponding description in /usr/share/doc/services/
Thanks!
-Ben.
March 10th, 2007 at 1:10 am
The article was great…:) It’s difficult to find such type of info about all the services at one place. Finally, RedHat did it. It’s a good tutorial for beginners.
But I am not able to find anything about “service httpd condrestart”. What does this condrestart do?
March 10th, 2007 at 2:14 pm
Hi Ashish - thanks for the kind comment - here’s a fragment from the httpd startup script - the “condrestart” is a conditional restart. It only restarts the service if it’s running, unlike restart, which always restarts the service.
=====================================================
    restart)
        stop
        start
        ;;
    condrestart)
        if [ -f ${pidfile} ] ; then
            stop
            start
        fi
        ;;
===============