Lesson: How Linux Is Structured

What you'll learn

• What a kernel actually does and why every computer needs one.
• The difference between kernel space and user space, and why that split exists.
• How system calls form the controlled boundary between your programs and the hardware.
• What a process is and how the kernel keeps many of them running at once.
• What people really mean when they say "an operating system."

Skill gained: a correct mental model of how Linux is layered, so the commands you learn later stop feeling like magic.

The lesson

You are about to spend a lot of time on Linux machines. Before you memorize commands, you need a picture of what is happening underneath. This lesson is conceptual, but everything in it is real and you can poke at it on the Jumpbox (10.100.100.254, user ubuntu).

1. What a kernel does

The kernel is the core program of the operating system. It is the first real software that takes control after the machine powers on, and it stays running until you shut down. Its job is to manage the hardware and share it fairly between every program you run.

Concretely, the kernel is responsible for:

• Processes & scheduling — deciding which program runs on the CPU and for how long.
• Memory — giving each program its own slice of RAM and stopping programs from reading each other's memory.
• Devices — talking to disks, network cards, keyboards, screens through drivers.
• Filesystems — turning raw blocks on a disk into files and directories.
• Networking — moving packets in and out of the machine.

On Ubuntu you can see your kernel's version:

ubuntu@Jumpbox:~$ uname -r
6.8.0-generic

uname ("Unix name") prints information about the running kernel. The -r flag asks for the release.

2. Kernel space vs user space

The kernel does powerful, dangerous things — it can touch any byte of RAM and any device. If every program could do that directly, one buggy app could crash the whole machine or read your passwords. So the CPU itself enforces two privilege levels:

• Kernel space — privileged mode. Only the kernel runs here. Full access to hardware.
• User space — restricted mode. Your programs (ls, a web server, your editor) run here. They cannot touch hardware directly.

        +-----------------------------------------+
        |              USER SPACE                 |
        |   bash    nginx    python   your_app    |   <- normal programs
        +-----------------------------------------+
                        |  system calls  |              <- the only door
        +-----------------------------------------+
        |             KERNEL SPACE                |
        |  scheduler  memory mgr  drivers  net    |
        +-----------------------------------------+
        |               HARDWARE                  |
        |    CPU      RAM      disk      NIC       |
        +-----------------------------------------+

A program in user space that wants to do something privileged — like read a file or open a network connection — must ask the kernel. It cannot just do it.

3. System calls: the boundary

A system call (syscall) is a request from a user-space program to the kernel. It is the only official door between the two worlds. When your program calls open() to open a file, that becomes an openat syscall; the CPU switches into kernel mode, the kernel checks your permissions, does the work, and switches back.

You don't usually write syscalls by hand — libraries and language runtimes do it for you — but you can watch them happen with strace:

ubuntu@Jumpbox:~$ strace -e trace=openat cat /etc/hostname
openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 3
Jumpbox

That single line shows cat asking the kernel to open a file, and getting back 3 — a file descriptor, a small number the program uses to refer to the open file. This "ask the kernel, get a number back" pattern is everywhere in Linux.

4. Processes

A process is a running program — one instance of a program plus its own memory, its open files, and a numeric ID called a PID (process ID). When you type ls, the kernel creates a process, runs it, and cleans it up when it exits.

The kernel runs many processes seemingly at once by giving each a tiny slice of CPU time and switching between them thousands of times a second (a context switch). You only have a few CPU cores, but you can have hundreds of processes.

Try this:

ubuntu@Jumpbox:~$ echo $$        # the PID of your shell
4711
ubuntu@Jumpbox:~$ ps -o pid,ppid,comm
  PID  PPID COMMAND
 4711  4710 bash
 4820  4711 ps

Notice ppid — the parent PID. Every process is started by another process, forming a tree. Your ps command's parent is your shell (bash). This tree all the way up traces back to the very first process the kernel starts at boot (PID 1), which on Ubuntu is systemd. You'll meet systemd properly in Chapter 5.

5. So what is "an operating system"?

The kernel alone is not enough to be useful. An operating system (OS) — like Ubuntu, which runs on every VM in this lab — is the kernel plus the user-space pieces that make it usable:

• A shell (bash) to type commands into.
• Core utilities (ls, cp, grep) — small programs that do one job.
• System libraries (like the C library glibc) that wrap syscalls so programs don't repeat themselves.
• A service manager (systemd) that starts background programs at boot.
• A package manager (apt on Ubuntu) to install and update software.

"Ubuntu" and "Debian" and "Fedora" all use the Linux kernel; what differs is the user-space software bundled around it. That bundle is called a distribution ("distro").

6. Tying it together

When you run cat /etc/hostname on the Jumpbox:

1. Your shell (a user-space process) creates a new process for cat.
2. cat makes an openat syscall — crossing into kernel space.
3. The kernel checks permissions, reads the file from disk via a driver, hands back the bytes.
4. cat makes a write syscall to print to your screen.
5. cat exits; the kernel reaps the process.

Every command you learn from here on is a variation of this dance: user-space programs politely asking the kernel — through syscalls — to do privileged work. Hold onto that picture.

Dig deeper

• The Linux Kernel documentation (kernel.org)
• What is the Linux kernel? (Red Hat)
• syscalls(2) — the Linux system-call list (man7.org)
• strace man page (man7.org)
• Processes and threads (Linux man page: credentials)

Search terms

• kernel space vs user space explained
• what is a system call linux
• linux process tree pid ppid
• strace beginner tutorial
• what is a linux distribution kernel difference

Check yourself

1. Name three things the kernel is responsible for.
2. Why can't a normal program touch the network card directly?
3. What is a system call, and why is it described as a "door"?
4. What does a PID identify, and what is a PPID?
5. What is the difference between "the Linux kernel" and "a Linux distribution"?