5

I recently deleted my active Linux kernel and continued using the system as if nothing drastic happened. Are there any side-effects to deleting the Linux kernel that's currently in use? What about other non-Windows kernels?

Michael Mrozek
tshepang

2 Answers

5

The Linux kernel is completely loaded into RAM on boot. After the system is booted, it never goes back and tries to read anything from that file. The same goes for drivers, once loaded into the kernel.

If you deleted the only kernel image on disk, the only consequence is that the system cannot be successfully rebooted unless you install a replacement kernel image before reboot.

As for other OSes, I imagine it is the same, simply due to the nature of OS kernels. They're intentionally small bits of code that stay running all the time, so there is no incentive to keep going back to disk to "look" at the code again. It's always in memory. (RAM or VM.)

Warren Young
  • I don't think that "the kernel does not page" is true universally. http://support.microsoft.com/kb/184419 seems to imply that "drivers and system code in the Windows NT Executive" can be pageable. There are also references to the VMS and Tenex operating systems having pageable kernel code, or perhaps just stack and data. –  Apr 13 '11 at 15:19
  • That's why I specified VM above. Also, Windows was excluded from the discussion by the question, which specified only OSes that don't "lock" live files. – Warren Young Apr 14 '11 at 14:12
  • Some drivers, if they are modules that are not part of the kernel, can be removed with rmmod. They can't be insmoded back in if they are deleted from /lib/modules. – LawrenceC Dec 27 '11 at 01:39
  • @BruceEdiger, the NT kernel is partially pageable, but the pages are swapped to the pagefile, not discarded and re-read from the kernel executable. – psusi Dec 27 '11 at 15:40
  • Not that it necessarily matters (or does it?) I thought that, historically, deleting the UNIX kernel from the filesystem was catastrophic - in fact, kernel upgrades would fail (or stop the system) for this reason if the admin was not aware of this. I doubt this is true any more though. – Mei Feb 04 '12 at 00:53
2

Well, if you have proper access and, ironically, kernel support for /dev/kmem, you can overwrite the running kernel in RAM. Completely accomplishable with dd or cat. You'll likely either make the kernel panic or the machine lock up.

There's a kernel option that "neuters" /dev/kmem where it only allows access to certain address ranges (PCI address space among others) that I would imagine is enabled in most distro stock kernels, so you likely wouldn't get anywhere doing it on a real system unless you compiled the kernel yourself. But... try this out on an instance of Linux running in your browser completely in JavaScript: cat /dev/zero > /dev/ram - something similar would happen on a real system.

However, Linux provides a feature (optional) called kexec which will load in another kernel and then execute it, overwriting the currently executing kernel. To do this safely it must be done when no drivers/devices/files are active, i.e. the system must go through its shutdown procedures, unmounting all disks, etc. just as if it were shutting down before the "handoff." Can be used to reboot a system without going through the BIOS. You can also totally ignore all these precautions and kexec to a kernel or any code if you like in the middle of a running system - at the risk of corruption similar to powering off without a proper shutdown.

LawrenceC
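An added example, not part of either answer: a pre-reboot and hardening check for the points raised above (the kernel image and module tree on disk, /dev/kmem, and kexec). The image and config file paths are assumptions that vary by distro, as is treating CONFIG_STRICT_DEVMEM as the option the second answer means; the root-prefix argument is a hypothetical convenience so the checks can run against a mounted image or a test tree.

```shell
#!/bin/sh
# Added example. Each function takes a root prefix ("" for the live system)
# and a kernel release, and prints one finding per line.

# Answer 1: the running kernel lives in RAM, but a reboot needs it on disk.
# Returns 0 only if both an image and a module tree exist for the release.
kernel_on_disk() {
    kd_root=$1; kd_rel=$2; kd_rc=0; kd_img=
    # Image names differ between distros; these paths are assumptions.
    for kd_p in "$kd_root/boot/vmlinuz-$kd_rel" "$kd_root/boot/vmlinux-$kd_rel" \
                "$kd_root/lib/modules/$kd_rel/vmlinuz"; do
        if [ -f "$kd_p" ]; then kd_img=$kd_p; break; fi
    done
    if [ -n "$kd_img" ]; then echo "image: $kd_img"
    else echo "image: not found"; kd_rc=1; fi
    if [ -d "$kd_root/lib/modules/$kd_rel" ]; then echo "modules: present"
    else echo "modules: not found (unloaded modules cannot be loaded again)"; kd_rc=1; fi
    return "$kd_rc"
}

# Answer 2: ways to replace the kernel that is already in RAM.
kernel_write_paths() {
    kw_root=$1; kw_rel=$2
    if [ -e "$kw_root/dev/kmem" ]; then echo "kmem: device node present"
    else echo "kmem: absent"; fi
    kw_cfg="$kw_root/boot/config-$kw_rel"   # config location is an assumption
    for kw_opt in CONFIG_DEVKMEM CONFIG_STRICT_DEVMEM; do
        if [ ! -r "$kw_cfg" ]; then echo "$kw_opt: unknown (no config file)"
        elif grep -q "^$kw_opt=y" "$kw_cfg"; then echo "$kw_opt: y"
        else echo "$kw_opt: not set"; fi
    done
    # kernel.kexec_load_disabled=1 blocks loading a new kernel via kexec.
    kw_sys="$kw_root/proc/sys/kernel/kexec_load_disabled"
    if [ ! -r "$kw_sys" ]; then echo "kexec: sysctl not available"
    elif [ "$(cat "$kw_sys")" = 1 ]; then echo "kexec: loading disabled"
    else echo "kexec: loading allowed"; fi
}

# Live-system run; a missing kernel is reported, not fatal.
kernel_on_disk "" "$(uname -r)" || echo "=> check for a bootable kernel before rebooting"
kernel_write_paths "" "$(uname -r)"
```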