Credible nerd says stop using atop, doesn't say why, everyone panics

Veteran sysadmin and tech blogger Rachel Kroll posted a cryptic warning yesterday about a popular Linux system monitoring tool. Maybe it's better to be safe than sorry.

The post is titled: "You might want to stop running atop." No details, no context – just a few paragraphs that have set off alarm bells in corners of the Linux world.

Better known online as rachelbythebay, Kroll has a good reputation in the tech industry. She's wrangled servers for Facebook and Lyft, and has been a speaker at events from USEnix to Strange Loop. She's also collected some of her writing in books, which used to be on Amazon, but which you can now get, free of DRM, from the Gumroad store.

Unsurprisingly, this post has caused some excitement on techie forums such as Lobsters and Hacker News. We feel that the best summary is this one from Duncan Bayne:

Atop is a system monitoring tool for Linux and FreeBSD, and most distros include it in their repositories. It's been around for years and the last release, version 2.11.0, was out in June last year. Even Red Hat has recommended it in the past.

Atop is in the family of the well-known top command. "TOP" stands for "table of processes" – at least colloquially – and it's a sort of task manager for the Unix shell. It shows you a live, constantly updating list of the most active processes running on your computer, which you can sort by various criteria, such as CPU or memory usage. Pretty much all Unix-like OSes include the top command, and there are a bunch of similar ones, including the popular htop by Hisham Muhammad, co-creator of Reg FOSS desk favorite GoboLinux, and btop++, which we recently used to demonstrate the tiny resource usage of Pi-hole.

Atop is slightly different, and we suspect that is critical here. While most top-style programs are live tools that show resource usage right now, atop also has a component that can run in the background, logging performance information to a file. This is useful for troublesome machines where you can't see what was happening just before they became unresponsive. After a reboot, you can replay atop's activity record and see what the box was doing before things went wrong.

It's possible that an exploit or vulnerability has been found in the atop program somewhere. Since there hasn't been a new version in nine months, it's probably been there for a while, maybe years, but has only just been found. It may also be that Kroll is unable to share details due to contractual obligations. Thus, this vaguely worded warning is all that she's able to say.

The Register has attempted to contact both Kroll as well as atop author Gerlof Langeveld. He definitely knows his stuff. We attended his seriously in-depth talk on Linux monitoring at the Open Source Summit in Bilbao a couple of years ago. We even understood some of it.

If either of them gets back to us, we will update this story. But in the meantime, as atop is purely a monitoring tool, it really shouldn't break anything if you just uninstall it for safety's sake. We think that there might be a new version announced any day now, which will be included in all fashionable Linux distributions and other open source Unix-like OSes, very soon. You can always reinstall it once it's been updated. ®