A process is a program in execution in memory. Any program executed creates a process. A program can be a command, a shell script, or any binary executable or any application.
A process has some associated properties:
PID: Process ID. Every process created in Unix/Linux has an identification number associated with it, called the process ID. The kernel uses this process ID to identify the process, similar to how the inode number is used for file identification. The PID is unique for a process at any given point in time. However, PIDs are recycled: once a process has exited, its number can later be assigned to a new process.
PPID: Parent Process ID. Every process has to be created by another process. The process which creates a process is the parent process, and the process being created is the child process. The PID of the parent process is called the parent process ID (PPID).
TTY: The terminal with which the process is associated. TTY now stands for terminal type but originally stood for teletype. It represents the name of the console or terminal (i.e., combination of monitor and keyboard) that the user logged into. Every command is run from a terminal, which is associated with the process. However, not all processes are associated with a terminal. Processes which do not belong to any terminal are called daemons.
UID: User ID. The user to whom the process belongs. Only the user who owns the process can kill it; the root user can kill any process. When a process tries to access files, the access it gets depends on the permissions the process owner has on those files.
Every process in Unix has to be created by some other process. Hence, the process for the ps command is also created by some other process. The 'ps' command is run from the login shell. The shell is a process that has been running in memory from the moment the user logged in. So, for all the commands triggered from the login shell, the login shell will be the parent process and the process created for the command executed will be the child process. Along the same lines, 'ksh' is the parent process for the child process 'ps'.
The ps command on Linux is one of the most basic commands for viewing the processes running on the system. It provides a snapshot of the current processes along with detailed information such as user ID, CPU usage, memory usage and command name. It does not display data in real time like the top or htop commands. By default, the ps command only shows what is running in the current terminal.
The basic ps command shows us attributes of the current user's processes:
> ps
  PID TTY          TIME CMD
15502 pts/0    00:00:00 bash
15916 pts/0    00:00:00 ps
Attributes shown include:
Additional switches give us more information about the process
ps switches
********* simple selection *********  ********* selection by list *********
-A all processes                      -C by command name
-N negate selection                   -G by real group ID (supports names)
-a all w/ tty except session leaders  -U by real user ID (supports names)
-d all except session leaders         -g by session OR by effective group name
-e all processes                      -p by process ID
T  all processes on this terminal     -s processes in the sessions given
a  all w/ tty, including other users  -t by tty
g  OBSOLETE -- DO NOT USE             -u by effective user ID (supports names)
r  only running processes             U  processes for specified users
x  processes w/o controlling ttys     t  by tty
*********** output format **********  *********** long options ***********
-o,o user-defined  -f full            --Group --User --pid --cols --ppid
-j,j job control   s  signal          --group --user --sid --rows --info
-O,O preloaded -o  v  virtual memory  --cumulative --format --deselect
-l,l long          u  user-oriented   --sort --tty --forest --version
-F   extra full    X  registers       --heading --no-heading --context
                    ********* misc options *********
-V,V  show version      L  list format codes  f  ASCII art forest
-m,m,-L,-T,H  threads   S  children in sum    -y change -l format
-M,Z  security data     c  true command name  -c scheduling class
-w,w  wide output       n  numeric WCHAN,UID  -H process hierarchy
Using ps to get the full list of processes
The following ps command will display the complete list of processes (e) in long or "full" format (f).
> ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:33 ?        00:00:01 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root         2     0  0 10:33 ?        00:00:00 [kthreadd]
root         3     2  0 10:33 ?        00:00:00 [ksoftirqd/0]
root         7     2  0 10:33 ?        00:00:00 [migration/0]
root         8     2  0 10:33 ?        00:00:00 [rcu_bh]
root         9     2  0 10:33 ?        00:00:00 [rcu_sched]
root        10     2  0 10:33 ?        00:00:00 [watchdog/0]
root        12     2  0 10:33 ?        00:00:00 [kdevtmpfs]
root        13     2  0 10:33 ?        00:00:00 [netns]
root        14     2  0 10:33 ?        00:00:00 [khungtaskd]
...
To filter the processes by the owning user (effective user), use the "-u" option followed by the username. Here we show processes owned by user (u) root:
> ps -fu root
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jun14 ?        00:00:04 /sbin/init
root         2     0  0 Jun14 ?        00:00:00 [kthreadd]
root         3     2  0 Jun14 ?        00:00:00 [migration/0]
root         4     2  0 Jun14 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 Jun14 ?        00:00:00 [migration/0]
root         6     2  0 Jun14 ?        00:00:00 [watchdog/0]
root         7     2  0 Jun14 ?        00:00:00 [migration/1]
...
Many processes are actually forked out of some parent process, and knowing this parent child relationship is often helpful. The -H or '--forest' option will construct an ascii art style tree view of the process hierarchy.
> ps -ef --forest
...
root     16026     2  0 19:00 ?        00:00:00 [kworker/0:1]
root         1     0  0 May17 ?        00:00:02 /usr/lib/systemd/systemd --system --deserialize 13
root       497     1  0 May17 ?        00:00:01 /usr/lib/systemd/systemd-journald
root       509     1  0 May17 ?        00:00:00 /usr/sbin/lvmetad -f
root       520     1  0 May17 ?        00:00:00 /usr/lib/systemd/systemd-udevd
root       646     1  0 May17 ?        00:00:00 /sbin/auditd -n
root       663     1  0 May17 ?        00:00:00 /usr/lib/systemd/systemd-logind
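The parent-child relationship can also be followed by script when reviewing where a process came from. The following is an added example, not part of the original page: it walks the PPID chain for one PID in a ps -ef listing and lists the processes that have no terminal. The sample listing and the helper names ancestry and daemons are constructed for illustration.

```sh
# Added example: follow PPID links in a `ps -ef` listing.
# SAMPLE_PS is constructed for illustration, not captured from a real host.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:33 ?        00:00:01 /usr/lib/systemd/systemd
root         2     0  0 10:33 ?        00:00:00 [kthreadd]
root       902     1  0 10:34 ?        00:00:00 /usr/sbin/sshd -D
root     15480   902  0 11:02 ?        00:00:00 sshd: andrew [priv]
andrew   15502 15480  0 11:02 pts/0    00:00:00 bash
andrew   15916 15502  0 11:05 pts/0    00:00:00 ps -ef'

# ancestry PID (hypothetical helper): reads `ps -ef` output on stdin and prints
# "PID UID TTY CMD" for PID, its parent, its grandparent, ... up to the
# process whose PPID is not in the listing (PPID 0 for init).
ancestry() {
    awk -v start="$1" '
        NR == 1 { next }                       # skip the header row
        {
            pid = $2
            uid[pid] = $1; ppid[pid] = $3; tty[pid] = $6
            cmd = $8                           # CMD is field 8 onwards
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            args[pid] = cmd
        }
        END {
            p = start
            # seen[] stops the walk if the snapshot ever contains a cycle
            while ((p in ppid) && !(p in seen)) {
                seen[p] = 1
                print p, uid[p], tty[p], args[p]
                p = ppid[p]
            }
        }'
}

# daemons (hypothetical helper): PIDs with no terminal (TTY column "?"),
# skipping kernel threads, which ps shows with CMD in [brackets].
daemons() {
    awk 'NR > 1 && $6 == "?" && $8 !~ /^\[/ { print $2 }'
}

printf '%s\n' "$SAMPLE_PS" | ancestry 15916
```

On a live system the same functions read real output, for example ps -ef | ancestry $$ for the current shell.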
To search the processes by their name or command use the "-C" option followed by the search term.
> ps -C httpd
  PID TTY          TIME CMD
 2112 ?        00:00:04 httpd
 2619 ?        00:00:00 httpd
 2620 ?        00:00:00 httpd
 2621 ?        00:00:00 httpd
 2622 ?        00:00:00 httpd
 2623 ?        00:00:00 httpd
 2624 ?        00:00:00 httpd
 2625 ?        00:00:00 httpd
 2626 ?        00:00:00 httpd
Sort process by cpu or memory usage.
Multiple fields can be specified with the "--sort" option separated by a comma. Additionally the fields can be prefixed with a "-" or "+" symbol indicating descending or ascending sort respectively. There are lots of parameters on which the process list can be sorted. Check the man page for the complete list.
Display the top 5 processes consuming most of the cpu.
> ps aux --sort=-pcpu | head -5
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
andrew   27003 75.2  0.0 112268  1240 pts/1    R+   22:44   0:03 find / -name lostfile
root     27008  3.0  0.0 110344  1132 pts/0    R+   22:44   0:00 ps aux --sort=-pcpu
root     26962  2.0  0.1  99940  4500 ?        S    22:44   0:00 sshd: andrew [priv]
root     27005  0.5  0.0  98544  3792 ?        S    22:44   0:00 sshd: unknown [priv]
The watch command executes a program periodically, showing its output fullscreen. By default it runs the program every 2 seconds. The -n switch allows you to specify the interval in seconds.
> watch "ps"
> watch -n10 "ps"
Use the & character to start a process in the background, so you can continue to use the shell and do not have to wait until the script is finished. If you forget it, you can stop the currently running process with Ctrl-Z and continue it in the background with bg (or in the foreground with fg).
In this example, we submit several watch jobs for background processing:
> watch "ls -ails" &
> watch "ls -ail" &
> watch "ls -ai" &
> watch "ls -a" &
Use the jobs command to see submitted jobs:
> jobs
[1]   Stopped                 watch "ls -ails"
[2]   Stopped                 watch "ls -ail"
[3]-  Stopped                 watch "ls -ai"
[4]+  Stopped                 watch "ls -a"
Use the fg command to bring a process to the foreground. The "+" in the jobs output indicates the default process you can bring to the foreground.
Type fg to bring job #4 to the foreground.
> fg
Type fg 2 to bring job #2 to the foreground.
> fg 2
Type bg 2 to bring job #2 to the background.
> bg 2
> top
top - 14:35:42 up 18:00,  3 users,  load average: 0.00, 0.02, 0.05
Tasks: 106 total,   1 running, 105 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  0.0 sy,  0.0 ni,100.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :   999936 total,   576608 free,   135928 used,   287400 buff/cache
KiB Swap:  1257468 total,  1257468 free,        0 used.   672400 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
    1 root      20   0   45772   6112   3808 S  0.0  0.6   0:02.52 /usr/lib/systemd/systemd+
    2 root      20   0       0      0      0 S  0.0  0.0   0:00.02 [kthreadd]
    3 root      20   0       0      0      0 S  0.0  0.0   0:00.28 [ksoftirqd/0]
    7 root      rt   0       0      0      0 S  0.0  0.0   0:00.00 [migration/0]
    8 root      20   0       0      0      0 S  0.0  0.0   0:00.00 [rcu_bh]
    9 root      20   0       0      0      0 S  0.0  0.0   0:01.01 [rcu_sched]
   10 root      rt   0       0      0      0 S  0.0  0.0   0:00.45 [watchdog/0]
   12 root      20   0       0      0      0 S  0.0  0.0   0:00.00 [kdevtmpfs]
   13 root       0 -20       0      0      0 S  0.0  0.0   0:00.00 [netns]
   14 root      20   0       0      0      0 S  0.0  0.0   0:00.02 [khungtaskd]
...
The CPU(s) row shows: