Linux processes

A process is a program in execution in memory. Any program executed creates a process. A program can be a command, a shell script, or any binary executable or any application.

A process has some associated properties:

  • PID : Process-Id. Every process created in Unix/Linux has an identification number associated with it, which is called the process id. The kernel uses this process id to identify the process, similar to how the inode number is used for file identification. The PID is unique for a process at any given point in time. However, a PID can be recycled for a new process once the old one has exited.

  • PPID : Parent Process Id. Every process has to be created by another process. The process which creates a process is the parent process, and the process being created is the child process. The PID of the parent process is called the parent process id (PPID).

  • TTY: The terminal with which the process is associated. TTY now stands for terminal type but originally stood for teletype. It represents the name of the console or terminal (i.e., combination of monitor and keyboard) that the user logged into. Every command is run from a terminal, which is associated with the process. However, not all processes are associated with a terminal. Processes which do not belong to any terminal are called daemons.

  • UID: User Id. The user to whom the process belongs. Only the user who owns the process can kill it; the root user can kill any process. When a process tries to access files, access depends on the permissions the process owner has on those files.
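The PID, PPID and TTY properties above can be read straight from a /proc/<pid>/stat record, the kernel data that ps reports. The following is an added example, not part of the original page; the two sample records and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: pull PID, PPID and the controlling-terminal number out of one
# /proc/<pid>/stat record. Both sample records are constructed.
SAMPLE_TTY='4242 (my (odd) name) S 4000 4242 4000 34816 4242 4194304 120 0'
SAMPLE_DAEMON='646 (auditd) S 1 646 646 0 -1 4194560 35 0'

# parse_stat RECORD: print "pid ppid tty_nr name".
# The name sits in parentheses and may itself contain spaces or ")", so it is
# cut at the LAST ")" instead of splitting the record on whitespace.
parse_stat() {
    rec=$1
    pid=${rec%% *}          # field 1 ends at the first space
    name=${rec#*\(}         # drop "pid ("
    name=${name%\)*}        # keep text up to the last ")"
    set -- ${rec##*\) }     # after the name: state ppid pgrp session tty_nr ...
    printf '%s %s %s %s\n' "$pid" "$2" "$5" "$name"
}

# tty_dev TTY_NR: decode the packed device number into "major:minor"
# (major in bits 15-8, minor in bits 31-20 and 7-0, per proc(5)).
tty_dev() {
    echo "$(( ($1 >> 8) & 255 )):$(( ($1 & 255) | (($1 >> 12) & 1048320) ))"
}

# is_daemon_like RECORD: true when tty_nr is 0, i.e. no controlling terminal;
# ps prints "?" in the TTY column for such a process.
is_daemon_like() {
    parse_stat "$1" | { read -r _pid _ppid tty _name; [ "$tty" = 0 ]; }
}

parse_stat "$SAMPLE_TTY"        # 4242 4000 34816 my (odd) name
tty_dev 34816                   # 136:0, which is /dev/pts/0
is_daemon_like "$SAMPLE_DAEMON" && echo "auditd has no controlling terminal"

# On a Linux host the same function works on the live record of this shell.
if [ -r "/proc/$$/stat" ]; then
    IFS= read -r self < "/proc/$$/stat" && parse_stat "$self"
fi
```

A process can choose its own name, so a tool that splits the record on spaces can be made to report the wrong PPID or TTY; cutting at the last ")" avoids that.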


Parent & Child Process

Every process in Unix has to be created by some other process. Hence, the process for the ps command is also created by some other process. The 'ps' command is run from the login shell. The shell is a process that has been running in memory from the moment the user logged in. So, for all commands triggered from the login shell, the login shell is the parent process and the process created for the command being executed is the child process. Along the same lines, 'ksh' is the parent process of the child process 'ps'.


the ps command

The ps command on Linux is one of the most basic commands for viewing the processes running on the system. It provides a snapshot of the current processes along with detailed information such as user id, CPU usage, memory usage and command name. It does not display data in real time like the top or htop commands. By default, the ps command only shows what is running in the current terminal.

The basic ps command shows the attributes of the current user's processes:

> ps
   PID TTY          TIME CMD
 15502 pts/0    00:00:00 bash
 15916 pts/0    00:00:00 ps

Attributes shown include:

  • PID - Process ID; the unique id of the process
  • TTY - terminal; the device number of the controlling tty, if any
  • TIME - the amount of CPU (central processing unit) time in minutes and seconds that the process has been running.
  • CMD - the name of the command that launched the process.

Additional switches give us more information about the process:

  • PPID - The process ID of the parent to this process (the process that started this process)
  • C - The percentage of CPU time used by this process since it was started
  • UID - user that owns process
  • STIME - The time (and date if before today) that this process was started

ps switches

********* simple selection *********  ********* selection by list *********
-A all processes                      -C by command name
-N negate selection                   -G by real group ID (supports names)
-a all w/ tty except session leaders  -U by real user ID (supports names)
-d all except session leaders         -g by session OR by effective group name
-e all processes                      -p by process ID
T  all processes on this terminal     -s processes in the sessions given
a  all w/ tty, including other users  -t by tty
g  OBSOLETE -- DO NOT USE             -u by effective user ID (supports names)
r  only running processes             U  processes for specified users
x  processes w/o controlling ttys     t  by tty
*********** output format **********  *********** long options ***********
-o,o user-defined  -f full            --Group --User --pid --cols --ppid
-j,j job control   s  signal          --group --user --sid --rows --info
-O,O preloaded -o  v  virtual memory  --cumulative --format --deselect
-l,l long          u  user-oriented   --sort --tty --forest --version
-F   extra full    X  registers       --heading --no-heading --context
                    ********* misc options *********
-V,V  show version      L  list format codes  f  ASCII art forest
-m,m,-L,-T,H  threads   S  children in sum    -y change -l format
-M,Z  security data     c  true command name  -c scheduling class
-w,w  wide output       n  numeric WCHAN,UID  -H process hierarchy

using ps to get full list of processes

The following ps command will show the complete list of processes (e) in long or "full" format (f).

> ps -ef

UID         PID   PPID  C STIME TTY          TIME CMD
root          1      0  0 10:33 ?        00:00:01 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root          2      0  0 10:33 ?        00:00:00 [kthreadd]
root          3      2  0 10:33 ?        00:00:00 [ksoftirqd/0]
root          7      2  0 10:33 ?        00:00:00 [migration/0]
root          8      2  0 10:33 ?        00:00:00 [rcu_bh]
root          9      2  0 10:33 ?        00:00:00 [rcu_sched]
root         10      2  0 10:33 ?        00:00:00 [watchdog/0]
root         12      2  0 10:33 ?        00:00:00 [kdevtmpfs]
root         13      2  0 10:33 ?        00:00:00 [netns]
root         14      2  0 10:33 ?        00:00:00 [khungtaskd]
...

To filter the processes by the owning user (effective user), use the "-u" option followed by the username. Here we show processes owned by user (u) root in full format (f).

> ps -fu root
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jun14 ?        00:00:04 /sbin/init
root         2     0  0 Jun14 ?        00:00:00 [kthreadd]
root         3     2  0 Jun14 ?        00:00:00 [migration/0]
root         4     2  0 Jun14 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 Jun14 ?        00:00:00 [migration/0]
root         6     2  0 Jun14 ?        00:00:00 [watchdog/0]
root         7     2  0 Jun14 ?        00:00:00 [migration/1]
...

Many processes are actually forked from some parent process, and knowing this parent-child relationship is often helpful. The -H or '--forest' option will construct an ASCII-art-style tree view of the process hierarchy.

> ps -ef --forest 
...
root      16026      2  0 19:00 ?        00:00:00   [kworker/0:1]
root          1      0  0 May17 ?        00:00:02 /usr/lib/systemd/systemd --system --deserialize 13
root        497      1  0 May17 ?        00:00:01   /usr/lib/systemd/systemd-journald
root        509      1  0 May17 ?        00:00:00   /usr/sbin/lvmetad -f
root        520      1  0 May17 ?        00:00:00   /usr/lib/systemd/systemd-udevd
root        646      1  0 May17 ?        00:00:00   /sbin/auditd -n
root        663      1  0 May17 ?        00:00:00   /usr/lib/systemd/systemd-logind
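The same parent-child links can be rebuilt from the PID and PPID columns of any saved "ps -ef" listing, which helps when reviewing where a process came from. This is an added example, not part of the original page; the sample listing and the function names ancestry and shells_under are constructed for illustration.

```shell
#!/bin/sh
# Added example: rebuild parent/child links from the PID and PPID columns of
# "ps -ef". SAMPLE is constructed for illustration, not captured from a host.
SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May17 ?        00:00:02 /usr/lib/systemd/systemd --system
root      2112     1  0 May17 ?        00:00:04 /usr/sbin/httpd -DFOREGROUND
apache    2619  2112  0 May17 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3301  2619  0 19:02 ?        00:00:00 sh -c uptime
root       900     1  0 May17 ?        00:00:00 /usr/sbin/sshd -D
root     26962   900  0 22:44 ?        00:00:00 sshd: andrew [priv]
andrew   26970 26962  0 22:44 pts/1    00:00:00 -bash
andrew   27003 26970  0 22:44 pts/1    00:00:03 find / -name lostfile'

# Shared awk prelude: index every row by PID; base() reduces CMD to a bare name
# ("/usr/sbin/httpd" -> "httpd", "-bash" -> "bash", "sshd:" -> "sshd").
LOAD='function base(c) { if (c ~ /^\[/) return c   # kernel thread, keep as is
    sub(/^-/, "", c); sub(/:$/, "", c); sub(/.*\//, "", c); return c }
NR > 1 { ppid[$2] = $3; name[$2] = base($8) }'

# ancestry PID: print the chain from PID up to the top of the tree.
ancestry() {
    awk -v want="$1" "$LOAD"'
    END {
        # Stop at a PID missing from the listing; cap hops so bad input cannot loop.
        for (p = want; (p in ppid) && hops < NR; hops++) {
            out = out (out == "" ? "" : " <- ") name[p] "(" p ")"
            p = ppid[p]
        }
        print out
    }'
}

# shells_under NAME: PIDs of shells that have a process called NAME above them.
shells_under() {
    awk -v anc="$1" "$LOAD"'
    END {
        for (pid in name) {
            if (name[pid] !~ /^(sh|bash|dash|ksh|zsh)$/) continue
            p = ppid[pid]
            for (hops = 0; (p in ppid) && hops < NR; hops++) {
                if (name[p] == anc) { print pid; break }
                p = ppid[p]
            }
        }
    }' | sort -n
}

printf '%s\n' "$SAMPLE" | ancestry 3301      # sh(3301) <- httpd(2619) <- httpd(2112) <- systemd(1)
printf '%s\n' "$SAMPLE" | shells_under httpd # 3301
```

On a live host, pipe the output of ps -ef into either function instead of the sample.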

To search the processes by their name or command use the "-C" option followed by the search term.

> ps -C httpd
  PID TTY          TIME CMD
 2112 ?        00:00:04 httpd
 2619 ?        00:00:00 httpd
 2620 ?        00:00:00 httpd
 2621 ?        00:00:00 httpd
 2622 ?        00:00:00 httpd
 2623 ?        00:00:00 httpd
 2624 ?        00:00:00 httpd
 2625 ?        00:00:00 httpd
 2626 ?        00:00:00 httpd

Sort processes by CPU or memory usage.

Multiple fields can be specified with the "--sort" option, separated by commas. Additionally, the fields can be prefixed with a "-" or "+" symbol indicating descending or ascending sort respectively. There are many parameters by which the process list can be sorted. Check the man page for the complete list.

Display the processes consuming the most CPU. The header counts as one of the five lines that head -5 keeps, so four processes are listed.

> ps aux --sort=-pcpu | head -5
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
andrew   27003 75.2  0.0 112268  1240 pts/1    R+   22:44   0:03 find / -name lostfile
root     27008  3.0  0.0 110344  1132 pts/0    R+   22:44   0:00 ps aux --sort=-pcpu
root     26962  2.0  0.1  99940  4500 ?        S    22:44   0:00 sshd: andrew [priv]
root     27005  0.5  0.0  98544  3792 ?        S    22:44   0:00 sshd: unknown [priv]


watch - execute a program periodically

The watch command executes a program periodically, showing its output fullscreen. By default it will run every 2 seconds. The -n switch allows you to specify the interval in seconds.

> watch "ps"
> watch -n10 "ps"


Background processing

Use the & character to start a process in the background, so you can continue to use the shell and do not have to wait until the script is finished. If you forget it, you can stop the currently running process with Ctrl-Z and continue it in the background with bg (or in the foreground with fg).

In this example, we submit several watch jobs for background processing:

> watch "ls -ails" &
> watch "ls -ail" &
> watch "ls -ai" &
> watch "ls -a" &

Use the jobs command to see submitted jobs:

> jobs
[1]   Stopped                 watch "ls -ails"
[2]   Stopped                 watch "ls -ail"
[3]-  Stopped                 watch "ls -ai"
[4]+  Stopped                 watch "ls -a"

Use the fg command to bring a process to the foreground. The "+" in the jobs output marks the default job that fg will bring to the foreground.

Type fg to bring job #4 to the foreground.

> fg 

Type fg 2 to bring job #2 to the foreground.

> fg 2

Type bg 2 to resume job #2 in the background.

> bg 2


top command

The top command displays the processor activity of your Linux box and also displays the tasks managed by the kernel in real time. It shows how the processor and memory are being used, along with other information such as running processes. The default sort order is by CPU usage.

> top
top - 14:35:42 up 18:00,  3 users,  load average: 0.00, 0.02, 0.05
Tasks: 106 total,   1 running, 105 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  0.0 sy,  0.0 ni,100.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :   999936 total,   576608 free,   135928 used,   287400 buff/cache
KiB Swap:  1257468 total,  1257468 free,        0 used.   672400 avail Mem

   PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
     1 root      20   0   45772   6112   3808 S  0.0  0.6   0:02.52 /usr/lib/systemd/systemd+
     2 root      20   0       0      0      0 S  0.0  0.0   0:00.02 [kthreadd]
     3 root      20   0       0      0      0 S  0.0  0.0   0:00.28 [ksoftirqd/0]
     7 root      rt   0       0      0      0 S  0.0  0.0   0:00.00 [migration/0]
     8 root      20   0       0      0      0 S  0.0  0.0   0:00.00 [rcu_bh]
     9 root      20   0       0      0      0 S  0.0  0.0   0:01.01 [rcu_sched]
    10 root      rt   0       0      0      0 S  0.0  0.0   0:00.45 [watchdog/0]
    12 root      20   0       0      0      0 S  0.0  0.0   0:00.00 [kdevtmpfs]
    13 root       0 -20       0      0      0 S  0.0  0.0   0:00.00 [netns]
    14 root      20   0       0      0      0 S  0.0  0.0   0:00.02 [khungtaskd]
	...

The CPU(s) row shows:

  • CPU state percentages based on the interval since the last refresh. Where two labels are shown below, those for more recent kernel versions are shown first.
  • us, user : time running un-niced user processes
  • sy, system : time running kernel processes
  • ni, nice : time running niced user processes
  • wa, IO-wait : time waiting for I/O completion
  • hi : time spent servicing hardware interrupts
  • si : time spent servicing software interrupts
  • st : time stolen from this vm by the hypervisor