Thursday, June 19, 2014

Linux Processes

Process is a running instance of a program. Linux is a multitasking operating system, which means that more than one process can be active at once. Use ps command to find out what processes are running on your system.


1. List Currently Running Processes (ps -ef, ps -aux)

Its a commonly used example with a ps command to list down all the process which are currently running in a machine. The following example shows the options of ps command to get all the processes.

$ ps -ef
root     26551     5  0 Feb10 ?        00:03:41 [pdflush]
root     26570     5  0 Feb10 ?        00:00:20 [pdflush]
root     30344  3382  0 Feb21 ?        00:00:11 sshd: root@pts/14
root     30365 30344  0 Feb21 pts/14   00:00:02 -bash
root     30393  3382  0 Feb21 ?        00:00:10 sshd: root@pts/15
Where:
  • -e to display all the processes.
  • -f to display full format listing.
In case of BSD machines, you can use ‘ps -aux’ will give the details about all the process as shown above.
$ ps -aux

2. List the Process based on the UID and Commands (ps -u, ps -C)

Use -u option to displays the process that belongs to a specific username. When you have multiple username, separate them using a comma. The example below displays all the process that are owned by user wwwrun, or postfix.

$ ps -f -u wwwrun,postfix
UID        PID  PPID  C STIME TTY          TIME CMD
postfix   7457  7435  0 Mar09 ?        00:00:00 qmgr -l -t fifo -u
wwwrun    7495  7491  0 Mar09 ?        00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun    7496  7491  0 Mar09 ?        00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun    7497  7491  0 Mar09 ?        00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun    7498  7491  0 Mar09 ?        00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun    7499  7491  0 Mar09 ?        00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   10078  7491  0 Mar09 ?        00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   10082  7491  0 Mar09 ?        00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
postfix  15677  7435  0 22:23 ?        00:00:00 pickup -l -t fifo -u
 
Often ps is used with grep like “ps -aux | grep command” to get the list of process with the given command.But ps command itself has an option to achieve the same. The following example shows that all the processes which has tatad.pl in its command execution.

$ ps -f -C tatad.pl
UID        PID  PPID  C STIME TTY          TIME CMD
root      9576     1  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root      9577  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root      9579  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root      9580  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root      9581  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root      9582  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root     12133  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
Note: We can create aliases for ps command to list processes based on commands, users or groups.

3. List the processes based on PIDs or PPIDs (ps -p, ps –ppid)

Each process will be assigned with the unique Process ID (PID).
When you launch some application, it might fork number of processes and each sub process will have its own PID. So, each process will have its own process id and parent processid.
For all the processes that a process forks will have the same PPID (parent process identifier). The following method is used to get a list of processes with a particular PPID.
$ ps -f --ppid 9576
UID        PID  PPID  C STIME TTY          TIME CMD
root      9577  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root      9579  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root      9580  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root      9581  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root      9582  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
root     12133  9576  0 Mar09 ?        00:00:00 /opt/tata/perl/bin/perl /opt/tata/bin/tatad.pl
The following example is to list the processes which has given PID.
$ ps -f  -p 25009,7258,2426
UID        PID  PPID  C STIME TTY          TIME CMD
root      2426     4  0 Mar09 ?        00:00:00 [reiserfs/0]
root      7258     1  0 Mar09 ?        00:00:00 /usr/sbin/nscd
postfix  25009  7435  0 00:02 ?        00:00:00 pickup -l -t fifo -u

4. List Processes in a Hierarchy (ps –forest)

The example below display the process Id and commands in a hierarchy. –forest is an argument to ps command which displays ASCII art of process tree. From this tree, we can identify which is the parent process and the child processes it forked in a recursive manner.
$ ps -e -o pid,args --forest
  468  \_ sshd: root@pts/7
  514  |   \_ -bash
17484  \_ sshd: root@pts/11
17513  |   \_ -bash
24004  |       \_ vi ./790310__11117/journal
15513  \_ sshd: root@pts/1
15522  |   \_ -bash
 4280  \_ sshd: root@pts/5
 4302  |   \_ -bash
Note: You can also use tree and pstree command to displays process in a nice tree structure.

5. List elapsed wall time for processes (ps -o pid,etime=)

If you want the get the elapsed time for the processes which are currently running ps command provides etime which provides the elapsed time since the process was started, in the form [[dd-]hh:]mm:ss.
The below command displays the elapsed time for the process IDs 1 (init) and process id 29675.
For example “10-22:13:29″ in the output represents the process init is running for 10days, 22hours,13 minutes and 29seconds. Since init process starts during the system startup, this time will be same as the output of the ‘uptime’ command.
# ps -p 1,29675 -o pid,etime=
  PID
    1 10-22:13:29
29675  1-02:58:46

6. List all threads for a particular process (ps -L)

You can get a list of threads for the processes. When a process hangs, we might need to identify the list of threads running for a particular process as shown below.
 $ ps -C java -L -o pid,tid,pcpu,state,nlwp,args
  PID   TID %CPU S NLWP COMMAND
16992 16992  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 16993  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 16994  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 16995  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 16996  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 16997  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 16998  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 16999  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 17000  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 17001  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 17002  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 17003  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 17024  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 15753  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
16992 15754  0.0 S   15 ../jre/bin/java -Djava.ext.dirs=../jre/lib/ext:../lib:../auto_lib -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006
-L option is used to display the list of threads for a process which has the command given. And it also displays nlwp, which represents number of light weight processes. In the above example, a total of 15 java threads are running.

7. Finding memory Leak (ps –sort pmem)

A memory leak, technically, is an ever-increasing usage of memory by an application.
With common desktop applications, this may go unnoticed, because a process typically frees any memory it has used when you close the application.
However, In the client/server model, memory leakage is a serious issue, because applications are expected to be available 24×7. Applications must not continue to increase their memory usage indefinitely, because this can cause serious issues. To monitor such memory leaks, we can use the following commands.
$ ps aux --sort pmem

USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  1520  508 ?        S     2005   1:27 init
inst  1309  0.0  0.4 344308 33048 ?      S     2005   1:55 agnt (idle)
inst  2919  0.0  0.4 345580 37368 ?      S     2005  20:02 agnt (idle)
inst 24594  0.0  0.4 345068 36960 ?      S     2005  15:45 agnt (idle)
root 27645  0.0 14.4 1231288 1183976 ?   S     2005   3:01 /TaskServer/bin/./wrapper-linux-x86-32
In the above ps command, –sort option outputs the highest %MEM at bottom. Just note down the PID for the highest %MEM usage. Then use ps command to view all the details about this process id, and monitor the change over time. You had to manually repeat ir or put it as a cron to a file.
$ ps ev --pid=27645
PID TTY STAT TIME MAJFL TRS DRS RSS %MEM COMMAND
27645 ? S 3:01 0 25 1231262 1183976 14.4 /TaskServer/bin/./wrapper-linux-x86-32

$ ps ev --pid=27645
PID TTY STAT TIME MAJFL TRS DRS RSS %MEM COMMAND
27645 ? S 3:01 0 25 1231262 1183976 14.4 /TaskServer/bin/./wrapper-linux-x86-32

 

 

Code Vs Program Vs Process



Lets first understand difference between code, program and process.


Code: Following is an example of code :
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    printf("\n Hello World\n");
    sleep(10);

    return 0;
}
 
Lets save the above piece of code in a file named helloWorld.c. So this file becomes code.
Program: Now, when the code is compiled, it produces an executable file. Here is how the above code is compiled :

$ gcc -Wall helloWorld.c -o helloWorld
 
This would produce an executable named helloWorld. This executable is known as a program.

Process: Now, lets run this executable :
$ ./helloWorld 

 Hello World
  • Once run, a process corresponding to this executable(or program) is created. This process will execute all the machine code that was there in the program. This is the reason why a process is known as running instance of a program.
  • To check the details of the newly created process, run the ps command in following way :
$ ps -aef | grep hello*
1000      6163  3017  0 18:15 pts/0    00:00:00 ./helloWorld
To understand the output of ps command, read our article on 7 ps command examples.

2. Parent and Child Process

Every process has a parent process and it may or may not have child processes. Lets take this one by one. Consider the output of ps command on my Ubuntu machine :
1000      3008     1  0 12:50 ?        00:00:23 gnome-terminal
1000      3016  3008  0 12:50 ?        00:00:00 gnome-pty-helper
1000      3017  3008  0 12:50 pts/0    00:00:00 bash
1000      3079  3008  0 12:58 pts/1    00:00:00 bash
1000      3321     1  0 14:29 ?        00:00:12 gedit
root      5143     2  0 17:20 ?        00:00:04 [kworker/1:1]
root      5600     2  0 17:39 ?        00:00:00 [migration/1]
root      5642     2  0 17:39 ?        00:00:00 [kworker/u:69]
root      5643     2  0 17:39 ?        00:00:00 [kworker/u:70]
root      5677     2  0 17:39 ?        00:00:00 [kworker/0:2]
root      5680     2  0 17:39 ?        00:00:00 [hci0]
root      5956   916  0 17:39 ?        00:00:00 /sbin/dhclient -d -sf /usr/lib/NetworkManager/nm-dhcp-client.action -pf /run/sendsigs.
root      6181     2  0 18:35 ?        00:00:00 [kworker/1:0]
root      6190     2  0 18:40 ?        00:00:00 [kworker/1:2]
1000      6191  3079  0 18:43 pts/1    00:00:00 ps -aef
 
  • Integers in second and third column of the above output represent process ID and parent process ID. 
  • Observe the figures highlighted in bold. When I executed the command ‘ps -aef’, a process was created, its process ID is 6191. Now, look at its parents process ID, it is 3079. If you look towards the beginning of the output you will see that ID 3079 is the process ID of bash process.
  •  This confirms that bash shell is the parent for any command that you run through it.
  • Similarly, even for processes that are not created through shell, there is some parent process. Just run ‘ps -aef’ command on your Linux machine and observe the PPID (parent process ID)column.
  •  You will not see any empty entry in it. This confirms that every process has a parent process.
  • Now, lets come to child processes. Whenever a process creates another process, the former is called parent while latter is called child process. Technically, a child process is created by calling fork() function from within the code. Usually when you run a command from shell, the fork() is followed by exec() series of functions.
  • We discussed that every process has a parent process, this can bring a question that what will happen to a child process whose parent process is killed? Well, this is a good question but lets come back to it sometime later.

3. The init Process

  • When Linux system is booted, First thing that gets loaded into memory is vmlinuz. 
  • It is the compressed Linux kernel executable. This results in the creation of init process. 
  • This is the first process that gets created. Init process has PID of one, and is the super parent of all the processes in a Linux session. If you consider Linux process structure as a tree then init is the starting node of that tree.
  • To confirm that init is the first process, you can run the pstree command on your Linux box. This command displays the tree of processes for a Linux session.
Here is a sample output :
init-+-NetworkManager-+-dhclient
     |                |-dnsmasq
     |                `-3*[{NetworkManager}]
     |-accounts-daemon---2*[{accounts-daemon}]
     |-acpid
     |-at-spi-bus-laun-+-dbus-daemon
     |                 `-3*[{at-spi-bus-laun}]
     |-at-spi2-registr---{at-spi2-registr}
     |-avahi-daemon---avahi-daemon
     |-bamfdaemon---3*[{bamfdaemon}]
     |-bluetoothd
     |-colord---{colord}
     |-console-kit-dae---64*[{console-kit-dae}]
     |-cron
     |-cups-browsed
     |-cupsd
     |-2*[dbus-daemon]
     |-dbus-launch
     |-dconf-service---2*[{dconf-service}]
     |-evince---3*[{evince}]
     |-evinced---{evinced}
     |-evolution-sourc---2*[{evolution-sourc}]
     |-firefox-+-plugin-containe---16*[{plugin-containe}]
     |         `-36*[{firefox}]
     |-gconfd-2
     |-gedit---3*[{gedit}]
     |-6*[getty]
     |-gnome-keyring-d---7*[{gnome-keyring-d}]
     |-gnome-terminal-+-bash
     |                |-bash-+-less
     |                |      `-pstree
     |                |-gnome-pty-helpe
     |                `-3*[{gnome-terminal}]
     |-gvfs-afc-volume---2*[{gvfs-afc-volume}]
     |-gvfs-gphoto2-vo---{gvfs-gphoto2-vo}
     |-gvfs-mtp-volume---{gvfs-mtp-volume}
     |-gvfs-udisks2-vo---{gvfs-udisks2-vo}
     |-gvfsd---{gvfsd}
     |-gvfsd-burn---2*[{gvfsd-burn}]
     |-gvfsd-fuse---4*[{gvfsd-fuse}]
     ...
     ...
     ...
  • The output confirms that init is at the top of process tree. Also, if you observe the text in bold, you will see the complete parent child relation of pstree process. 
  • Now, lets come back to the question (we left open in the last section) about the consequences when parent process gets killed while child is still alive. Well in this case, the child obviously becomes orphan but is adopted by the init process. So, init process becomes the new parent of those child processes whose parents are terminated.

4. Process Life Cycle

In this section, we will discuss the life cycle of a normal Linux process covers before it is killed and removed from kernel process table.
  • As already discussed, a new process is created through fork() and if a new executable is to be run then exec() family of functions is called after fork().  As soon as this new process is created, it gets queued into the queue of processes that are ready to run.
  • If only fork() was called then it is highly likely that new process runs in user mode but if exec() is called then the new process will run in kernel mode until a fresh process address space is created for it.
  • While the process is running, a higher priority process can pre-empt it through an interrupt. In this case, the pre-empted process again goes into queue of processes that are ready to run. This process is picked up by the scheduler at some later stage.
  • A process can enter into kernel mode while running. This is possible when it requires access some resource like text file which is kept on hard disk. As operations involving access to hardware may take time, it is highly likely that process will go to sleep and will wake up only when the requested data is available.  When the process is awakened, it does not mean that it will start executing immediately, it will again queue up and will be picked for execution by scheduler at appropriate time.
  • A process can be killed through many ways. It can call exit() function to exit or can process Linux signals to exit. Also, some signals cannot be caught and cause the process to terminate immediately.
  • There are different types of Linux process. Once the process is killed, it does not get completely eliminated. An entry containing some information related to it is kept in the Kernel process address table till the parent process explicitly calls wait() or waitpid() functions to get the exit status of child process. Until parent process does this, the terminated process is known as zombie process.



Types of process

So we see that process is a concept that is fundamental to an operating system. Almost every activity on an OS takes form of a process to do some stuff. There are different types of processes running on a system, some of them are :

Child processes

A process that is created by some other process during run-time. Usually child processes are created to execute some binary from within an existing process. Child processes are created using fork() system call. Normally process are made to run through shell/terminal. In that case the shell becomes the parent and the executed process becomes the child process. On Unix/Linux each process has a parent except the init process(we will learn about this later).

Daemon Processes

These are special processes that run in background. They are system related process that have no associated terminal. These processes run will root permissions and usually provide services to processes. As we already know that a daemon process does not have an attached terminal, well to achieve this the process has to be detached from the terminal. The ideal way on Linux/Unix to do this is to run a process through terminal and from within this process create another process and then terminate the parent process. Since the parent is terminated so now the child will become independent of the terminal and would be taken over by init process and hence would become a daemon process. A typical example would be a mail daemon that waits for the arrival of e-mails and notify when a mail is received.

Orphan processes

Usually a process creates a child process (as described above) and when the child process terminates, a signal is issued to the parent so that parent can do all the stuff that it is required to do when one of the child gets terminated. But there are situations when parent gets killed. In that case the child processes become orphan and then taken under by the init process. Though the init process takes the ownership of the orphan process but still these process are called as orphan as their original parents no longer exists.

Zombie process

When a child process gets terminated or completes its execution, then its entry in the process table remains until the parent process fetches the status information of the terminated child. So, until then the terminated process enters zombie state and is known as zombie process.  When a process is terminated then all the memory and resources associated with the process are released but the entry of the process in process table exists. A signal SIGCHILD is send to the parent of the process (that just terminated). Typically, the handler of this signal in the parent executes a ‘wait’ call that fetches the exit status of the terminated process and then the entry of this zombie process from the process table is also removed.

The init process

As we discussed earlier, init process is the 5th stage in the 6 St.age of Linux Boot Process.
You would be cognizant of the famous ‘chicken and egg’ theory regarding who came first. In terms of processes, as each process has a parent process, the same question can be asked about parent or child process. Well, fortunately there is an answer here. The answer is the init process that is started as a first process during boot sequence. That means there is no parent of init process. Lets verify it, since PID of init is ’1′, we use the ps command :
So we see from the output that PPID is 0, which means that there is no parent for this process.
$ ps -l 1
F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY        TIME CMD
4 S     0     1     0  0  80   0 -  5952 poll_s ?          0:00 /sbin/init

No comments:

Post a Comment