LFCS - Linux Process Management

Jarret B

Well-Known Member
Staff member
May 22, 2017
Reaction score
Every application running on a Linux machine is a process. Some applications may have multiple processes to help create the whole application. Managing these processes may seem an overwhelming task, but let’s make sense of it so it becomes easy
Every process has a Process ID (PID) which distinguishes it from other processes.

Process IDs

As Linux starts up, every application or process is given a number starting with 1. On an Ubuntu system, the process with PID of 1 is the 'systemd’.
For the ability to see this on your system you need to run the application ‘top’ in a Terminal. By default, the 'top' command should already be sorted by the PID. To see the beginning of the list press the 'end' key. You should now see the beginning of the list starting with the process that has the PID of 1 which is 'systemd'. To end the 'top' application press 'q' until you are back at the Terminal prompt.
You can list processes in a Terminal using the ‘ps’ or Process Status command. If you want only a specific PID then run the command ‘ps -PID’. For example, to see the application of the PID 1 you would run the command ‘ps -1’. The output may be a little different from the ‘top’ command, but it is the same. To get more information use the parameter ‘-F’.

NOTE: The ‘/sbin/init splash’ is a symbolic link to ‘systemd’.

To list all of the processes on your system, use the command ‘ps -elf’. The parameter ‘e’ is to list everything. The ‘l’ parameter displays a long listing and the ‘f’ is for a full listing. You can get quite a bit of information from this listing as shown in Figure 1.

Figure 01.jpg


The User ID (UID) is the name of the user which executed the command. The ‘TIME’ is the amount of time the process has been processed by the CPU. The command which has been executed is in the CMD column.
Using the command ‘top’ you can list all the processes and sort the list by a specific column.
You can use the option ‘F’ instead of ‘f’ to get an even fuller listing. There is a column which is represented by RSS which stands for ‘Resident Set Size’ or the memory used by the process. This is an easy way to determine which process is using most of your RAM in your system.
If you are looking for a specific process you can pipe the information through a ‘grep’ command. For instance, if you want to see if you have Firefox running you can use the command: ‘ps -ef | grep firefox’. Now, if Firefox is running you should get a listing of more than one process, as shown in Figure 2. Firefox requires more than one process for the application. Parts of Firefox are running as separate processes, such as each tab is a different process. You cannot stop a child process because the parent must be stopped which in turn stops all of the processes under it.

Figure 02.jpg


When you use ‘ps’ and ‘grep’ the last given line of information is the actual ‘grep’ command. The ‘ps’ process has quit and the ‘grep’ process is still active during the output.

If you want only the parent process then you can use the command ‘pgrep’ followed by the process name. For example, to find the parent process for Firefox you would use the command ‘pgrep firefox’ as shown in Figure 3. The result is the PID for the Firefox parent process. In a bit, we'll go over how to stop or kill a process.

Figure 03.jpg


Process Folder (/proc)

Since everything in Linux is a file, even processes, the ‘/proc’ folder holds all of the files of information about the processes on the system.
You can execute the 'ls' command to list files and folders in the '/proc' folder. An example is shown in Figure 4. The first thing you may notice is the numerous folders that have numeric names. These folders are named for the specific PID for which they contain the process information.

Figure 04.jpg


If I were to find the PID for Firefox, which is running on my system, I can open that specific PID folder. By running 'pgrep firefox' I get a result of '6106'. After I change to the 'proc' folder with the command 'cd /proc' I can then change to my Firefox PID folder. The command for me is 'cd 6106', which will most definitely be different for your system. Once in the Firefox PID folder, I can see what the folder contains by executing 'ls'.
One of the files listed there is a file named ‘cmdline’. If I view the file with the command ‘cat cmdline’ you will see the result is the location and name of the file used to start Firefox process. Another file called ‘limits’ shows the ‘Soft’ and ‘Hard’ limits for the process (cat limits).

NOTE: Every time you open a Terminal there is a new process created. In a Terminal, if you want to get to the '/proc' folder and the folder for the Terminal Process you can use the command 'cd /proc/$$'. The '$$' contains the PID of the current process. You can get the PID by the command 'echo $$'.

One more useful command to use in the '/proc' folder is the command 'cat loadavg' as shown in Figure 5. There are five sets of numbers given by the command. The first three are the averages of the jibs waiting for Disk I/O over the last 5, 10 and 15 minutes. The fourth set is two numbers separated by a slash (/). The first number is the number of scheduling entities being run (processes and threads). The second number is the number of kernel scheduling entities that exist. The fifth number is the last PID used by the system which is most likely the current 'cat' command just executed.

Figure 05.jpg


The command 'cat meminfo' shows useful information on the memory state of your system. Another command is 'cat version' which displays the version of your Linux Kernel, GCC and Ubuntu version.
Now that you have a grasp of finding and displaying PID information it will be good to know how to stop certain programs.

The Kill Command

The ‘kill’ command is used to send a signal to the given process. The default signal is a ‘SIGnal TERMinate’ or SIGTERM.
To see the various signals you can open a Terminal and type the command 'kill -l' (a lower-case L). The resulting list is made up of 64 different signals. There are only two signals which you need to concern yourself with for the LFCS.
The default is SIGTERM (15) and another option is SIGKILL (9). The numbers for the signals can be used in place of the signal name.
The ‘kill’ command is an easy one: ‘kill -signal PID’.
If I had a Firefox parent PID of 6106 and I wanted to send a SIGTERM signal I could use one of the following commands:

kill 6106
kill -term 6106
kill -sigterm 6106
kill -15 6106

All of these do the same thing. The command sends a signal to terminate the process to the process itself. By using a SIGTERM the process has the option to ignore the signal. In the first example, the signal type does not need to be used since SIGTERM (15) is the default. When using a signal name, the 'SIG' can be dropped, as in example two. In example three, the fill signal name can be used. In the final command, you can use the signal number.
In most cases, the SIGTERM signal can be ignored by the process. In this case, the process can most likely be stopped by a SIGKILL command.

NOTE: Be aware that to stop a process you must send the signal to the parent process and not the child process. Also, you must have permission to stop a process. You can stop any process which you started that has the same User ID (UID). The UID is listed when you use the parameter ‘-f’ with the ‘ps’ command.

If the process does not terminate then you can issue the ‘SIGKILL’ command which will most likely stop any process. From the example above we can use one of the following ‘SIGKILL’ examples:

kill -sigkill 6106
kill -kill 6106
kill -9 6106

NOTE: You can list multiple PIDs separated by a space to kill them all at once.

The process cannot ignore the ‘SIGKILL’ signal as long as you are the ‘owner’ of the process and it is not a child process.
To view the parent and child processes you must first get the parent PID. As mentioned before, use the command ‘pgrep’ followed by the process name. For example, ‘pgrep firefox’ to get the PID of the parent Firefox process. Let’s say the PID is returned as 6106.
You can then issue the command ‘pstree 6106’. The resulting list will show all of the processes for Firefox. An example is shown in Figure 6. Each line has a number followed by an asterisk (*). The value is the number of child processes. You may see quite a few. Other processes may have fewer or no child processes at all.

Figure 06.jpg


If you want to kill a process for which you are not an owner, you can try to use ‘sudo’, but this may not always work.

If you have a Terminal open and want to kill all the processes started by the Terminal, as well as the Terminal, you can issue the command ‘kill -9 0’ or ‘kill -15 0’. The PID of ‘0’ will issue the signal to every process under the current process (the Terminal).
If you want to kill every process you have started, which has your UID, the use the PID of ‘-1’. To kill all your processes the command would be ‘kill -9 -1’ or ‘kill -15 -1’. This command can be similar to logging out.

NOTE: It is possible to use a kill command and not know the PID. The command is ‘pkill’. You can specify the signal type like before, but now you can specify the process name. For example, to kill the Firefox process you can use the command ‘pkill -9 firefox’.


These commands can be very useful if a process is not responding in the Graphical User Interface (GUI). You can easily open a Terminal and kill a process that will not stop in its normal fashion. Be cautious with this command as you can cause system instability if you close the wrong process.
Practice these commands and familiarize yourself with them. They do come in handy at times.

Staff online