Managing Processes I

Summary:

Introducing Processes
Process Monitors
Processes In Detail

Introducing Processes

Did you ever had some program 'hanging' on your machine? Indeed 'hanging' so badly that it gobbled up all system resources, slowing down all operations to a crawl? And didn't you wish there were just a way to kill that damn thing? Were you ever interested in knowing how much system resources a program uses?

Well, you have come to right place, then :-). What are processes? Basically everything going on on your system: your web browser is a process, your web server - if you happen to run one - contains several processes. A process boots your machine and another shuts it down. Every tiny script starts a process, albeit usually a very short one. "A process", says the textbook, "is an instance of a program in execution."

Processes can be started, stopped and continued, killed, given priorities, scheduled. You do many of these actions already without knowing about it: when you open a program, you start a process, by closing the program, you kill the process. It's not some fancy Linux thing either, every modern operation system has them, because processes allow for multi-tasking: by keeping a unified list of what is going on, the operating system can run a schedule, thus providing its user with the illusion of being able to do many things at once.

Usually the operating system, i.e. the kernel, manages processes for you. You only need to interfere, if you have special preferences (e.g. want to have a process to get more resources) or if a process goes awry and starts eating all the available system resources.

section index

Process Monitors

The traditional Unix/Linux tools for viewing and handling processes are the console programs 'top' and 'ps' (part of the 'procps' RPM) as well as a bunch of command line programs like 'kill' or 'nice'.

There are graphical interfaces for these programs, however, which you might find more convenient and easier to use: 'ksysguard' (package 'kdebase-prog'), 'kpm' (package 'kdebase-prog') and 'gnome-system-monitor' (package 'gnome-system-monitor'). 'ksysguard' even allows you to watch and control processes on other machines. They can be found in your menu under System -> System Monitoring.

Since all these tools use the same information from the '/proc' directory (more on that later), they all display processes and their attributes in similar fashion.
If you open them, you'll find a dynamic (apart from 'ps') column display with a row for each process. Columns are:

```
PID
```
This is the Process IDentification number. To the system, processes are not known by their name, but by a unique number. Each new process gets a higher PID. The more processes you run and / or the longer your machine runs, the higher those numbers get. That's normal.
```
User
```
also:
```
Login
```
The user who 'owns', i.e. started this process. Users can only manipulate processes they own. Only 'root' can manipulate all processes.
```
Pri
```
also:
```
Nice
```
or
```
NI
```
The priority of a process in relation to all other processes. Lower numbers indicate higher priority. Standard priority is '0'.
```
Size
```
also:
```
VSZ
```
or
```
VmSize
```
The total amount of virtual system memory a process uses. As explained later on, that's by no means a fair indicator of how much memory the process actually uses. Compare next entry.
```
Resident
```
also:
```
VmRSS
```
or
```
RSS
```
The amount of physical system memory a process uses up. This is more accurate for measuring how much system memory a process needs.
```
Stat
```
(missing in 'ksysguard'): The status of a process. Sane processes are either 'R'unning or 'S'leeping. It is normal that only one process is displayed as 'running' at any given time while the others are 'sleeping' (i.e. waiting for a signal).
```
CPU
```
subdivided in
```
User%
```
and
```
\System%
```
by 'ksysguard'. Percentage of the processor time taken up by the process since the last display refresh.
```
MEM
```
Percentage of physical system memory consumed by the process.
```
Time
```
(missing in 'ksysguard'): Total amount of processor time the process has used since started.
```
Command
```
also:
```
Cmd
```
Command name of the process.

Manipulating processes via the graphical utilities usually just involves 'highlighting' the process you want to handle and using the right mouse button click context menu. 'top' is controlled via shortcut keys, read man top for a list.

Notice that there's a standard key combination for killing graphical applications, . This will change the mouse pointer to a 'death' symbol. Click on an application window and that application will be killed. You still want to check if the processes of that application had been killed, too, though.

section index

Processes In Detail

The father of all processes is 'init' (initializer). The pstree command shows this quite impressively.
'init' manages the runlevels, it controls which processes are started and stopped at which runlevels and it is responsible for bringing the system to these runlevels. If you shutdown your system, you essentially tell 'init' to bring it to runlevel 0. It's the same if you type shutdown -h now or init 0.

Information on current processes is stored in the '/proc' file system. The '/proc' file system consists of kernel data changed in real-time. It is therefore not a 'real' file system like the others: the data contained take up no place on the hard-disk and you can't write to it. But you can extract and change the information contained therein (e.g. using the 'cat' command).

Listing '/proc', you'll find a lot of directories which names only consist of numbers. These numbers are the 'process IDs' (PIDs). If you list such a directory, you'll find files like 'cmdline', which contains the command line the process was started with, or 'stat', which contains number codes on the current process.
For example:

~# cat /proc/1/cmdline
init

Which means: 'The process with the PID 1 was started with the command 'init''. 'init' will always be the first process and thus is the only process with a permanent PID. All other processes will have increasing PIDs, the maximum PID being 32768 (With the 2.6 kernel, this default value can be set to any value up to 2^22 (PID_MAX_LIMIT, approximately 4 million) in the file /proc/sys/kernel/pid_max)(The maximum number of processes on Linux is only limited by the amount of physical memory available).

The children of 'init' can have child processes themselves. If you start a program by typing its name on a command line, the program will be a child of the program which handles the command line. In most cases, this will be 'bash' (the 'Bourne-Again-SHell').
One important thing to know is that child processes 'inherit' some assets of their fathers. If you run a process with 'root' privileges, a child of this process will also have these privileges.

Now you might ask: 'Since init runs with 'root' privileges, and it is the father of all processes, does that mean that all processes and programs on Linux run with root privileges?'

It's obvious they don't do that. Servers like the font server, web servers, mail servers run on their own user account. The font server for example runs on the 'xfs' account, the Apache web server on the 'apache' user account. Servers which don't come with their own user account use the standard 'nobody' user account. These are not 'real' accounts: nobody can login via these so-called system accounts.
The reason for this is security: servers can be accessed from outside the machine. If one of them contains a software flaw which allows attackers to execute commands on your machine as the user who is running the server, it would be a disaster if that user would be 'root'. Notice that this isn't a system mechanism, but a standard feature of Linux servers. You should refrain at all cost from using servers which do not include it.

Another mechanism is the 'login' command. Have a look at the output of 'pstree' again. You will see that every process and program you started after boot is a child of the 'login' process. 'login' switches the permissions of these child processes depending on how you log into the system. If you log in as 'root', all children will have 'root' privileges, if you log in as a user, the children will run with the permissions (the '~UserID', UID) of this user. The latter is preferable for the system's security and stability. If you need 'root' privileges, you can always log into the 'root' account from your user account by using 'su' or 'sudo'.

setUID

As you've already seen, processes can run with a ~UserID different from the user who started them. Servers are started by 'root' but drop this privilege as soon as possible and run on their own system account. In Unix-speak, one says they are running 'setuid account' (e.g. Apache runs 'setuid apache').

Of course, you can also do that the other way round by providing processes started by a user root privileges.
The most prominent example is the graphical subsystem, 'X'. 'X' needs 'root' privileges to run. However, the children of X do not run as 'root'. How come?
'X' is started via a so-called wrapper, '/usr/X11/bin/Xwrapper'. If you look at the permission bits of this program, you will see it's 'setuid root':

-rw<strong>s</strong>&#150;&#150;x&#150;&#150;x

. This wrapper handles the permissions part when starting X, so that X itself doesn't need to be 'setuid root'. It runs as 'root' but its children don't inherit its UID.

Priority

Processes run either in user mode or in kernel mode. The operating system and its core services run in the privileged kernel mode, whereas 'normal' applications run in user mode, this way badly behaving user processes do not interfere with system operation. Some user processes however need access to privileged kernel functions. For this they switch to kernel mode, execute the needed function and switch back to user mode.

All user processes get the same share on the processor schedule. But you can change that with the nice -n value process command. Negative values increase the priority. They can only be applied by 'root', whereas positive values can be applied by any user.
nice -n value process starts a process with a given priority, the command renice priority PID changes the priority of a running process.

Processes And Threads

A program may open several processes if needed. This however isn't very efficient: each process would need its own address (memory) space and switching between these would cost a considerable amount of system resources. This is where 'threads' come in. Threads are started by a process, but they remain within the original address space used by the process. Switching between threads consumes much less resources than between processes. Applications which use this technique are called 'multi-threaded'.
Programming thread-enabled applications cleanly is very hard which justifies the use of threads only in very complex pieces of software, like the Mozilla browser.

As a system administrator, you only have to know about them that process monitors on Linux can not discriminate a thread from a process. Point in case is the Mozilla browser. If you start it, the process monitors will show multiple entries for it:

tom 11290 13.4 2.3 33080 21124 ? S 11:47 0:02 /usr/lib/mozilla/
tom 11296 0.0 2.3 33080 21124 ? S 11:47 0:00 /usr/lib/mozilla/
tom 11297 0.0 2.3 33080 21124 ? S 11:47 0:00 /usr/lib/mozilla/
tom 11298 0.0 2.3 33080 21124 ? S 11:47 0:00 /usr/lib/mozilla/
tom 11299 0.7 2.3 33080 21124 ? S 11:47 0:00 /usr/lib/mozilla/

This does not mean that the Mozilla browser has started five processes, but that's one process with four threads, all in the same address space. How can one tell? Well, you don't get any real proof, since the monitor doesn't know either, but there are hints like the same memory consumption numbers, the same command name and the same start time. Only the first entry is valid when looking at system resource usage.

For more on Linux process management, read the Linux Gazette article Processes on Linux and Windows NT by Glen Flower.

section index

Next Item: Accounting, restricting, measuring and killing processes