Pluralsight Logo
Author avatar

Gabriel Cánepa

Author badge Author

Linux Processes - Part 1

Gabriel Cánepa

Author BadgeAuthor
  • Aug 13, 2018
  • 5 Min read
  • Aug 13, 2018
  • 5 Min read
Linux Adminstration

Set Up

For additonal context to set up your workspace, please view the first guide in this series: User and Group Management in Linux .


Every program that runs on a Linux system is managed as a process. As such, it is started, executed, and eventually terminates or continues running in the background. In this last case, it is often referred to as a daemon or system service.

This cycle is automatically managed by the kernel, without need for user intervention under normal circumstances. However, a process may require action on our part if it is not behaving as expected, if it needs to be restarted after changes have been made to its configuration, or when we need to modify the system resources assigned to it before or during its execution.

In this section we are going to introduce the following process management commands:

  • ps: report a snapshot of the current processes

  • pstree: display a tree of processes

  • top: display processes and uptime information

  • nice: run a program with modified scheduling priority

  • renice: alter priority of running processes

  • kill: terminate processes

  • uptime: how long the system has been running

Introducing Processes in Linux

When a process is started either manually or during the boot process, it is assigned a unique integer number as identifier called Process ID or PID for short. If a process A launches or starts a process B, it is said that A is the parent of B, or that B is the child of A. Under this scenario, the PID of A is the Parent PID (or PPID) of B.

The first process started by the kernel at boot time (PID=1) is called systemd in modern Linux distributions. This process is responsible for starting several other processes, which in turn start more, until the operating system is fully functional.

Additionally, each process is associated with the user who started it. This user can be an actual person, or an account used by the system for its operation. What we discussed in the Linux Permissions guide applies here as well: a process only has access to the system resources that its associated user account can utilize. In other words, if a process A was started by user1, and such account does not have write permissions to a given file, the process will not be permitted to write to that file either.

To display a snapshot of all the processes currently running in our system, we will use ps. When executed without arguments, this command will return only the processes owned by the current user. More useful information is available by using the aux or -ef options. Since the output in both cases can be very long, we can pipe the output to a pager such as less to inspect it more easily:

ps aux | less


ps -ef | less

As expected, you will need to press the letter q to exit less and quit any of the above commands.

The above commands return more information than what we're usually interested in. Most often we will want to view the PPID, PID, the command associated with the process (or the absolute path to the executable file), and the percentage of system memory and CPU usage. Each of these fields (and others as well) are explained in detail under the STANDARD FORMAT SPECIFIERS section in man ps.

To view only these fields in the output of ps, we will use the -eo combined option followed by the corresponding format specifiers. For example,

ps -eo ppid,pid,cmd,%mem,%cpu | less

During a regular inspection or system troubleshooting, it is useful to identify which processes are consuming the most memory. Fortunately, ps supports the --sort option. When used with the above command, and piped to head instead of less, we can easily get a list of the most memory-hungry processes as follows:

ps -eo ppid,pid,cmd,%mem,%cpu --sort -%mem | head -n 5

Among other things, the above image shows that the PID of snapd is 940. This process was started by systemd, as we can tell from PPID=1, and is currently the process that is consuming the most memory.

The minus sign in -%mem after --sort indicates that the output should be sorted in descending form. Using a plus sign (+) instead, will result in the output being sorted in ascending form, which is the default behavior.

Next Steps

Please continue on to the next guide in this series: Linux Processes - Part 2 to continue learning about Linux Administration.