June 24, 2016

Make Peace With Your Processes: Part 3

Learn how to use the ps command to identify parent and child processes.

In parts 1 and 2 of this series, I introduced the ps command and provided tips on how to harness some of its many options to find out which processes are running on your system.

Now, picture a scene in which you want to check for the parents of a process, which I’ll look at more closely in a minute. You can achieve this by using this command:

# ps --ppid 21201

This shows us the processes with a parent process of that ID. In other words, we can pinpoint processes that are children of process "21201" in this case.

Having said earlier that case-sensitivity usually shouldn't cause too many headaches, I'm going to completely contradict myself with a few examples of why that statement isn’t always true.

Try running my favorite ps command again; its abbreviated output is shown below:

# ps -ef

UID        PID  PPID  C STIME TTY          TIME CMD
apache   23026 22856  0 Feb26 ?        00:00:00 /usr/sbin/apache2

Now try running the full fat version by using an uppercase "F":


# ps -eF

UID        PID  PPID  C    SZ   RSS PSR STIME TTY          TIME CMD
apache   23026 22856  0 44482  3116   0 Feb26 ?        00:00:00 /usr/sbin/apache2

The differences are that the latter includes SZ, RSS and PSR fields. The first two are memory related, whereas PSR shows which CPU the process is using. There’s lots more detail in the manual:

# man ps

Moving on, we can look at another alternative to the “-Z” option, which we briefly touched on before:


# ps -efM

unconfined_u:system_r:apache2_t:s0 apache  23031 22856  0 Feb26 ?        00:00:00 /usr/sbin/apache2

A useful BSD throwback. I quite like the look of it -- possibly one of the shortest commands known to mankind. Have a look at Listing 1.


# ps l

F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0  1414     1  20   0   4064   584 n_tty_ Ss+  tty1       0:00 /sbin/mingetty /dev/tty1
4     0  1416     1  20   0   4064   588 n_tty_ Ss+  tty2       0:00 /sbin/mingetty /dev/tty2
4     0  1418     1  20   0   4064   584 n_tty_ Ss+  tty3       0:00 /sbin/mingetty /dev/tty3
4     0  1420     1  20   0   4064   580 n_tty_ Ss+  tty4       0:00 /sbin/mingetty /dev/tty4
4     0  1426     1  20   0   4064   584 n_tty_ Ss+  tty5       0:00 /sbin/mingetty /dev/tty5
4     0  1430     1  20   0   4064   588 n_tty_ Ss+  tty6       0:00 /sbin/mingetty /dev/tty6
4     0  9896  9558  20   0 191392  2740 poll_s S    pts/1      0:00 sudo -i
4     0  9899  9896  20   0 110496  1960 wait   S    pts/1      0:00 -bash
4     0 10776  9899  20   0 108104   980 -      R+   pts/1      0:00 ps l

Listing 1: Shows us the “long formatted” output, which can be embellished with other options, harking from BSD origins.
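The PPID column in Listing 1 is what lets you trace where a process came from, a routine triage step when you need to know what spawned a shell. The following is an added example, not code from the original article: it walks a PID's ancestry and lists its direct children from a constructed snapshot based on the PID/PPID values in Listing 1. The function names, the LIVE switch and the command name given to PID 9558 are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in "pid ppid comm" form. PIDs/PPIDs follow Listing 1;
# the name "sshd" for PID 9558 is an assumption (the listing does not show it).
SAMPLE='1 0 init
9558 1 sshd
9896 9558 sudo
9899 9896 bash
10776 9899 ps'

# snapshot: emit "pid ppid comm" rows. Uses SAMPLE unless LIVE=1 is set,
# in which case it reads the real process table.
snapshot() {
    if [ "${LIVE:-0}" = 1 ]; then
        ps -e -o pid= -o ppid= -o comm=
    else
        printf '%s\n' "$SAMPLE"
    fi
}

# ancestry PID: print "pid(comm)" for PID and each ancestor, joined by " <- ".
# Returns non-zero if PID is not in the snapshot.
ancestry() {
    snapshot | awk -v start="$1" '
        { ppid[$1] = $2; comm[$1] = $3 }   # only the first word of comm is kept
        END {
            pid = start; out = ""; hops = 0
            # Hop limit guards against a malformed table that loops.
            while ((pid in ppid) && hops++ < 64) {
                out = out (out == "" ? "" : " <- ") pid "(" comm[pid] ")"
                pid = ppid[pid]
            }
            if (out == "") exit 1
            print out
        }'
}

# children PID: direct children only, the same selection as "ps --ppid PID".
children() {
    snapshot | awk -v parent="$1" '
        $2 == parent { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}
```

Run `LIVE=1 ancestry $$` in a shell that has loaded these functions to trace that shell back to PID 1 on a real system.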

Clarity

Sometimes even the mighty ps command struggles to precisely refine its output. Imagine a scenario where Java processes are filling up the process table, and all you want to do is find their parent so that you can stop (or "kill") the process abruptly. To summarize your information, you can use the non-hyphenated “S” switch:

# ps S

This helps you to find a parent when its child processes only live for a short period of time.

What about when your Process Table is brimming with processes, and you need to list a number of process PIDs at once? As you’d expect, there are different ways to achieve this -- as shown in Listing 2 -- when we run the following command:

# ps -p "1 2" -p 3,4

 PID TTY          TIME CMD
   1 ?        00:00:03 init
   2 ?        00:00:01 kthreadd
   3 ?        00:00:01 migration/0
   4 ?        00:00:20 ksoftirqd/0

Listing 2: We can pick and choose the PIDs that we view in a number of ways.

More to Come

Next time, I’ll look at how the well-considered Unix principle of “everything is a file” extends to the Process Table, and I’ll show how to uncover the wealth of information that can be found in the “procfs” pseudo-filesystem.

Chris Binnie is a Technical Consultant with 20 years of Linux experience and a writer for Linux Magazine and Admin Magazine. His new book Linux Server Security: Hack and Defend teaches you how to launch sophisticated attacks, make your servers invisible and crack complex passwords.
