Guide to Understanding Linux Process Management with 'ps' and 'kill'
Learn how to inspect Linux processes with `ps`, read key columns, and stop processes safely with `kill`, `pkill`, and `killall`.
Guide to Understanding Linux Process Management with 'ps' and 'kill'
Managing Linux processes is a daily troubleshooting skill. When an app hangs, a backup job eats CPU, or a daemon needs a clean restart, ps helps you find the process and kill lets you send it the right signal.
Every running program has a process ID, or PID. Once you know that PID, you can inspect ownership, parent processes, CPU and memory use, and decide whether to ask the process to stop cleanly or force it down as a last resort.
The Linux Process Model: PIDs and States
In Linux, every running program, service, or task is treated as a process. Each process is uniquely identified by a Process ID (PID), a positive integer assigned by the kernel upon creation. This PID is the primary way system tools reference and manipulate a specific process.
Processes move through states such as running, sleeping, stopped, and zombie. A sleeping process is usually waiting for I/O or another event. A zombie has already exited, but its parent process has not collected its exit status.
Viewing Processes with the ps Command
The ps (process status) command is used to display information about currently running processes. Because the output can be overwhelming, different options are used to select which processes to display and which information columns to include.
Essential ps Syntax and Flags
There are two primary styles for ps flags: Unix style (prefixed with -) and BSD style (no prefix). Modern practice often favors combining Unix-style flags for comprehensive views.
1. Viewing All Processes (BSD Style)
The most common command for a system overview is ps aux.
a: Show processes for all users.u: Display processes in a user-oriented format (showing user, CPU usage, memory usage, etc.).x: Include processes that do not have a controlling terminal (like background daemons).
ps aux
2. Viewing Processes in a Standard Format (UNIX Style)
The ps -ef command provides a full listing in a POSIX-style format.
-e: Select all processes.-f: Display the full-format listing, including PPID and command arguments.
ps -ef
Interpreting Key Output Columns
Regardless of the flags used, certain columns are critical for process management:
| Column | Description |
|---|---|
| PID | Process ID (the unique identifier) |
| PPID | Parent Process ID (the PID of the process that started this one) |
| USER | The user who owns the process |
| %CPU | Percentage of CPU time used |
| %MEM | Percentage of physical memory used |
| VSZ | Virtual memory size (in KiB) |
| RSS | Resident Set Size (physical memory used, in KiB) |
| STAT | Current state of the process (e.g., R=Running, S=Sleeping, Z=Zombie) |
| COMMAND | The command that started the process |
Filtering Processes with grep
To find a specific process, you can pipe ps to grep.
For example, this looks for Apache httpd processes:
ps aux | grep httpd
Tip:
ps | grepoften shows thegrepprocess itself. Bracket notation avoids that extra match:ps aux | grep '[h]ttpd'
Managing Processes with the kill Command
The kill command doesn't just stop processes; it sends signals to them. The default behavior is to request a graceful termination, but other signals can instruct a process to reread configuration files, halt execution temporarily, or force an immediate exit.
Understanding Signals
Signals are standardized numeric or mnemonic codes. You can list available signals using kill -l.
| Signal Name | Signal Number | Description |
|---|---|---|
| SIGTERM | 15 | The default termination signal. Asks the process to shut down gracefully. |
| SIGKILL | 9 | The immediate, forceful termination signal. The process cannot ignore this. |
| SIGHUP | 1 | Hangup signal, often used by daemons to reread configuration files. |
| SIGSTOP | Usually 19 on x86 Linux | Stops (pauses) a process without terminating it. |
| SIGCONT | Usually 18 on x86 Linux | Resumes a stopped process. |
Sending Signals with kill
The basic syntax for the kill command is:
kill -SIGNAL PID
1. Graceful Termination (The Best Practice)
Try SIGTERM first. It gives the application a chance to save state, close files, finish requests, and release locks.
kill 12345 # Defaults to SIGTERM (15)
# OR
kill -15 12345
2. Forceful Termination (Last Resort)
If a process is unresponsive and ignores SIGTERM, use SIGKILL (signal 9). This stops the process without application-level cleanup. That can leave partial writes, abandoned lock files, or interrupted transactions depending on what the process was doing.
kill -9 12345
Managing Processes by Name: pkill and killall
While ps and kill rely on PIDs, sometimes it's faster to target processes by name. Use these commands with extreme caution, as they can affect multiple processes simultaneously.
killall
Terminates all processes matching the exact process name provided.
killall httpd # Sends SIGTERM to all processes named 'httpd'
killall -9 cron # Forcefully kills all 'cron' processes
pkill
Allows for pattern matching (regex) when selecting which processes to signal, offering more flexibility than killall.
# Kills any process whose full command line contains 'firefox'
pkill -f firefox
Warning on
killallandpkill: If you accidentally target a critical system process (likeinitorsystemd), you can destabilize or crash your entire operating system. Always verify the target PID usingpsbefore usingkillallorpkillwith broad patterns.
A Safe Process Management Workflow
When troubleshooting a runaway application, follow this systematic approach:
- Identify: Use
ps aux | grep <process_name>to find the process PID and verify its status. - Check State: Examine the
STATcolumn. If it isZ, the process is already dead; you need the parent process to reap it. Check thePPIDbefore killing anything. - Attempt Graceful Stop: Send
SIGTERM(defaultkill PID). Wait a few seconds. - Verify Stop: Run
psagain. - Force Stop If Needed: If the process persists and you understand the risk, send
SIGKILLwithkill -9 PID.
The practical habit is simple: identify the PID, check the owner and state, send the gentlest useful signal, then verify the result. That keeps process cleanup predictable and reduces the chance of stopping the wrong workload.