Introduction
Linux, like every modern operating system, revolves around the concept of processes. A process is an executing instance of a program, complete with its own memory space, file descriptors, and execution context. Whether you’re a system administrator tuning a production server, a developer debugging a multithreaded application, or a security analyst hunting for malicious activity, a solid grasp of how Linux processes work is essential.
This article dives deep into the lifecycle of a Linux process, the kernel structures that represent it, the tools you can use to inspect and control processes, and the practical techniques for managing them in real‑world environments. By the end, you’ll be equipped to:
- Explain the kernel’s internal representation of a process (
task_struct). - Create, replace, and terminate processes using
fork(),exec(), and signals. - Monitor and troubleshoot processes with
ps,top,strace, and the/procfilesystem. - Influence scheduling, priorities, and resource limits via
nice,cgroups, andsystemd. - Apply security best practices such as namespaces and capabilities.
Let’s start with the fundamentals.
Table of Contents
- What Is a Process?
- Process Identification: PID, PPID, and TGID
- Process States and the Scheduler
- Creating a Process:
fork()andclone() - Replacing a Process Image:
exec()Family - Process Termination and Reaping
- Signals: Asynchronous Inter‑Process Communication
- Threads vs. Processes
- Inter‑Process Communication (IPC) Mechanisms
- Inspecting Processes:
/procand Common Tools - Controlling Execution: Priorities,
nice, andcgroups - Systemd and Service Management
- Security Contexts: Namespaces, Capabilities, and SELinux/AppArmor
- Real‑World Example: Building a Simple Daemon
- Conclusion
- Resources
1. What Is a Process?
At its core, a process is an abstraction that the kernel uses to isolate execution. When you run a program, the kernel creates a new process, allocates a virtual address space, and sets up the necessary kernel data structures to keep track of it.
Key attributes of a process include:
| Attribute | Description |
|---|---|
| Virtual memory | Separate address space (code, data, heap, stack). |
| File descriptor table | Open files, sockets, pipes, etc. |
| Execution context | CPU registers, program counter, stack pointer. |
| Credentials | UID, GID, capabilities, security labels. |
| Scheduling information | Priority, timeslice, CPU affinity. |
| Parent/child relationships | Form a process tree. |
Because each process has its own virtual memory, a bug in one process (e.g., a buffer overflow) cannot directly corrupt another’s memory—this isolation is a cornerstone of system stability and security.
2. Process Identification: PID, PPID, and TGID
Every process receives a Process ID (PID), a 32‑bit integer that uniquely identifies it on the system. The kernel also records:
- Parent PID (PPID) – the PID of the process that created it (usually via
fork()). - Thread Group ID (TGID) – the PID of the thread group leader; for a single‑threaded process, TGID = PID.
You can view these IDs with the ps command:
$ ps -eo pid,ppid,tgid,comm | head
PID PPID TGID COMMAND
1 0 1 systemd
2 0 2 kthreadd
3 2 3 rcu_gp
4 2 4 rcu_par_gp
10 2 10 ksoftirqd/0
Why TGID matters: In Linux, threads are implemented as lightweight processes that share the same address space. All threads in a process share the same TGID, which makes it easy for tools like top to group them under a single entry.
3. Process States and the Scheduler
A process can be in one of several states, represented internally by flags in task_struct. The most common states, visible via ps (STAT column), are:
| State | Symbol | Meaning |
|---|---|---|
| Running | R | Actively executing on a CPU. |
| Sleeping (interruptible) | S | Waiting for an event; can be awakened by signals. |
| Sleeping (uninterruptible) | D | Waiting for I/O; cannot be interrupted. |
| Stopped | T | Suspended (e.g., by SIGSTOP or a debugger). |
| Zombie | Z | Terminated but not yet reaped by its parent. |
| Traced | t | Being traced by ptrace. |
The Completely Fair Scheduler (CFS), the default Linux scheduler, assigns each runnable process a virtual runtime and tries to allocate CPU time proportionally to its weight (derived from the nice value). Understanding the scheduler is crucial when you need to tune latency‑sensitive workloads.
4. Creating a Process: fork() and clone()
4.1 fork()
The classic Unix way to create a new process is fork(). It clones the calling process, duplicating the entire address space (using copy‑on‑write), file descriptor table, and execution context.
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int main(void) {
pid_t pid = fork();
if (pid < 0) {
perror("fork");
return 1;
} else if (pid == 0) {
/* Child */
printf("Hello from child, PID=%d\\n", getpid());
} else {
/* Parent */
printf("Hello from parent, PID=%d, child PID=%d\\n", getpid(), pid);
}
return 0;
}
Key points:
- The child receives 0 as the return value, the parent receives the child’s PID.
- Both processes continue execution from the point immediately after
fork(). - Memory pages are shared until one side writes (copy‑on‑write), making
fork()efficient.
4.2 clone()
Linux introduces clone() to give fine‑grained control over what is shared between parent and child. It is the backbone of thread creation (pthread_create() uses clone() under the hood).
#define _GNU_SOURCE
#include <sched.h>
#include <unistd.h>
#include <stdio.h>
int child_func(void *arg) {
printf("Child PID=%d, TGID=%d\\n", getpid(), gettid());
return 0;
}
int main(void) {
const int STACK_SIZE = 1024 * 1024;
char *stack = malloc(STACK_SIZE);
if (!stack) { perror("malloc"); return 1; }
pid_t pid = clone(child_func, stack + STACK_SIZE,
SIGCHLD | CLONE_VM | CLONE_FS,
NULL);
if (pid == -1) { perror("clone"); return 1; }
printf("Parent after clone, child PID=%d\\n", pid);
waitpid(pid, NULL, 0);
return 0;
}
Flags like CLONE_VM (share memory), CLONE_FS (share filesystem info), and CLONE_FILES (share file descriptors) let you compose a “process” that behaves more like a thread.
5. Replacing a Process Image: exec() Family
After fork(), the child usually calls one of the exec() functions to replace its memory image with a new program. The execve() system call is the raw interface; the higher‑level wrappers (execl, execvp, execvpe, etc.) add convenient argument handling.
#include <unistd.h>
#include <stdio.h>
int main(void) {
char *argv[] = { "ls", "-l", "/tmp", NULL };
printf("Running ls via execvp...\\n");
execvp("ls", argv);
perror("execvp"); // Only reached on failure
return 1;
}
Important characteristics:
- No return on success. The process image is completely overwritten.
- File descriptors remain open unless they have the
FD_CLOEXECflag set. - Environment can be passed via
execve(); wrappers inherit the current environment.
A common pattern in shells and init systems is fork() → exec() → parent monitors child.
6. Process Termination and Reaping
A process ends by calling exit() (or returning from main). The kernel then:
- Marks the process as a zombie (
Zstate) and stores its exit status in thetask_struct. - Notifies the parent via a
SIGCHLDsignal. - Waits for the parent to reap the child using
wait(),waitpid(), orwaitid().
If the parent never reaps the child, the zombie persists, consuming a slot in the PID table. An orphaned zombie will be adopted by init (PID 1) which automatically reaps it.
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
int main(void) {
pid_t pid = fork();
if (pid == 0) {
_exit(42); // Child exits with status 42
}
int status;
waitpid(pid, &status, 0);
if (WIFEXITED(status))
printf("Child exited with code %d\\n", WEXITSTATUS(status));
return 0;
}
Best practice: Always check the return value of wait* calls in long‑running daemons to avoid zombie accumulation.
7. Signals: Asynchronous Inter‑Process Communication
Signals are the original Unix IPC mechanism. They are asynchronous notifications sent to a process (or specific thread) to indicate events such as:
SIGINT– interrupt (Ctrl‑C)SIGTERM– polite termination requestSIGKILL– forced termination (cannot be caught)SIGSTOP/SIGCONT– stop/resume executionSIGUSR1/SIGUSR2– user‑defined purposes
7.1 Sending Signals
# Send SIGTERM to PID 1234
kill -TERM 1234
# Send SIGUSR1 to all processes in the current session
kill -USR1 -1
7.2 Handling Signals in C
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
void handler(int sig) {
printf("Caught signal %d (%s)\\n", sig, strsignal(sig));
}
int main(void) {
struct sigaction sa = {0};
sa.sa_handler = handler;
sigaction(SIGUSR1, &sa, NULL);
printf("PID=%d – waiting for SIGUSR1...\\n", getpid());
pause(); // Wait for a signal
return 0;
}
Note: Signals are not reliable for transferring data. Use them to notify, then retrieve details via other mechanisms (pipes, shared memory).
8. Threads vs. Processes
Linux implements threads as lightweight processes that share the same memory space, file descriptors, and signal handlers. The POSIX thread library (pthread) abstracts this detail.
8.1 Creating a Thread
#include <pthread.h>
#include <stdio.h>
void *worker(void *arg) {
printf("Thread %ld is running\\n", (long)pthread_self());
return NULL;
}
int main(void) {
pthread_t th;
pthread_create(&th, NULL, worker, NULL);
pthread_join(th, NULL);
return 0;
}
8.2 When to Choose Threads
- Shared data – threads can directly read/write common memory.
- Fine‑grained parallelism – low overhead compared to separate processes.
- Same security context – no need for extra credential management.
8.3 When to Choose Separate Processes
- Isolation – crashes or memory leaks in one process do not affect others.
- Different privileges – each process can have distinct UID/GID or capabilities.
- Simpler debugging – each process has its own address space, reducing accidental data races.
9. Inter‑Process Communication (IPC) Mechanisms
Linux offers many IPC primitives. Choose based on data volume, latency, and required semantics.
| Mechanism | Typical Use‑Case | Characteristics |
|---|---|---|
Pipes (pipe()) | Simple one‑way streams | Byte‑oriented, bounded buffer (default 64 KB) |
| FIFO (named pipe) | Decoupled producer/consumer | Persistent in the filesystem |
| Unix Domain Sockets | Local client‑server communication | Supports SOCK_STREAM (reliable) and SOCK_DGRAM (datagram) |
Message Queues (msgget, msgsnd) | Structured messages with priorities | Kernel‑managed, can survive process restarts |
Shared Memory (shmget, mmap) | High‑throughput data sharing | Must handle synchronization manually |
Semaphores (semget, semop) | Synchronization across processes | Can be used with shared memory |
| Signals | Event notification | Limited payload (just the signal number) |
Example: Using a Unix Domain Socket
/* server.c */
#include <sys/socket.h>
#include <sys/un.h>
#include <stdio.h>
#include <unistd.h>
#define SOCKET_PATH "/tmp/uds_example.sock"
int main(void) {
int fd = socket(AF_UNIX, SOCK_STREAM, 0);
struct sockaddr_un addr = { .sun_family = AF_UNIX };
strncpy(addr.sun_path, SOCKET_PATH, sizeof(addr.sun_path)-1);
unlink(SOCKET_PATH);
bind(fd, (struct sockaddr *)&addr, sizeof(addr));
listen(fd, 5);
printf("Server listening on %s\\n", SOCKET_PATH);
int client = accept(fd, NULL, NULL);
char buf[128];
ssize_t n = read(client, buf, sizeof(buf)-1);
buf[n] = '\\0';
printf("Received: %s\\n", buf);
write(client, "ACK", 3);
close(client);
close(fd);
unlink(SOCKET_PATH);
return 0;
}
# In another terminal:
$ echo "Hello server" | socat - UNIX-CONNECT:/tmp/uds_example.sock
10. Inspecting Processes: /proc and Common Tools
10.1 The /proc Filesystem
/proc is a pseudo‑filesystem exposing kernel data structures as files. Each PID has a directory: /proc/<pid>/. Important entries:
| File | Content |
|---|---|
cmdline | Full command line (null‑separated). |
status | Human‑readable status (state, UID, memory usage). |
fd/ | Symlinks to open file descriptors. |
maps | Memory mappings (including shared libraries). |
stat | Numeric status fields (used by ps). |
comm | Short command name. |
cgroup | Cgroup hierarchy for the process. |
Example:
$ cat /proc/1/status | grep -E 'Name|State|Uid|VmSize'
Name: systemd
State: S (sleeping)
Uid: 0 0 0 0
VmSize: 10568 kB
10.2 ps – Snapshot of Processes
# Full listing with hierarchy
ps -e -o pid,ppid,cmd --forest
10.3 top / htop – Interactive Monitoring
topprovides a real‑time view of CPU, memory, and load.htopadds color, tree view, and mouse support.
10.4 strace – System Call Tracing
# Trace all syscalls of a running process
strace -p 1234 -o /tmp/trace.log
10.5 lsof – List Open Files
# Show all files opened by a specific process
lsof -p 1234
10.6 pidstat – Per‑PID Statistics
pidstat -p ALL 1
These tools together give you a comprehensive picture of what a process is doing, where it spends time, and which resources it consumes.
11. Controlling Execution: Priorities, nice, and cgroups
11.1 Nice Values
The nice value ranges from -20 (high priority) to +19 (low priority). The kernel uses it to compute the process’s weight for the CFS scheduler.
# Run a CPU‑intensive command with low priority
nice -n 15 dd if=/dev/zero of=/dev/null bs=1M count=1000
You can adjust an existing process with renice:
renice -n -5 -p 2345
11.2 Cgroups (Control Groups)
Cgroups allow you to limit, account, and isolate resource usage (CPU, memory, I/O, etc.) for a set of processes.
Creating a simple memory‑limited cgroup (v2 unified hierarchy):
# Mount the unified hierarchy if not already mounted
mount -t cgroup2 none /sys/fs/cgroup
# Create a new cgroup
mkdir /sys/fs/cgroup/limited
# Limit memory to 200 MiB
echo $((200*1024*1024)) > /sys/fs/cgroup/limited/memory.max
# Add a process (PID 5678)
echo 5678 > /sys/fs/cgroup/limited/cgroup.procs
You can also use higher‑level tools like systemd-run:
systemd-run --scope -p MemoryMax=200M --nice=10 stress --cpu 2 --timeout 60
Cgroups are the foundation of containers (Docker, Podman, LXC) and are essential for multi‑tenant environments.
12. Systemd and Service Management
Modern Linux distributions use systemd as the init system and service manager. Systemd treats each service as a unit, which is essentially a process with a well‑defined lifecycle.
12.1 Unit Files
A simple service unit (/etc/systemd/system/myapp.service):
[Unit]
Description=My Example Application
After=network.target
[Service]
ExecStart=/usr/local/bin/myapp --config /etc/myapp.conf
Restart=on-failure
User=appuser
Group=appgroup
LimitNOFILE=65535
CPUQuota=25%
[Install]
WantedBy=multi-user.target
Key directives:
ExecStart– command to launch.Restart– policy for automatic restart.User/Group– drop privileges.CPUQuota– enforce cgroup CPU limit.LimitNOFILE– set RLIMIT_NOFILE (max open files).
12.2 Managing Services
# Reload unit files after editing
systemctl daemon-reload
# Start the service
systemctl start myapp.service
# Enable at boot
systemctl enable myapp.service
# View logs (journal)
journalctl -u myapp.service -f
Systemd also provides socket activation, timer units, and dependency graphs, making it a powerful framework for orchestrating complex process hierarchies.
13. Security Contexts: Namespaces, Capabilities, and SELinux/AppArmor
13.1 Namespaces
Namespaces isolate global resources:
| Namespace | What It Isolates |
|---|---|
pid | Process ID number space |
net | Network interfaces, IP stack |
mnt | Mount points |
ipc | System V IPC and POSIX message queues |
uts | Hostname and domain name |
user | UID/GID mapping |
cgroup | Cgroup hierarchy |
Containers rely on a combination of these namespaces to create an illusion of a separate OS instance.
13.2 Capabilities
Instead of an all‑or‑nothing root user, Linux splits privileged operations into capabilities (e.g., CAP_NET_ADMIN, CAP_SYS_PTRACE). A process can retain only the capabilities it needs, reducing attack surface.
# Drop all capabilities except CAP_NET_BIND_SERVICE
setcap cap_net_bind_service=+ep /usr/local/bin/myweb
13.3 Mandatory Access Control (MAC)
- SELinux – policy‑based labeling of files, sockets, and processes.
- AppArmor – profile‑based confinement.
Both enforce rules beyond traditional UNIX permissions, controlling which resources a process may access.
Example: Enforcing an AppArmor profile for a custom daemon
# /etc/apparmor.d/usr.bin.mydaemon
#include <tunables/global>
profile mydaemon /usr/local/bin/mydaemon {
# Allow read access to config
/etc/mydaemon/*.conf r,
# Allow network bind on port 8080
network inet stream,
# Deny all other file writes
deny /** w,
}
Load the profile with apparmor_parser -r /etc/apparmor.d/usr.bin.mydaemon.
14. Real‑World Example: Building a Simple Daemon
Let’s put many concepts together by creating a minimal systemd‑managed daemon that:
- Runs as a non‑root user.
- Writes periodic status messages to the journal.
- Limits its memory usage via cgroups.
- Handles
SIGTERMgracefully.
14.1 Daemon Source (mydaemon.c)
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <syslog.h>
volatile sig_atomic_t keep_running = 1;
void term_handler(int signum) {
(void)signum;
keep_running = 0;
}
int main(void) {
/* Daemonize */
if (daemon(0, 0) == -1) {
perror("daemon");
exit(EXIT_FAILURE);
}
openlog("mydaemon", LOG_PID, LOG_DAEMON);
syslog(LOG_INFO, "Daemon started, PID=%d", getpid());
signal(SIGTERM, term_handler);
signal(SIGINT, term_handler);
int counter = 0;
while (keep_running) {
syslog(LOG_INFO, "Heartbeat %d", ++counter);
sleep(10);
}
syslog(LOG_INFO, "Daemon exiting cleanly");
closelog();
return 0;
}
Compile:
gcc -Wall -O2 -o mydaemon mydaemon.c
sudo cp mydaemon /usr/local/bin/
14.2 Systemd Unit (/etc/systemd/system/mydaemon.service)
[Unit]
Description=Simple Heartbeat Daemon
After=network.target
[Service]
ExecStart=/usr/local/bin/mydaemon
User=nobody
Group=nobody
Restart=on-failure
MemoryMax=50M
CPUQuota=10%
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
14.3 Deploy and Test
sudo systemctl daemon-reload
sudo systemctl enable --now mydaemon.service
# Verify status
systemctl status mydaemon.service
# View live logs
journalctl -u mydaemon.service -f
You should see a heartbeat message every 10 seconds. Sending systemctl stop mydaemon triggers SIGTERM, which the daemon catches and exits cleanly—demonstrating proper signal handling and resource constraints.
15. Conclusion
Linux processes are far more than mere entries in a table; they embody a rich set of abstractions—memory isolation, scheduling, credentials, and hierarchical relationships—that together provide stability, security, and flexibility. By mastering:
- Creation (
fork,clone) and replacement (exec) mechanisms, - Signal handling and IPC for communication,
- Monitoring tools (
ps,top,/proc,strace), - Resource control through nice, cgroups, and systemd,
- Security layers like namespaces, capabilities, and MAC frameworks,
you gain the ability to design robust services, debug complex bugs, and enforce strict security policies. Whether you’re writing a simple background task or orchestrating a fleet of containers, the principles covered here form the foundation of effective Linux system administration and development.
Stay curious, experiment with the tools, and remember that the kernel’s transparency (via /proc and cgroup interfaces) is your greatest ally in understanding what’s happening under the hood.
16. Resources
Linux Kernel Documentation – Process Management
https://www.kernel.org/doc/html/latest/process/index.htmlThe Linux Programming Interface (Michael Kerrisk) – Comprehensive guide to system calls, signals, and process control.
https://man7.org/tlpi/Systemd.unit Manual – Official systemd unit file reference and resource control options.
https://www.freedesktop.org/software/systemd/man/systemd.unit.htmlcgroups v2 Documentation – Detailed description of the unified hierarchy and resource controllers.
https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.htmlLWN.net – “Understanding the Linux Scheduler” – In‑depth article on CFS and scheduling concepts.
https://lwn.net/Articles/369157/