Linux Processes – Finding and Viewing Processes on CentOS/RHEL 7

In linux there are lots of processes running, there are a number of commands available to find and view these processes. To get a full list, we use the ps command:

The following command gives a complete list of all the processes that are currently running:

$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.4  59744  4848 ?        Ss   May01   0:05 /usr/lib/systemd/systemd --switched-root --system --deserialize 24
root         2  0.0  0.0      0     0 ?        S    May01   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    May01   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   May01   0:00 [kworker/0:0H]
.
.
...etc

This lists (a)ll processes for every (u)ser and it lifts the “must have tty” restri(x)ion so to also allowing to display processes owned by system accounts (e.g. processes owned by the sshd service).

If you see the man page for ps, you'll find that the "aux" is bsd syntax, which isn't recommended. Instead we should be using the "standard syntax" alternative for specifying flags:

$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May01 ?        00:00:05 /usr/lib/systemd/systemd --switched-root --system --deserialize 24
root         2     0  0 May01 ?        00:00:00 [kthreadd]
.
.
.

This lists the same processes, but gives different column info when compared to the aux, you can fix this by manually specifying what column you want:

$ ps -eo user,pid,pcpu,pmem,vsize,rss,tname,stat,start_time,bsdtime,command | head
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.4  59744  4848 ?        Ss   May01   0:05 /usr/lib/systemd/systemd --switched-root --system --deserialize 24
root         2  0.0  0.0      0     0 ?        S    May01   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    May01   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   May01   0:00 [kworker/0:0H]
root         6  0.0  0.0      0     0 ?        S    May01   0:00 [kworker/u2:0]
root         7  0.0  0.0      0     0 ?        S    May01   0:00 [migration/0]
root         8  0.0  0.0      0     0 ?        S    May01   0:00 [rcu_bh]
root         9  0.0  0.0      0     0 ?        S    May01   0:00 [rcuob/0]
root        10  0.0  0.0      0     0 ?        R    May01   0:04 [rcu_sched]

You can find info about all the columns in the ps command's man page. Here's some one liner descriptions for some of the more less obvious columns:

VSZ - This is the amount of ram space that this process has reserved.
RSS - This is the amount of ram that this process is actually using.
TTY - A "?" indicates that this is process is not a shell job, i.e. it is a background process that has been triggered by a service, or parent processes
STAT - this means status, where "S" means it is asleep, and "R" means it is running.

Parent and Child process

Processes can trigger other child processes. You can find the parent process id for a given process by displaying the parent process id "ppid" column:

[root@localhost /]# ps -eo user,pid,ppid,pcpu,pmem,vsize,rss,tname,stat,start_time,bsdtime,command | head
USER       PID  PPID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1     0  0.0  0.4  59744  4848 ?        Ss   May01   0:05 /usr/lib/systemd/systemd --switched-root --system --deserialize 24
root         2     0  0.0  0.0      0     0 ?        S    May01   0:00 [kthreadd]
root         3     2  0.0  0.0      0     0 ?        S    May01   0:00 [ksoftirqd/0]
root         5     2  0.0  0.0      0     0 ?        S<   May01   0:00 [kworker/0:0H]
root         6     2  0.0  0.0      0     0 ?        S    May01   0:00 [kworker/u2:0]
root         7     2  0.0  0.0      0     0 ?        S    May01   0:00 [migration/0]
root         8     2  0.0  0.0      0     0 ?        S    May01   0:00 [rcu_bh]
root         9     2  0.0  0.0      0     0 ?        S    May01   0:00 [rcuob/0]
root        10     2  0.0  0.0      0     0 ?        R    May01   0:04 [rcu_sched]

However this isn't that easy to following. A better command to use is the pstree, which shows the relationships more visually:

$ pstree -ap
systemd,1 --switched-root --system --deserialize 24
  ├─ModemManager,626
  │   ├─{ModemManager},635
  │   └─{ModemManager},691
  ├─NetworkManager,2112 --no-daemon
  │   ├─dhclient,11814 -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-enp0s3.pid -
  ├─at-spi-bus-laun,3794
  │   ├─dbus-daemon,3798 --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
  │   │   └─{dbus-daemon},3800
  │   ├─{at-spi-bus-laun},3795
  │   ├─{at-spi-bus-laun},3797
  │   └─{at-spi-bus-laun},3799
  ├─at-spi2-registr,3803 --use-gnome-session
  │   └─{at-spi2-registr},3806
  ├─atd,1332 -f
  ├─gdm,1334
  │   ├─gdm-simple-slav,1355 --display-id /org/gnome/DisplayManager/Displays/_0
  │   │   ├─Xorg,1367 :0 -background none -verbose -auth /run/gdm/auth-for-gdm-AS4ueL/database -seat seat0 -nolisten tcp vt1
  │   │   ├─gdm-session-wor,3593
  │   │   │   ├─gnome-session,3626 --session gnome-classic
  │   │   │   │   ├─abrt-applet,4015
  │   │   │   │   │   └─{abrt-applet},4035
  │   │   │   │   ├─gnome-settings-,3816
  │   │   │   │   │   ├─{gnome-settings-},3824
  │   │   │   │   │   ├─{gnome-settings-},3829
.
.
...etc

You can also view the process visually using ps, like this:

$ ps -ef f
UID        PID  PPID  C STIME TTY      STAT   TIME CMD
root         2     0  0 12:09 ?        S      0:00 [kthreadd]
root         3     2  0 12:09 ?        S      0:00  \_ [ksoftirqd/0]
root         5     2  0 12:09 ?        S<     0:00  \_ [kworker/0:0H]
root         7     2  0 12:09 ?        S      0:00  \_ [migration/0]
root         8     2  0 12:09 ?        S      0:00  \_ [rcu_bh]
root         9     2  0 12:09 ?        S      0:00  \_ [rcu_sched]
root        10     2  0 12:09 ?        S      0:00  \_ [watchdog/0]
.
.
.
.
...etc

Note if a child process is note responding for any reason, then a quick way to fix this is by killing the parent process.

One of the things you will often find yourself doing is locating a particular process. This can be done by piping the output of "ps -ef" to a grep command. However you can also use the pgrep command. For example to list all processes called something like "http" and are running under the user "apache", we do:

$ pgrep -lu apache http
20428 httpd
20429 httpd
20430 httpd
20431 httpd
20432 httpd

Take the RHCSA Quiz

This article is part of our RHCSA Study guide (click on the yellow tab on the far left). By the end of this article you should be able to answer the following questions:


What is the command to list all processes running on the machine?

$ ps -ef
# this list's (e)very process in (f)ull format

What command can visually show process dependencies, along with pid values and command line arguements?

$ pstree -ap
# this will show all (p)id values and command line (a)rguements

What is the command to display all the pids for processes matching the search term 'httpd' that are running under the user 'apache'?

$ pgrep -lu apache httpd
# this will (l)ist pids along with process names that are running by the given (u)ser

What is the command to display all processes along with pid values for the root user?

$ pgrep -lu root
# this will (l)ist pids along with process names that are running by the given (u)ser