Table of Contents
Introduction
In Linux, almost everything that happens on the system is done by processes. To understand how to control, monitor, and troubleshoot your system from the command line, you first need a clear idea of what a process is and how it behaves.
This chapter introduces processes in Linux at a conceptual level. Later chapters in this section will show you how to view, manage, and control them with specific commands.
Program vs process
A program is a file stored on disk that contains instructions. For example, /bin/ls is a program. It sits in the filesystem and does nothing until you run it.
A process is a running instance of a program. When you type ls in a terminal and press Enter, the shell starts the ls program, and at that moment a process is created. If you open three terminals and run ls in each, you still have one program file /bin/ls, but you now have three separate processes, each with its own state and data in memory.
So the program is passive code on disk, and the process is that code being executed on the CPU with its own resources.
How a process is created
When you start a command in a shell, the shell does not directly turn into that program. Instead, the usual sequence is:
- The shell creates a new process by duplicating itself. This operation is typically called
fork. - In the new process, the shell image in memory is replaced with the program you want to run. This replacement is typically called
exec.
You do not need to know the exact system calls at this point, but it is important to understand that new processes come from existing processes. There is always a parent process that creates a child process.
On a typical Linux system, there is one very early process that starts during boot and then creates other processes. From that initial process, an entire tree of processes grows.
Process identifiers (PIDs)
Every process on a Linux system has a unique numeric identifier called a Process ID, or PID. The kernel uses the PID to track and manage each process.
For example, if a process has PID 1234, you can often refer to it by that number when using process management commands.
PIDs are positive integers. The kernel assigns them as processes are created. When a process exits, its PID can eventually be reused for a new process.
Each process also knows the PID of its parent. The parent PID is often called the PPID. These identifiers help form a hierarchy that you can view as a process tree.
Important rule: Every running process has a unique PID, and each process (except the very first) has a parent process with its own PID.
The process tree
Linux organizes processes in a tree structure. At the top is a special process that is started very early in the boot process. On modern systems this is usually systemd, which often has PID 1.
From this initial process, other processes are started, which can start more processes in turn. This creates a parent and child relationship that can be visualized as a tree.
For example, your graphical session might be started by a display manager process, which in turn starts your desktop environment, which starts your terminal emulator, which starts your shell, which finally starts the commands you run.
Understanding that processes form a tree helps explain why some processes get terminated when their parent exits, and why killing a parent can affect its children. How to view this tree and manage it is covered in later chapters.
What a process consists of
Inside the system, a process is more than just running code. It has:
A piece of memory containing the program instructions and the process data. This includes variables, buffers, and other runtime data.
A set of open file descriptors. These are references to files, terminals, network connections, and other resources. Standard input, standard output, and standard error are common examples and are used by many command line programs.
A current working directory. This is the directory that the process treats as its starting point for relative paths.
A user and group identity. The process runs with the permissions of a specific user and possibly additional groups. This controls what files and resources it can access.
A current state. The kernel tracks whether the process is currently running on a CPU, waiting for input or output, sleeping until some event, or stopped.
All of this information together defines the process in the eyes of the kernel.
Foreground and background processes
When you run commands in a terminal, some processes take control of that terminal. These are called foreground processes. While a foreground process runs, your shell usually waits for it to finish before giving you another prompt.
Other processes can run in the background. A background process does not block your shell prompt, so you can continue typing commands while it runs. The concept of foreground and background is tied to terminals and job control, which is covered in a later chapter.
The important idea here is that a process may be connected to a terminal and interact with you directly, or it may run without any terminal interaction.
Interactive vs non-interactive processes
Processes can be interactive or non-interactive.
An interactive process reads input from a user and writes output that the user sees. A shell in a terminal is a typical interactive process.
A non-interactive process runs without requiring user input. It might be a background service, a scheduled job, or a utility that processes data and exits.
Most services that make a Linux system useful, such as web servers and database servers, are non-interactive processes. They run independently of any logged in user.
Processes and system resources
Processes use system resources such as CPU time, memory, and input and output operations. The kernel constantly manages which processes get CPU time and when, how memory is allocated to them, and how they access disks and network devices.
At any given moment, some processes are actively running on a CPU core, while others are waiting. The kernel schedules processes so that the system remains responsive and fair according to its scheduling policies.
From a user perspective, this means that having many processes running can affect system performance, and that some processes may be prioritized over others. How to monitor and interpret this is covered when you learn about process viewing tools.
Process lifetime
A process has a life cycle.
It is created by a parent process, given a PID, and starts executing the program code.
During its life it may create child processes, open files, allocate memory, and interact with the system and users.
Eventually the process finishes. This can happen because the program reaches the end of its work and exits normally, or because it encounters an error, or because it is terminated by a signal such as one that is sent from a process management command.
When a process exits, it returns an exit status code to its parent. In most shells you can see this as a numeric value. A value of 0 usually means success, and any nonzero value usually means some kind of failure or special condition.
Important convention: Exit status 0 means success, and a nonzero exit status means an error or special condition.
After a process exits and its exit status is collected by its parent, the kernel cleans up its resources and the PID becomes available for reuse.
Processes and the kernel
The Linux kernel is at the core of the operating system. It manages all hardware resources and provides services to user programs. Processes run in a mode that is separate from the kernel itself, often called user space.
When a process needs something that requires hardware access, such as reading from disk or sending data over the network, it requests help from the kernel. The kernel then performs the operation and returns the result.
From the point of view of this chapter, it is enough to understand that processes do not control the hardware directly. They always go through the kernel, which enforces security and fairness among all processes.
Summary
A process in Linux is a running instance of a program, identified by a PID, created by an existing parent process, and managed by the kernel. Each process has its own memory, open files, user identity, and state. Processes form a tree that starts from an initial process created at boot, and they can run interactively in a terminal or silently in the background.
Later chapters will show how to inspect processes, control them, and use job control to manage foreground and background execution from the command line.