To Obtain a snapshot of all the currently executing processes.
#ps -e
PID TTY TIME CMD
0 ? 0:39 sched
1 ? 0:25 init
2 ? 0:00 pageout
3 ? 1351:20 fsflush
477 ? 0:00 lockd
7 ? 2:24 svc.star
9 ? 5:04 svc.conf
400 ? 0:00 rpcbind
235 ? 0:00 efdaemon
120 ? 0:00 sysevent
186 ? 11:30 picld
492 ? 2:11 inetd
518 console 0:00 ttymon
163 ? 9:34 nscd
521 ? 0:00 smcboot
129 ? 0:00 drd
454 ? 0:00 statd
522 ? 0:00 smcboot
388 ? 0:00 iscsi-in
444 ? 0:17 nfsmapid
470 ? 78:32 in.route
494 ? 0:04 sac
146 ? 1:11 kcfd
263 ? 0:01 cron
438 ? 0:00 nfs4cbd
611 ? 0:33 automoun
510 ? 0:03 ttymon
610 ? 0:00 automoun
509 ? 0:16 utmpd
629 ? 0:03 sshd
632 ? 0:11 syslogd
523 ? 0:00 smcboot
652 ? 2:18 devfsadm
643 ? 0:00 vold
745 ? 4:37 sendmail
574 ? 0:00 dacs.snk
473 pts/1 0:00 ps
403 pts/1 0:00 sh
743 ? 1:04 sendmail
575 ? 539:38 dacs.snk
702 ? 5:26 fmd
685 ? 0:00 ldmad
635 ? 2021:03 p2ps
711 ? 0:02 snmpdx
738 ? 0:00 dmispd
710 ? 3:48 snmpd
176 ? 0:00 dtlogin
371 ? 0:01 sshd
396 ? 959:41 rrcpd
513 ? 137:12 java
370 ? 0:01 sshd
396 ? 0:01 sshd
397 ? 0:06 sshd
414 pts/1 0:00 bash
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 Aug 21 ? 0:39 sched
root 1 0 0 Aug 21 ? 0:25 /sbin/init
root 2 0 0 Aug 21 ? 0:00 pageout
root 3 0 0 Aug 21 ? 1351:20 fsflush
emon 477 1 0 Aug 21 ? 0:00 /usr/lib/nfs/lockd
root 7 1 0 Aug 21 ? 2:24 /lib/svc/bin/svc.startd
root 9 1 0 Aug 21 ? 5:04 /lib/svc/bin/svc.configd
emon 400 1 0 Aug 21 ? 0:00 /usr/sbin/rpcbind
root 235 1 0 Aug 21 ? 0:00 /usr/lib/efcode/sparcv9/e
root 120 1 0 Aug 21 ? 0:00 /usr/lib/sysevent/syseven
root 186 1 0 Aug 21 ? 11:30 /usr/lib/picl/picld
root 492 1 0 Aug 21 ? 2:11 /usr/lib/inet/inetd start
root 518 7 0 Aug 21 console 0:00 /usr/lib/saf/ttymon -g -d
nsole -l console -m ldterm,ttcompat -h -p p2ps
root 163 1 0 Aug 21 ? 9:34 /usr/sbin/nscd
root 521 1 0 Aug 21 ? 0:00 /usr/sadm/lib/smc/bin/smc
root 129 1 0 Aug 21 ? 0:00 /usr/lib/ldoms/drd
emon 454 1 0 Aug 21 ? 0:00 /usr/lib/nfs/statd
root 522 521 0 Aug 21 ? 0:00 /usr/sadm/lib/smc/bin/smc
root 388 1 0 Aug 21 ? 0:00 /lib/svc/method/iscsi-ini
emon 444 1 0 Aug 21 ? 0:17 /usr/lib/nfs/nfsmapid
root 470 1 0 Aug 21 ? 78:32 /usr/sbin/in.routed
root 494 7 0 Aug 21 ? 0:04 /usr/lib/saf/sac -t 300
emon 146 1 0 Aug 21 ? 1:11 /usr/lib/crypto/kcfd
root 263 1 0 Aug 21 ? 0:01 /usr/sbin/cron
emon 438 1 0 Aug 21 ? 0:00 /usr/lib/nfs/nfs4cbd
root 611 610 0 Aug 21 ? 0:33 /usr/lib/autofs/automount
root 510 494 0 Aug 21 ? 0:03 /usr/lib/saf/ttymon
root 610 1 0 Aug 21 ? 0:00 /usr/lib/autofs/automount
root 509 1 0 Aug 21 ? 0:16 /usr/lib/utmpd
root 629 1 0 Aug 21 ? 0:03 /usr/lib/ssh/sshd
root 632 1 0 Aug 21 ? 0:11 /usr/sbin/syslogd
root 523 521 0 Aug 21 ? 0:00 /usr/sadm/lib/smc/bin/smc
root 652 1 0 Aug 21 ? 2:18 devfsadmd
root 643 1 0 Aug 21 ? 0:00 /usr/sbin/vold -f /etc/vo
You can use the ps command to list all currently active processes on the local system. By default, ps prints the processes belonging to the user who issues the ps command:
$ ps PID TTY TIME CMD 29081 pts/8 0:00 ksh
The columns in the default ps list are the process identifier (PID), the terminal from which the command was executed (TTY), the CPU time consumed by the process (TIME), and the actual command that was executed (CMD), including any command-line options passed to the program.
Alternatively, if you would like more information about the current user's processes, you can add the –f parameter:
$ ps -f
UID PID PPID C STIME TTY TIME CMD
pwatters 29081 29079 0 10:40:30 pts/8 0:00 /bin/ksh
Again, the PID, TTY, CPU time, and command are displayed. However, the UID is also displayed, as is the PID of the parent process identifier (PPID), along with the starting time of the process (STIME). In addition, a deprecated column (C) is used to display processor utilization. To obtain the maximum detail possible, you can also use the –loption, which means "long"—and long it certainly is, as shown in this example:
$ ps -l F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD 8 S 6049 29081 29079 0 51 20 e11b4830 372 e11b489c pts/8 0:00 ksh 8 R 6049 29085 29081 0 51 20 e101b0d0 512 pts/8 0:00 bash
Here, you can see the following:
- The flags (F) associated with the processes
- The state (S) of the processes (29081 is sleeping, S, 29085 is running, R)
- The process identifier (29081 and 29085)
- Parent process identifier (29079 and 29081)
- Processor utilization (deprecated)
- Process priority (PRI), which is 51
- Nice value (NI), which is 20
- Memory address (ADDR), which is expressed in hex (e11b4830 and e101b0d0)
- Size (SZ), in kilobytes, which is 372KB and 512KB
- The memory address for sleeping process events (WCHAN), which is e11b489c for PID 29081
- CPU time used (TIME)
If you're a system administrator, you're probably not interested in the status of just your own processes; you probably want details about all or some of the processes actively running on the system, and you can do this in many ways. You can generate a process list using the –A or the –e option, for example, and either of these lists information for all processes currently running on the machine:
# ps -A
PID TTY TIME CMD
0 ? 0:00 sched
1 ? 0:01 init
2 ? 0:01 pageout
3 ? 9:49 fsflush
258 ? 0:00 ttymon
108 ? 0:00 rpcbind
255 ? 0:00 sac
60 ? 0:00 devfseve
62 ? 0:00 devfsadm
157 ? 0:03 automount
110 ? 0:01 keyserv
112 ? 0:04 nis_cache
165 ? 0:00 syslogd
Again, the default display of PID, TTY, CPU time, and command is generated. The processes listed relate to the scheduler, init, the system logging facility, the NIS cache, and several other standard applications and services.
It is good practice for you to become familiar with the main processes on your system and the relative CPU times they usually consume. This can be useful information when troubleshooting or when evaluating security. One of the nice features of the ps command is the ability to combine multiple flags to print out a more elaborate process list. For example, you can combine the –A option (all processes) with the –f option (full details) to produce a process list with full details. Here's the full details for the same process list:
# ps -Af
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 Mar 20 ? 0:00 sched
root 1 0 0 Mar 20 ? 0:01 /etc/init -
root 2 0 0 Mar 20 ? 0:01 pageout
root 3 0 0 Mar 20 ? 9:51 fsflush
root 258 255 0 Mar 20 ? 0:00 /usr/lib/saf/ttymon
root 108 1 0 Mar 20 ? 0:00 /usr/sbin/rpcbind
root 255 1 0 Mar 20 ? 0:00 /usr/lib/saf/sac -t 300
root 60 1 0 Mar 20 ? 0:00 /usr/lib/devfsadm/devfseventd
root 62 1 0 Mar 20 ? 0:00 /usr/lib/devfsadm/devfsadmd
root 157 1 0 Mar 20 ? 0:03 /usr/lib/autofs/automountd
root 110 1 0 Mar 20 ? 0:01 /usr/sbin/keyserv
root 112 1 0 Mar 20 ? 0:05 /usr/sbin/nis_cachemgr
root 165 1 0 Mar 20 ? 0:00 /usr/sbin/syslogd
Another common use for ps is to print process information in a format that is suitable for the scheduler:
% ps -c PID CLS PRI TTY TIME CMD 29081 TS 48 pts/8 0:00 ksh 29085 TS 48 pts/8 0:00 bash
Doing this can be useful when used in conjunction with the priocntl command, which displays the parameters used for process scheduling. This allows administrators, in particular, to determine the process classes currently available on the system, or to set the class of a specific process to interactive or time-sharing. You can obtain a list of all supported classes by passing the –l parameter to priocntl:
# priocntl -l
CONFIGURED CLASSES
==================
SYS (System Class)
TS (Time Sharing)
Configured TS User Priority Range: -60 through 60
IA (Interactive)
Configured IA User Priority Range: -60 through 60
FX (Fixed priority)
Configured FX User Priority Range: 0 through 60
You can combine this with a –f full display flag to ps –c to obtain more information:
$ ps -cf
UID PID PPID CLS PRI STIME TTY TIME CMD
paul 29081 29079 TS 48 10:40:30 pts/8 0:00 /bin/ksh
paul 29085 29081 TS 48 10:40:51 pts/8 0:00 /usr/local/bin/bash
If you want to obtain information about processes being executed by a particular group of users, this can be specified on the command line by using the –g option, followed by the GID of the target group. In this example, all processes from users in group 0 will be printed:
$ ps -g 0
PID TTY TIME CMD
0 ? 0:00 sched
1 ? 0:01 init
2 ? 0:01 pageout
3 ? 9:51 fsflush
Another common configuration option used with ps is –j, which displays the session identifier (SID) and the process group identifier (PGID), as shown here:
$ ps -j PID PGID SID TTY TIME CMD 29081 29081 29081 pts/8 0:00 ksh 29085 29085 29081 pts/8 0:00 bash
Finally, you can print out the status of lightweight processes (LWP) in your system. These are virtual CPU or execution resources, which are designed to make the best use of available CPU resources based on their priority and scheduling class. Here is an example:
$ ps -L PID LWP TTY LTIME CMD 29081 1 pts/8 0:00 ksh 29085 1 pts/8 0:00 bash
Using the top Program
If you're an administrator, you probably want to keep an eye on all processes running on a system, particularly if the system is in production use. Buggy programs can consume large amounts of CPU time, preventing operational applications from carrying out their duties efficiently. Monitoring the process list almost constantly is necessary, especially if performance begins to suffer on a system. Although you could keep typing ps –eaf every five minutes or so, a much more efficient method is to use the topprogram to monitor the processes in your system interactively, and to use its "vital statistics," such as CPU activity states, real and virtual memory status, and the load average. In addition, top displays the details of the leading processes that consume the greatest amount of CPU time during each sampling period.
The display of top can be customized to include any number of these leading processes at any one time, but displaying the top 10 or 20 processes is usually sufficient to keep an eye on rogue processes. The latest version of top can always be downloaded from ftp://ftp.groupsys.com/pub/top.
top reads the /proc file system to generate its process statistics. This usually means that top runs as a setUID process, unless you remove the read and execute permissions for nonroot users and run it only as root. Paradoxically, doing this may be just as dangerous, because any errors in top may impact the system at large if executed by the root user. Again, setUID processes are dangerous, and you should evaluate whether the trade-off between accessibility and security is worthwhile in this case.
One of the main problems with top running on Solaris is that top is very sensitive to changes in architecture and/or operating system version. This is particularly the case if the GNU gcc compiler is used to build top, as it has its own set of include files. These files must exactly match the version of the current operating system, otherwise top will not work properly: the CPU state percentages may be wrong, indicating that processes are consuming all CPU time, when the system is actually idle. The solution is to rebuildgcc so that it generates header files that are appropriate for your current operating system version.
Let's examine a printout from top:
last PID: 16630; load averages: 0.17, 0.08, 0.06 09:33:29 72 processes: 71 sleeping, 1 on cpu CPU states: 87.6% idle, 4.8% user, 7.5% kernel, 0.1% iowait, 0.0% swap Memory: 128M real, 3188K free, 72M swap in use, 172M swap free
This summary tells us that the system has 72 processes, with only 1 running actively and 71 sleeping. The system was 87.6 percent idle in the previous sampling epoch, and there was little swapping or iowait activity, ensuring fast performance. The load average for the previous 1, 5, and 15 minutes was 0.17, 0.08, and 0.06 respectively— this is not a machine that is taxed by its workload. The last PID to be issued to an application, 16630, is also displayed.
PID USERNAME THR PRI NICE SIZE RES STATE TIME CPU COMMAND 259 root 1 59 0 18M 4044K sleep 58:49 1.40% Xsun 16630 pwatters 1 59 0 1956K 1536K cpu 0:00 1.19% top 345 pwatters 8 33 0 7704K 4372K sleep 0:21 0.83% dtwm 16580 pwatters 1 59 0 5984K 2608K sleep 0:00 0.24% dtterm 9196 pwatters 1 48 0 17M 1164K sleep 0:28 0.01% netscape 13818 pwatters 1 59 0 5992K 872K sleep 0:01 0.00% dtterm 338 pwatters 1 48 0 7508K 0K sleep 0:04 0.00% dtsession 112 pwatters 3 59 0 1808K 732K sleep 0:03 0.00% nis_cachemgr 157 pwatters 5 58 0 2576K 576K sleep 0:02 0.00% automountd 422 pwatters 1 48 0 4096K 672K sleep 0:01 0.00% textedit 2295 pwatters 1 48 0 7168K 0K sleep 0:01 0.00% dtfile 8350 root 10 51 0 3000K 2028K sleep 0:01 0.00% nscd 8757 pwatters 1 48 10 5992K 1340K sleep 0:01 0.00% dtterm 4910 nobody 1 0 0 1916K 0K sleep 0:00 0.00% httpd 366 pwatters 1 28 0 1500K 0K sleep 0:00 0.00% sdtvolcheck
This top listing shows a lot of information about each process running on the system, including the PID, the user who owns the process, the nice value (priority), the size of the application, the amount resident in memory, its current state (active or sleeping), the CPU time consumed, and the command name. For example, the Apache Web server runs as the httpd process (PID=4910), by the user nobody, and is 1916KB in size.
Changing the nice value of a process ensures that it receives more or less priority from the process scheduler. Reducing the nice value ensures that the process priority is decreased, while increasing the nice value increases the process priority. Unfortunately, while ordinary users can decrease their nice value, only the superuser can increase the nice value for a process. In the preceding example for top, the dtterm process is running with a nice value of 10, which is low. If the root user wanted to increase the priority of a new dtterm process by 20, they would issue the following command:
# nice -–20 dtterm
Reducing the nice value can be performed by any user. To reduce the nice value of a new top process, the following command would be used:
$ nice –20 top
Now, if you execute an application that requires a lot of CPU power, you will be able to monitor the impact on the system as a whole by examining the changes in the processes displayed by top. If you execute the command
$ find . -name apache -print
the impact on the process distribution is immediately apparent:
last PID: 16631; load averages: 0.10, 0.07, 0.06 09:34:08 73 processes: 71 sleeping, 1 running, 1 on cpu CPU states: 2.2% idle, 0.6% user, 11.6% kernel, 85.6% iowait, 0.0% swap Memory: 128M real, 1896K free, 72M swap in use, 172M swap free
This summary tells you that the system now has 73 processes, with only 1 running actively, 1 on the CPU, and 71 sleeping. The new process is the find command, which is actively running. The system is now only 2.2 percent idle, a large increase on the previous sampling epoch. There is still no swapping activity, but iowait activity has risen to 85.6 percent, slowing system performance. The load average for the previous 1, 5, and 15 minutes was 0.10, 0.07, and 0.06 respectively—on the average, this machine is still not taxed by its workload and wouldn't be unless the load averages grew to greater than 1. The last PID to be issued to an application, 16631, is also displayed, and in this case it again refers to the find command.
PID USERNAME THR PRI NICE SIZE RES STATE TIME CPU COMMAND 16631 pwatters 1 54 0 788K 668K run 0:00 1.10% find 259 root 1 59 0 18M 4288K sleep 58:49 0.74% Xsun 16630 pwatters 1 59 0 1956K 1536K cpu 0:00 0.50% top 9196 pwatters 1 48 0 17M 3584K sleep 0:28 0.13% netscape 8456 pwatters 1 59 0 5984K 0K sleep 0:00 0.12% dtpad 345 pwatters 8 59 0 7708K 0K sleep 0:21 0.11% dtwm 16580 pwatters 1 59 0 5992K 2748K sleep 0:00 0.11% dtterm 13838 pwatters 1 38 0 2056K 652K sleep 0:00 0.06% bash 13818 pwatters 1 59 0 5992K 1884K sleep 0:01 0.06% dtterm 112 root 3 59 0 1808K 732K sleep 0:03 0.02% nis_cachemgr 337 pwatters 4 59 0 4004K 0K sleep 0:00 0.01% ttsession 338 pwatters 1 48 0 7508K 0K sleep 0:04 0.00% dtsession 157 root 5 58 0 2576K 604K sleep 0:02 0.00% automountd 2295 pwatters 1 48 0 7168K 0K sleep 0:01 0.00% dtfile 422 pwatters 1 48 0 4096K 0K sleep 0:01 0.00% textedit
find now uses 1.1 percent of CPU power, which is the highest of any active process (i.e., in the "run" state) on the system. It uses 788KB of RAM, less than most other processes; however, most other processes are in the "sleep" state and do not occupy much resident memory.
Using the truss Program
If you've identified a process that appears to be having problems and you suspect an application bug is the cause, the solution involves more than just going back to the source to debug the program or making an educated guess about what's going wrong. In fact, one of the great features of Solaris is the ability to trace system calls for every process running on the system. This means that if a program is hanging, for example, because it can't find its initialization file, the failed system call revealed using truss would display this information. truss prints out each system call, line by line, as it is executed by the system. The syntax is rather like a C program, making it easy for C programmers to interpret the output. The arguments are displayed by retrieving information from the appropriate headers, and any file information is also displayed.
As an example, let's look at the output from the cat command, which we can use to display the contents of /etc/resolv.conf, which is used by the Domain Name Service (DNS) to identify domains and name servers. Let's look at the operations involved in this running this application:
# truss cat /etc/resolv.conf
execve("/usr/bin/cat", 0xEFFFF740, 0xEFFFF74C) argc = 2
open("/dev/zero", O_RDONLY) = 3
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0xEF7B0000
open("/usr/lib/libc.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF2DC) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF7A0000
mmap(0x00000000, 704512, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =
0xEF680000
munmap(0xEF714000, 57344)
= 0
mmap(0xEF722000, 28368, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|
MAP_FIXED, 4, 598016) = 0xEF722000
mmap(0xEF72A000, 2528, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|
MAP_FIXED, 3, 0) = 0xEF72A000
close(4) = 0
open("/usr/lib/libdl.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF2DC) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|
MAP_FIXED, 4, 0) = 0xEF7A0000
close(4) = 0
open("/usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF0BC) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF790000
mmap(0x00000000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =
0xEF780000
close(4) = 0
close(3) = 0
munmap(0xEF790000, 8192) = 0
fstat64(1, 0xEFFFF648) = 0
open64("resolv.conf", O_RDONLY) = 3
fstat64(3, 0xEFFFF5B0) = 0
llseek(3, 0, SEEK_CUR) = 0
mmap64(0x00000000, 98, PROT_READ, MAP_SHARED, 3, 0) = 0xEF790000
read(3, " d", 1) = 1
memcntl(0xEF790000, 98, MC_ADVISE, 0x0002, 0, 0) = 0
domain paulwatters.com
nameserver 192.56.67.16
nameserver 192.56.67.32
nameserver 192.56.68.16
write(1, " d o m a i n p a u l w a t t e r s .".., 98) = 98
llseek(3, 98, SEEK_SET) = 98
munmap(0xEF790000, 98) = 0
llseek(3, 0, SEEK_CUR) = 98
close(3) = 0
close(1) = 0
llseek(0, 0, SEEK_CUR) = 57655
_exit(0)
First, cat is called using execve(), with two arguments (the application name, cat, and the file to be displayed, /etc/resolv.conf). The arguments to execve() include the name of the application (/usr/bin/cat), a pointer to the argument list (0xEFFFF740), and a pointer to the environment (0xEFFFF74C). Next, library files such as /usr/lib/libc.so.1are read. Memory operations (such as mmap()) are performed continuously. The resolv.conf file is opened as read only, after which the contents are literally printed to standard output. Then the file is closed. truss can be used in this way to trace the system calls for any process running on your system.
ps
The following table summarizes the main options used with ps.
Option
|
Description
|
|---|---|
–a
|
Lists most frequently requested processes
|
–A, –e
|
List all processes
|
–c
|
Lists processes in scheduler format
|
–d
|
Lists all processes
|
–f
|
Prints comprehensive process information
|
–g
|
Prints process information on a group basis for a single group
|
–G
|
Prints process information on a group basis for a list of groups
|
–j
|
Includes SID and PGID in printout
|
–l
|
Prints complete process information
|
–L
|
Displays LWP details
|
–p
|
Lists process details for list of specified processes
|
–P
|
Lists the CPU ID to which a process is bound
|
–s
|
Lists session leaders
|
–t
|
Lists all processes associated with a specific terminal
|
–u
|
Lists all processes for a specific user
|
