cancel
Showing results for 
Search instead for 
Did you mean: 
TudorRaduta
Community Manager
Community Manager
  • 283 Views

RHCSA Practice: Find, Analyze, and Kill a Process

Monday Mission: The Runaway Process Hunt

Happy Monday! Let's kick off the week by combining our learning mission with a hands-on challenge.

This week, we're targeting a critical RHCSA objective from the "Operate running systems" category: "Identify CPU/memory intensive processes and kill processes."

The Mission

My mission this week is to master the tools I need *before* a server gets sluggish. I want to know exactly how to find and handle a rogue process that's eating 100% CPU, and understand the right way to stop it.

The Map:

The best resources are the `man` pages for the tools themselves. They explain all the signals, flags, and output formats:

  • man top
  • man ps
  • man kill

Your Turn! (The Challenge)

Let's practice. A server is extremely sluggish. Your task is to find and neutralize the rogue process. Post the commands you would use in the comments!

  1. What command would you run to get a live, updating list of all running processes, sorted by CPU usage?
  2. You see the rogue process: its PID is 12345. What command would you use to politely ask it to shut down?
  3. You wait a few seconds... but it's still running! What is the "forceful" command you would use to guarantee it stops?
  • Bonus Question: What's the real difference between the signal you sent in step 2 (SIGTERM) and the one you sent in step 3 (SIGKILL)?

Let's see your process-hunting skills!

6 Replies
Chetan_Tiwary_
Community Manager
Community Manager
  • 180 Views

@TudorRaduta your Bonus question is a big Diwali bonus - it revealed the answers 

Andrew
Flight Engineer
Flight Engineer
  • 143 Views

I'm curious where we were going with the last question. I use the process sitting at a bar enjoying a frosty beverage metaphor when describing:

The process, sitting at a bar after work, may have a bag, enjoying something to eat, defnintely a beer...

The bouncer approaches.

With SIGTERM, the bouncer taps the process on the shoulder, says "the kernel has decided you cannot stay here, please gather your stuff up, deposit your garbage, take your bag with you, and exit ASAP".

The process gathers their bag & sundries, drains their beer, deposits their uneaten entree in the garbage on their way to the front door & exits quietly, leaving the barstool ready for another patron.

---

With SIGKILL, the bouncer takes the process by the belt and nape of the neck, hurling them through the front window. The process's uneaten entree remains behind, along with the halfdrunk beer, and their bag. Then there's the broken glass that has to be cleaned up, and a new window put in. A right mess!

---

Either way, the process has left. But with SIGTERM everything is nice and orderly and the janitorial and reaping processes have nothing out of the ordinary to do. With SIGKILL, there's a TON of cleanup, which is more taxing than it might sound

Use SIGKILL sparingly. The after-work with SIGTERM is much lighter lifting!

TudorRaduta
Community Manager
Community Manager
  • 119 Views

That is an absolutely B R I L L I A N T metaphor!

This is one of the best explanations of
SIGTERM vs. SIGKILL I've ever seen. You've perfectly captured the "why" behind the advice "always try SIGTERM first."

You're 100% right about the "mess" left behind by SIGKILL. In system terms, that mess can include things like:

  • Temporary files not being deleted.
  • Data in a buffer that never gets written to disk.
  • Child processes being left orphaned.
  • Shared memory segments not being cleaned up.

and the bouncer hurling the process through the window is the perfect visual for that.

Thank you for sharing such a creative and memorable way to explain this. This is a huge help to everyone in the community!

Chetan_Tiwary_
Community Manager
Community Manager
  • 102 Views

@Andrew You are right , when graceful recovery is not possible - then we need to use SIGKILL. It is kind of an emergency brake which could leave scars behind.

But SIGKILL is also a direct saviour in cases like if there is a malicious process found in a securoty scan , or system is unstable or you need urgent recovery , system performance is at stake eg. a rogue process consuming more than 97% of CPU , process has a deadlock or is hung at I/O , multiple zombie processes due to a hardware corruption etc.

In these cases - you can directly employ your sniper aka SIGKILL in production.

and yes for general admin/routine tasks - SIGTERM is deployed.

Blue_bird
Starfighter Starfighter
Starfighter
  • 97 Views

Great post..! with Great Answers with valuable information..!

1) To get a live, list of all running processes, sorted by CPU usage - I go for top and htop

2) Tpolitely ask it to shut down - I go for kill 12345 

kill by default sends SIGTERM (signal 15)

3)  The "forceful" command you would use to guarantee it stops - I go for kill -9 12345

-9 sends SIGKILL, which immediately kills the process.

4) The difference between the signal SIGTERM and SIGKILL is:

SIGTERM (Signal 15) - It Gracefully terminate a process. The process receives the signal and can choose how to handle it. It can clean up resources, save work, or ignore the signal.


SIGKILL (Signal 9) — “Forceful kill”, Immediately stop a process, no questions asked. The process cannot catch, block, or ignore this signal. It is terminated instantly by the kernel. No cleanup is performed (files, memory, sockets may remain open).

 

Thanks

Chetan_Tiwary_
Community Manager
Community Manager
  • 65 Views

@Blue_bird Spot on !

0 Kudos
Join the discussion
You must log in to join this conversation.