April 25, 2019

Deep System Discovery on your Linux Server With /proc

Live Processes

  • December 10, 2010
  • By Juliet Kemp
/proc is a virtual filesystem generated at boot and updated regularly by the kernel. With /proc you can investigate exactly what hardware your Linux kernel sees, what processes it is running, and what boot options it was given, and you can also manipulate kernel events.

With Linux, everything is a file – and that includes devices, processes, and system information. /proc allows you to take a look at these 'files'.

/proc (short for "process filesystem") isn't 'real'; it's a virtual filesystem, generated at boot and updated regularly by the kernel. Instead of storing information on disk, when you look at something in /proc, it fetches the information from the kernel to output as a file. This is great both for system communication (utilities can operate in userspace, rather than in kernel space), and for investigating your system's innards.

/proc and processes

If you type ls /proc, you'll see a set of numbered directories. These are your processes: one directory per process ID. Look at your process list with ps -A, and pick one to investigate. (Note that unless you have root/sudo access, you're best off choosing a process that you own.) Here's a sample process from my ps output:
juliet   25175  0.0  0.0  18044  1552 pts/31   Ss   Jul14   0:00 /bin/bash

Look at the proc directory of this process with ls -l /proc/25175/, then use cat or less to look at the file contents. Some files are binary, but they usually have at least some human-readable text. Here are some of the files and directories you'll see; for more info, check the very comprehensive proc manpage. Note that often these files will be links, so ls -l is useful.

  • cmdline: the command used to launch this process. Useful if you're debugging a launch problem, or to check which options were passed in.
  • environ: the command environment.
  • exe: the original executable file.
  • fd/: filehandle links to files in use by the process.
  • task: hard links to any other processes started by this process, including itself.
  • cwd: the process' working directory.
  • root: the root path, almost always /, unless the process is being run in a chroot jail.
  • maps: memory maps to executables and library files. For each such file, it shows the memory address, permissions (r/w/x, followed by s for shared or p for private, i.e. copy on write), offset into the file, and device and inode.
  • stat, status: status information. status has better formatting.
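
An added example (not from the original article): a short Python script that reads the per-process files listed above and turns them into a summary a responder can scan. The inspect helper, its field names and the sample maps text are assumptions made for illustration; the checks for an unlinked executable (the " (deleted)" suffix documented in the proc manpage) and for mappings that are both writable and executable go one step beyond the list.

```python
import os
from pathlib import Path

# Constructed sample of /proc/<pid>/maps (not captured from a real host).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a2f000 r-xp 00000000 fd:01 1311 /usr/bin/bash
7f1a2c000000-7f1a2c021000 rwxp 00000000 00:00 0
7ffd3b5e0000-7ffd3b601000 rw-p 00000000 00:00 0 [stack]
"""

def parse_cmdline(raw):
    """cmdline holds argv as NUL-separated bytes with a trailing NUL."""
    if not raw:
        return []                      # kernel threads have an empty cmdline
    return [a.decode(errors="replace") for a in raw.rstrip(b"\0").split(b"\0")]

def parse_maps(text):
    """One dict per line: address range, perms, offset, device, inode, path."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)    # the path may itself contain spaces
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        rows.append({"start": start, "end": end, "perms": parts[1],
                     "offset": int(parts[2], 16), "dev": parts[3],
                     "inode": int(parts[4]),
                     "path": parts[5].strip() if len(parts) > 5 else ""})
    return rows

def inspect(pid, proc="/proc"):
    """Summarise one process directory; unreadable entries come back empty."""
    base = Path(proc) / str(pid)
    def link(name):
        try:
            return os.readlink(base / name)
        except OSError:                # not our process, or it has exited
            return None
    def read(name):
        try:
            return (base / name).read_bytes()
        except OSError:
            return b""
    exe, root = link("exe"), link("root")
    maps = parse_maps(read("maps").decode(errors="replace"))
    return {"argv": parse_cmdline(read("cmdline")), "exe": exe,
            "cwd": link("cwd"), "root": root,
            "exe_deleted": bool(exe) and exe.endswith(" (deleted)"),
            "chrooted": root not in (None, "/"),
            "wx_maps": [m for m in maps if "w" in m["perms"] and "x" in m["perms"]]}

if __name__ == "__main__":
    print(inspect("self"))             # the interpreter's own /proc entry
```

Pass a PID you own (or run as root) to inspect another process; the proc argument exists only so the function can be pointed at a copied or constructed directory tree.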
