Linux Process Management: Fork, Exec, and Beyond

The Heart of Linux: Process Management

Every program you run on Linux becomes a process - a living entity with its own memory space, resources, and lifecycle. From the moment you boot your system with PID 1 (init/systemd) to the thousands of processes running right now, understanding process management is key to mastering Linux.

Think of It This Way

Processes are like actors on a stage

The kernel is the director

CPU cores are the stages where actors perform

The scheduler decides who performs when

Interactive Process Lifecycle

Watch every step of process creation, execution, and termination - from fork to zombie reaping:

Process Management Deep Dive

Watch processes fork, exec, become zombies, get orphaned, and transition through states - every step visualized.

Fork & Exec: Creating New ProgramsStep 1 of 10

Parent process running

Process PID 1234 is executing. It needs to run a child program (e.g., shell executes "ls" command).

Process Table:

1234

bash

PID: 1234

RUNNING

PC: main+0x42

Memory: code | data | stack

PID: 1234 Name: bash State: RUNNING

Memory: Code (read-only), Data, Stack

Program Counter: main+0x42

About to call fork() to create child

Current working: parsing user command "ls"

1 / 10

10% complete

The Process Tree

Every process on a Linux system is part of a hierarchical tree structure. PID 1 (systemd/init) sits at the root as the ancestor of all processes. Click any process to explore its relationships:

Interactive Process Tree

Click processes to see their ancestry (blue) and descendants (amber). Use Fork to create children, Kill to terminate and watch orphan re-parenting.

systemd

PPID: 0

RUNNING

100

systemd-journald

PPID: 1

RUNNING

200

sshd

PPID: 1

RUNNING

1001

sshd

PPID: 200

RUNNING

1002

sshd

PPID: 1001

RUNNING

1003

bash

PPID: 1002

RUNNING

1010

vim

PPID: 1003

RUNNING

1020

python

PPID: 1003

RUNNING

1050

sshd

PPID: 200

RUNNING

1051

sshd

PPID: 1050

RUNNING

1052

zsh

PPID: 1051

RUNNING

1060

htop

PPID: 1052

RUNNING

300

nginx

PPID: 1

RUNNING

301

nginx

PPID: 300

RUNNING

302

nginx

PPID: 300

RUNNING

Select a Process

Click on any process in the tree to view its details and see the parent-child chain highlighted.

Legend

Selected

Ancestors (parent chain)

Descendants (children)

Try it: Kill a parent process with children to see orphan adoption in action. The kernel automatically re-parents orphaned children to init (PID 1).

Process Fundamentals

What is a Process?

A process is more than just a running program. It's a container managed by the kernel that includes:

Identity: PID (Process ID), PPID (Parent PID), UID/GID (owner)
State: RUNNING, READY, WAITING, STOPPED, ZOMBIE
Memory: Code, data, heap, stack (separate virtual address space)
Resources: Open files, network connections, signals
Scheduling: Priority, nice value, CPU time consumed

The kernel represents each process with a task_struct - a data structure containing all this metadata (about 10KB per process).

Process vs Thread

Aspect	Process	Thread
Weight	Heavy-weight	Light-weight
Memory	Separate address space	Shared within process
Creation	`fork()` (slower)	`clone()` (faster)
Communication	IPC required	Direct memory access

When Firefox runs with 47 threads, they all share memory and file descriptors but have separate stacks and registers.

The Fork-Exec Model

Analogy: The Photocopier

fork() = Photocopying yourself. You now have two identical copies, both thinking they're the original.

exec() = The photocopy transforms into a completely different document. Same piece of paper (PID), but entirely different content.

fork(): Cloning Processes

fork() creates a new process by duplicating the calling process:

Kernel creates child: New PID, copy of task_struct
Copy-on-Write (COW): Memory pages shared, not copied immediately
Returns twice: Returns 0 to child, child PID to parent
Identical but separate: Same code position, but two different processes

exec(): Transformation

exec() replaces the current process image with a new program:

Same PID: Process identity preserved
New program: Code, data, stack replaced from executable file
File descriptors preserved: Open files remain open (unless close-on-exec)
Common pattern: fork() followed by exec() in child

Copy-on-Write Deep Dive

Fork-Exec & Copy-on-Write Visualizer

Watch how Linux creates processes efficiently using Copy-on-Write (COW). Memory pages are shared until modified - no wasteful copying!

Step 1: Parent Process Running

Virtual: 15 pages

Physical: 15 pages

Parent process (bash) is running with its own memory space. Each region occupies physical pages.

PParent Process

1234

bash

main+0x42

RUNNING

Memory Regions

Code

4 pages • active

Data

2 pages • active

Heap

8 pages • active

Stack

1 pages • active

CChild Process

No child process yet

[kernel] Parent owns all 15 physical pages exclusively. About to call fork()...

1 / 6

Code

Program instructions (read-only)

Data

Global/static variables

Heap

Dynamic allocations (malloc)

Stack

Local variables, function calls

Copy-on-Write Efficiency

Without COW, fork() would copy 15 pages. With COW, only modified pages are copied. This is why fork() is fast even for large processes, and why fork+exec is efficient for running commands.

Process States

Every process is always in one of these states. Click to explore:

Process State Diagram

Click any state to learn about it, or run a simulation to see a process move through its lifecycle.

State Transitions

Select a State or Transition

Click on a state to see details, or click a transition to understand what triggers it.

Event Log

Run simulation to see events...

Key Insight

A process spends most of its time in READY (waiting for CPU) or WAITING (blocked on I/O). The ZOMBIE state is special - the process is dead but must exist until parent retrieves its exit status.

State Transitions Summary

From	To	Trigger
NEW	READY	fork() completes
READY	RUNNING	Scheduler dispatch
RUNNING	READY	Time slice expired
RUNNING	WAITING	I/O, sleep, lock
WAITING	READY	I/O complete, wake
RUNNING	STOPPED	SIGSTOP received
STOPPED	READY	SIGCONT received
RUNNING	ZOMBIE	exit() called

Zombies & Orphans

Analogy: Family Affairs

Zombie = A tombstone waiting for someone to read it. The person is gone, but the marker remains until the family (parent) acknowledges it.

Orphan = A child whose parent died. Automatically adopted by the state (init/systemd) to ensure proper care.

Zombie Processes

When a process terminates, it becomes a zombie - dead but not fully gone:

Why exist? Must preserve exit status for parent to retrieve
What's left? Only task_struct (process descriptor), no memory
How to see? ps aux | grep defunct or state shows 'Z'
How to kill? You can't! Already dead. Parent must call wait()
Problem: If parent never calls wait(), zombie persists forever

Orphan Processes

When a parent dies before its children:

Kernel re-parents: Orphans automatically adopted by init (PID 1)
init reaps: init periodically calls wait() to clean up orphans
No zombie accumulation: init ensures orphans don't become permanent zombies

This is why PID 1 (init/systemd) is special - it's the ultimate parent that never dies and always cleans up.

Orphan & Zombie Simulator

What happens when a parent process dies while its children are still running

Step 1: Normal Operation

Parent (PID 1000) and child (PID 1001) are both running happily.

systemd

PPID: 0

RUNNING

1000

parent

PPID: 1

RUNNING

1001

child

PPID: 1000

RUNNING

Zombie

Dead process waiting for parent to call wait(). Like a tombstone holding exit code.

Orphan

Child whose parent died. Automatically adopted by init (PID 1).

Init (PID 1)

The ultimate parent. Always reaps its children to prevent zombie accumulation.

Sessions and Process Groups

Analogy: Office Organization

Session = An office floor containing multiple teams

Process Group = A team that receives group messages (signals) together

When you press Ctrl+C, the memo goes to the foreground team only!

Signal Delivery

Understanding why Ctrl+C kills an entire pipeline but leaves background jobs alone:

Signal Delivery Simulator

Understand why Ctrl+C kills an entire pipeline but leaves background jobs alone. Signals are delivered to all processes in the foreground process group.

Session 1000

/dev/pts/0

Shell

PGID: 1000 • 📦 Background

1000

bash

leader • RUNNING

handler: ignored

Pipeline (foreground)

PGID: 1010 • 🎯 Foreground

1010

cat

leader • RUNNING

handler: default

1011

grep

RUNNING

handler: default

1012

RUNNING

handler: default

Background Job

PGID: 1020 • 📦 Background

1020

sleep

leader • RUNNING

handler: default

Terminal Output

$ cat file.txt | grep pattern | wc -l

# Pipeline started as foreground job

Why This Matters

• Ctrl+C sends SIGINT to all processes in the foreground process group
• Pipeline commands share the same PGID, so they all receive the signal together
• Background jobs have different PGIDs and are unaffected by foreground signals
• SIGKILL (kill -9) cannot be caught or ignored - it's the nuclear option

The Hierarchy

Session: A collection of process groups, typically one per terminal/login
Process Group: One or more processes treated as a unit for job control
Foreground Group: The group receiving terminal signals (Ctrl+C, Ctrl+Z)

When you run cat file | grep pattern | wc -l, all three commands share the same PGID - that's why they all die together on Ctrl+C!

CPU Scheduling

Linux uses the Completely Fair Scheduler (CFS) for normal processes:

Red-black tree: Processes sorted by virtual runtime
Fairness: Each process gets fair share proportional to priority
Time slices: Dynamic, based on number of runnable processes
Real-time classes: SCHED_FIFO and SCHED_RR for critical tasks

Context Switch

When the scheduler switches from one process to another:

Save current process state (registers, PC) to memory
Load new process state from memory
Switch page tables (change memory view)
Jump to new process's program counter

Context switches are expensive (~microseconds) so minimize thrashing!

Nice Values

Process priority controlled by "nice" value (-20 to +19):

Nice	Priority	Behavior
-20	Highest	Least nice, hogs CPU
0	Default	Normal priority
+19	Lowest	Very nice, yields CPU

📋 Priority Commands (click to expand)

# Start with lower priority
nice -n 10 ./cpu-intensive-task

# Change priority of running process
renice -n 5 -p 1234

# Require root for negative nice
sudo renice -n -10 -p 1234

# Real-time priority (requires root)
chrt -f 99 ./realtime-app   # SCHED_FIFO priority 99

Process Inspection & Control

📋 Essential Process Commands (click to expand)

# View all processes
ps aux

# Process tree showing relationships
pstree -p

# Watch processes in real-time
htop

# View process memory map
cat /proc/1234/maps

# View process status
cat /proc/1234/status

# Send signals
kill -SIGTERM 1234   # Request termination (15)
kill -SIGKILL 1234   # Force kill (9)
kill -SIGSTOP 1234   # Suspend (19)
kill -SIGCONT 1234   # Resume (18)

# Job control
command &      # Run in background
jobs           # List jobs
fg %1          # Bring to foreground
bg %1          # Send to background

Common Patterns

Fork-Exec Pattern (Shell executing command)

pid = fork();
if (pid == 0) {
    // Child: replace with new program
    exec("/bin/ls", args);
} else {
    // Parent: wait for child
    wait(&status);
}

Daemon Process Pattern

fork() and parent exits (detach from terminal)
setsid() to create new session
Change directory to /
Close stdin/stdout/stderr
Write PID to /var/run/daemon.pid

Essential Takeaways

1.fork() clones, exec() transforms - the fundamental pattern for creating processes

2.Every process has exactly one parent (except PID 0/1)

3.Zombies = dead but task_struct preserved for exit status

4.Orphans are automatically adopted by init (PID 1)

5.Process groups enable job control - signals go to the group

6.SIGTERM asks nicely, SIGKILL forces (cannot be caught)

7.Always wait() for children to prevent zombie accumulation

8.Copy-on-Write makes fork() efficient - memory shared until modified

System Calls: How user programs communicate with kernel
Memory Management: Virtual memory and address spaces
Kernel Architecture: How the kernel manages processes
Init Systems: PID 1 and the process hierarchy
Linux Namespaces: PID namespaces for container isolation
Containers Under the Hood: How process isolation creates containers