my-docs/Linux/Advanced-Administration/01-Zombie-ps.md

Zombie Processes

What is a Zombie Process?

In Linux/Unix operating systems, when a process ends, its execution is halted, but it leaves behind an entry in the process table. This entry contains the process's exit status, which needs to be read by its parent process.

A zombie process (or defunct process, indicated by the Z state in ps output) is a child process that has completed its execution, but its parent process has not yet called the wait() or waitpid() system calls to read its exit status. Because the parent hasn't acknowledged the death, the OS keeps the child's entry in the process table.

The Effect of Zombie Processes

At first glance, a zombie process seems harmless:

• It consumes $0$ CPU resources.
• It consumes $0$ Memory (RAM).

The Danger: PID Exhaustion The only resource a zombie consumes is an entry in the OS process table and a Process ID (PID). Operating systems have a maximum limit of PIDs available (often 32768 by default, though tunable in sysctl). If a poorly written parent process continuously spawns children and never reaps them, the system will eventually run out of available PIDs.

When PID exhaustion occurs, the OS cannot create any new processes. You won't be able to SSH into the server, execute basic commands, or spawn new application threads, effectively bringing the system down.

How to Identify Zombies

• Using top: The header will explicitly show a counter for zombie processes.
• Using ps: List the PIDs of all processes with a Z (Zombie) state:

ps aux | awk '{ print $8 " " $2 }' | grep -w Z

How to "Kill" a Zombie Process

Important Rule: You cannot kill a zombie process directly. Even kill -9 <zombie_pid> (SIGKILL) will not work because the process is already dead. To clear a zombie, you must deal with its parent process.

Step 1: Find the Parent Process ID (PPID) Find out which process spawned the zombie:

ps -o ppid= -p <zombie_pid>

Step 2: Ask the parent to reap the child Send a SIGCHLD signal to the parent process. This acts as a gentle reminder for the parent to execute the wait() system call and clean up its children.

kill -s SIGCHLD <parent_pid>

Step 3: Kill the Parent Process (If Step 2 fails) If the parent process is poorly programmed, hung, or ignoring the SIGCHLD signal, your only operational choice is to kill the parent process:

kill -9 <parent_pid>

Note on Step 3: When the parent dies, the zombie process becomes an "orphan". The OS kernel automatically reassigns all orphan processes to the init system (usually systemd or init, which is PID 1). PID 1 is specifically designed to routinely execute wait() and will instantly reap the zombie, finally clearing it from the process table.