Linux – Init Process: Ancestor of All Processes?

initlinuxprocess

I have always learned that the init process is the ancestor of all processes. Why does process 2 have a PPID of 0?

$ ps -ef | head -n 3
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May14 ?        00:00:01 /sbin/init
root         2     0  0 May14 ?        00:00:00 [kthreadd]

Best Answer

First, “ancestor” isn't the same thing as “parent”. The ancestor can be the parent's parent's … parent's parent, and the kernel only keeps track of one level. However, when a process dies, its children are adopted by init, so you will see a lot of processes whose parent is 1 on a typical system.

Modern Linux systems additionally have a few processes that execute kernel code, but are managed as user processes, as far as scheduling is concerned. (They don't obey the usual memory management rules since they're running kernel code.) These processes are all spawned by kthreadd (it's the init of kernel threads). You can recognize them by their parent process ID (2) or, usually, by the fact that ps lists them with a name between square brackets or by the fact that /proc/2/exe (normally a symbolic link to the process executable) can't be read.

Processes 1 (init) and 2 (kthreadd) are created directly by the kernel at boot time, so they don't have a parent. The value 0 is used in their ppid field to indicate that. Think of 0 as meaning “the kernel itself” here.

Linux also has some facilities for the kernel to start user processes whose location is indicated via a sysctl parameter in certain circumstances. For example, the kernel can trigger module loading events (e.g. when new hardware is discovered, or when some network protocols are first used) by calling the program in the kernel.modprobe sysctl value. When a program dumps core, the kernel calls the program indicated by kernel.core_pattern if any.

Related Solutions

Linux – IPC with Init

Don't conflate processes and programs. There's one process #1, but it can be running one of a number of different programs.

If it is running the systemd program from the systemd package:
- There is an internal systemd API accessible via D-Bus, that is not guaranteed stable and not intended to be used by things outwith the systemd package.
- It responds to a large set of signals, ranging from SIGWINCH and SIGPWR to SIGRTMIN + 4.
If it is running the system-manager program from the nosh package:
- It responds to a fairly large subset of the signals recognized by systemd, with the same meanings where applicable.
If it is running the init program from upstart:
- There is an internal upstart API, accessible via D-Bus.
- It reads command messages from the initctl FIFO.
- It responds to small set of signals.
If it is running Joachim Nilsson's finit:
- It reads command messages from the initctl FIFO.
- It responds to a small set of signals.
If it is running the System 5 init then:
- It reads command messages from the initctl FIFO.
- It responds to a very small set of signals.

Some notes:

The signal API is mandated by the things that send the signals to process #1. These include the operating system kernel, which sends things like SIGWINCH, SIGINT, and SIGPWR, and various widespread system utility programs.
- Both systemd and the nosh system-manager extend this with signals that command system state changes (such as shutting down and powering off the system).
- Not all programs document supporting the full set of system-mandated signals. upstart makes no mention of responding to SIGPWR, for example.
- finit recognizes a different set of non-system-mandated extended signals, including SIGSTOP and SIGCONT.
Although the systemd package doesn't implement the initctl FIFO API in the program that runs as process #1, it does provide a compatibility shim in another process, running another program, that translates that mechanism onto native systemd mechanisms. (The nosh toolset has its own initctl-read compatibility shim that similarly translated into the native mechanisms of the nosh toolset's system management.)
- initctl really isn't native to anything but System V init, as the others (if they do so at all) only implement the notion of run levels as a limited backwards-compatibility mechanism.
- As the upstart man page for its init program says, the initctl mechanism isn't well documented. Even the System V init people go around telling people that only things in the System V init package should use it. It doesn't help, moreover, that the Debian System V maintainers relocated it from /dev to /run.

So yes, programs do IPC with process #1. Their reasons for doing so vary.

The systemd program is a combination system manager, service manager, and control groups manager and so there are a lot of purposes for which programs employ IPC to process #1. The same for upstart's init.
For nosh's system-manager, conversely, service management is done by another program (service-manager) in another process with its own (daemontools-compatible) APIs. So the only reason to do IPC with process #1 is for system state management, such as (say) rebooting the machine.

For many (not all) purposes, one is better off sticking to other APIs, using conventional system utilities to do things like shutdown and reboot the system, rather than sending the signals understood by the system-manager and systemd programs when they are running as process #1.

#! /bin/sh -
pid=${1?Please give a pid}
ps -Ao pid= -o ppid= -o args= |
  awk -v p="$pid" '
    {
      pid = $1; ppid[pid] = $2
      sub(/([[:space:]]*[[:digit:]]+){2}[[:space:]]*/, "")
      args[pid] = $0
    }
    END {
      while (p) {
        printf "%s%*d%*s%s\n", sep, 3+length(p)/2, p, 4-length(p)/2, "", args[p]
        p = ppid[p]
        sep = "  |\n"
      }
    }'

Best Answer

Related Solutions

Linux – IPC with Init

Further reading

Shell – View current user process ancestors and formatting the output

Related Question