
A brief analysis of the files in the /proc/[pid] directory in Linux

WBOY
2024-03-16 19:31:12

The Linux kernel provides a mechanism for accessing its internal data structures and changing kernel settings at runtime: the proc file system. The proc file system is a pseudo file system that exists only in memory and occupies no external storage. It exposes kernel data through a file system interface.

Users and applications can obtain system information through proc and change some kernel parameters. Because system information such as the set of processes changes dynamically, the proc file system reads the required information from the kernel at the moment a user or application reads a proc file, and returns it.

Not all of the files or subdirectories listed below exist on every system; which ones do depends on your kernel configuration and loaded modules. In addition, there are three very important directories under proc: net, scsi and sys. The sys directory is writable and can be used to read or modify kernel parameters, while net and scsi depend on the kernel configuration. For example, if the system does not support scsi, the scsi directory does not exist.

In addition to the directories introduced above, there are directories named with numbers, which are process directories. Each process currently running on the system has a corresponding directory under proc, named after the PID of the process. These directories are the interface for reading process information. The self directory is a link that gives a process the interface to its own information.

/proc/[pid]/auxv

/proc/[pid]/auxv contains the ELF interpreter information passed to the process. Each entry consists of an unsigned long ID followed by an unsigned long value, and the last entry consists of two zeros. Examples are as follows:

$ hexdump -x /proc/2406/auxv

0000000 0021 0000 0000 0000 f000 f7fa 7fff 0000
0000010 0010 0000 0000 0000 fbff 1f8b 0000 0000
0000020 0006 0000 0000 0000 1000 0000 0000 0000
0000030 0011 0000 0000 0000 0064 0000 0000 0000
0000040 0003 0000 0000 0000 0040 0040 0000 0000
0000050 0004 0000 0000 0000 0038 0000 0000 0000
0000060 0005 0000 0000 0000 0007 0000 0000 0000
0000070 0007 0000 0000 0000 0000 0000 0000 0000
0000080 0008 0000 0000 0000 0000 0000 0000 0000
0000090 0009 0000 0000 0000 55e0 0045 0000 0000
00000a0 000b 0000 0000 0000 0000 0000 0000 0000
00000b0 000c 0000 0000 0000 0000 0000 0000 0000
00000c0 000d 0000 0000 0000 0000 0000 0000 0000
00000d0 000e 0000 0000 0000 0000 0000 0000 0000
00000e0 0017 0000 0000 0000 0000 0000 0000 0000
00000f0 0019 0000 0000 0000 f079 f7f6 7fff 0000
0000100 001f 0000 0000 0000 ffea f7f6 7fff 0000
0000110 000f 0000 0000 0000 f089 f7f6 7fff 0000
0000120 0000 0000 0000 0000 0000 0000 0000 0000
0000130
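
The entry layout described above can be decoded directly. The following parser is an added example, not part of the original article; it assumes 64-bit little-endian words (as in the hexdump) and names only a handful of AT_* IDs from <elf.h>.

```python
import struct

# A few AT_* type IDs from <elf.h>; IDs not listed here are reported numerically.
AT_NAMES = {
    0: "AT_NULL", 3: "AT_PHDR", 4: "AT_PHENT", 5: "AT_PHNUM", 6: "AT_PAGESZ",
    7: "AT_BASE", 9: "AT_ENTRY", 11: "AT_UID", 12: "AT_EUID", 13: "AT_GID",
    14: "AT_EGID", 17: "AT_CLKTCK", 23: "AT_SECURE", 25: "AT_RANDOM",
    31: "AT_EXECFN", 33: "AT_SYSINFO_EHDR",
}

def parse_auxv(raw, word_size=8, little_endian=True):
    """Decode raw auxv bytes into (id, name, value) tuples, stopping at AT_NULL."""
    if not raw:
        return []  # nothing to decode (the file was empty)
    fmt = ("<" if little_endian else ">") + ("QQ" if word_size == 8 else "II")
    entry_len = 2 * word_size
    entries = []
    for off in range(0, len(raw) - entry_len + 1, entry_len):
        a_type, a_val = struct.unpack_from(fmt, raw, off)
        if a_type == 0:  # terminating entry
            return entries
        entries.append((a_type, AT_NAMES.get(a_type, f"AT_{a_type}"), a_val))
    raise ValueError("auxv is truncated: no terminating AT_NULL entry found")

# Sample input: a subset of the entries in the hexdump above, repacked as
# little-endian 64-bit (id, value) pairs, plus the terminator.
SAMPLE_AUXV = b"".join(struct.pack("<QQ", t, v) for t, v in [
    (0x21, 0x7FFFF7FAF000), (0x06, 0x1000), (0x09, 0x4555E0),
    (0x0B, 0), (0x17, 0), (0x00, 0),
])

if __name__ == "__main__":
    for a_type, name, value in parse_auxv(SAMPLE_AUXV):
        print(f"{a_type:>3} {name:<16} {value:#x}")
```

The AT_SYSINFO_EHDR value decoded here (0x7ffff7faf000) is the start address of the [vdso] region in the maps output shown later on this page.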

/proc/[pid]/cmdline

/proc/[pid]/cmdline is a read-only file that contains the complete command line of the process. If the process has been swapped out of memory or is a zombie process, this file is empty. The file ends with a null character rather than a newline character. Examples are as follows:

$ ps aux|grep frps
root 2406 0.1 0.1 54880 10524 ? Sl Dec11 21:30 frps -c ./frps.ini

$ cat /proc/2406/cmdline
frps-c./frps.ini

/proc/[pid]/comm

/proc/[pid]/comm contains the command name of the process. Examples are as follows:

$ cat /proc/2406/comm
frps

/proc/[pid]/cwd

/proc/[pid]/cwd is a symbolic link to the current working directory of the process. Examples are as follows:

$ ls -lt /proc/2406/cwd
lrwxrwxrwx 1 root root 0 Dec 12 20:39 /proc/2406/cwd -> /home/mike/frp_0.13.0_linux_amd64

/proc/[pid]/environ

/proc/[pid]/environ displays the environment variables of the process. Examples are as follows:

$ strings /proc/2406/environ

SUPERVISOR_GROUP_NAME=ssh
TERM=linux
SUPERVISOR_SERVER_URL=unix:///var/run/supervisor.sock
SUPERVISOR_PROCESS_NAME=ssh
RUNLEVEL=2
UPSTART_EVENTS=runlevel
PREVLEVEL=N
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
UPSTART_INSTANCE=
UPSTART_JOB=rc
SUPERVISOR_ENABLED=1
runlevel=2
PWD=/
previous=N

/proc/[pid]/exe

/proc/[pid]/exe is the symbolic link to the actual running program. Examples are as follows:

$ ls -lt /proc/2406/exe
lrwxrwxrwx 1 root root 0 Dec 11 19:00 /proc/2406/exe -> /usr/bin/frps
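
The cmdline, comm and exe entries above describe the same process from three angles, and the arguments in cmdline are separated by null characters, which is why the cat output runs together as frps-c./frps.ini. The following cross-check is an added example, not part of the original article; the function names and the second sample are constructed for illustration.

```python
import os

COMM_MAX = 15  # the kernel truncates comm to 15 bytes (TASK_COMM_LEN is 16 with the NUL)
DELETED = " (deleted)"  # suffix the kernel appends to exe when the file was unlinked

def parse_cmdline(raw):
    """Split raw /proc/[pid]/cmdline bytes into argv; empty input gives []."""
    if not raw:
        return []
    if raw.endswith(b"\0"):
        raw = raw[:-1]  # drop only the final terminator, keep empty arguments
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]

def identity_findings(comm, cmdline_raw, exe_target):
    """Cross-check comm, argv[0] and the exe link target; return notes for review."""
    findings = []
    argv = parse_cmdline(cmdline_raw)
    comm = comm.rstrip("\n")
    deleted = exe_target.endswith(DELETED)
    exe_path = exe_target[:-len(DELETED)] if deleted else exe_target
    exe_name = os.path.basename(exe_path)
    if deleted:
        findings.append(f"exe {exe_path!r} no longer exists on disk")
    if not argv:
        findings.append("cmdline is empty (for example a zombie process)")
    elif os.path.basename(argv[0]) != exe_name:
        findings.append(f"argv[0] {argv[0]!r} differs from exe {exe_path!r}")
    if comm != exe_name[:COMM_MAX]:
        findings.append(f"comm {comm!r} differs from exe name {exe_name!r}")
    # These are leads to review, not proof: a script run by an interpreter also differs.
    return findings

# Values from the frps example above, and one constructed mismatching process.
FRPS = ("frps\n", b"frps\0-c\0./frps.ini\0", "/usr/bin/frps")
CONSTRUCTED = ("sshd\n", b"sshd\0", "/tmp/upd (deleted)")

if __name__ == "__main__":
    print(parse_cmdline(FRPS[1]))
    for sample in (FRPS, CONSTRUCTED):
        print(identity_findings(*sample))
```

On a live host the three inputs come from reading /proc/[pid]/comm as text, /proc/[pid]/cmdline in binary mode, and os.readlink on /proc/[pid]/exe.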

/proc/[pid]/fd

/proc/[pid]/fd is a directory containing files opened by a process. Examples are as follows:

$ ls -lt /proc/2406/fd

lrwx------ 1 root root 64 Dec 24 09:39 77 -> socket:[44377722]
lrwx------ 1 root root 64 Dec 17 15:07 47 -> socket:[29482617]
lr-x------ 1 root root 64 Dec 12 20:18 0 -> pipe:[13282]
l-wx------ 1 root root 64 Dec 12 20:18 1 -> pipe:[13283]
lrwx------ 1 root root 64 Dec 12 20:18 10 -> socket:[12238218]
lrwx------ 1 root root 64 Dec 12 20:18 4 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 Dec 12 20:18 40 -> socket:[19378614]

Each item in the directory is a symbolic link pointing to the open file, and the number represents the file descriptor.

/proc/[pid]/latency

/proc/[pid]/latency shows which code paths cause the largest delays. To use this feature, first run:

$ echo 1 > /proc/sys/kernel/latencytop

Examples are as follows:

$ cat /proc/2406/latency

Latency Top version : v0.1
30667 10650491 4891 poll_schedule_timeout do_sys_poll SyS_poll system_call_fastpath 0x7f636573dc1d
8 105 44 futex_wait_queue_me futex_wait do_futex SyS_futex system_call_fastpath 0x7f6365a167bc

The first three numbers on each line are the number of times the code that follows was executed, its total latency (in microseconds) and its maximum latency (in microseconds). The rest of the line is the complete call stack of that code.

/proc/[pid]/maps

/proc/[pid]/maps displays the memory region mappings of the process. Examples are as follows:

$ cat /proc/2406/maps
00400000-006ea000 r-xp 00000000 fd:01 1727569 /usr/bin/frps
006ea000-00a6c000 r--p 002ea000 fd:01 1727569 /usr/bin/frps
00a6c000-00ab1000 rw-p 0066c000 fd:01 1727569 /usr/bin/frps
00ab1000-00ad4000 rw-p 00000000 00:00 0
c000000000-c00000b000 rw-p 00000000 00:00 0
c41feac000-c420000000 rw-p 00000000 00:00 0
c420000000-c420400000 rw-p 00000000 00:00 0
c420400000-c420700000 rw-p 00000000 00:00 0
c420700000-c420800000 rw-p 00000000 00:00 0
c420800000-c420900000 rw-p 00000000 00:00 0
c420900000-c420a00000 rw-p 00000000 00:00 0
c420a00000-c421ea0000 rw-p 00000000 00:00 0
c421ea0000-c422a00000 rw-p 00000000 00:00 0
c422a00000-c422a60000 rw-p 00000000 00:00 0
7f0418c01000-7f0418ee1000 rw-p 00000000 00:00 0
7ffff7f4f000-7ffff7f70000 rw-p 00000000 00:00 0 [stack:5121]
7ffff7fad000-7ffff7faf000 r--p 00000000 00:00 0 [vvar]
7ffff7faf000-7ffff7fb1000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Note that [stack:<tid>] marks the stack of a thread, which corresponds to the /proc/[pid]/task/[tid]/ path.
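
Each maps line holds an address range, permissions (r, w, x, then p for private or s for shared), file offset, device, inode and an optional path. The following parser is an added example, not part of the original article; it also lists regions that are writable and executable at once, a common review point, and the function names and the last sample line are constructed.

```python
from collections import namedtuple

Region = namedtuple("Region", "start end perms offset dev inode path")

def parse_maps(text):
    """Parse /proc/[pid]/maps text into Region tuples (addresses as integers)."""
    regions = []
    for line in text.splitlines():
        parts = line.split(None, 5)  # the path is optional and may contain spaces
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        start, end = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5].strip() if len(parts) == 6 else ""
        regions.append(Region(start, end, parts[1], int(parts[2], 16),
                              parts[3], int(parts[4]), path))
    return regions

def writable_and_executable(regions):
    """Regions mapped both writable and executable."""
    return [r for r in regions if "w" in r.perms and "x" in r.perms]

def anonymous_executable(regions):
    """Executable regions with no backing file, ignoring kernel entries like [vdso]."""
    return [r for r in regions
            if "x" in r.perms and r.inode == 0 and not r.path.startswith("[")]

# Four lines from the output above, plus one constructed rwxp line (the last).
SAMPLE_MAPS = """\
00400000-006ea000 r-xp 00000000 fd:01 1727569 /usr/bin/frps
00a6c000-00ab1000 rw-p 0066c000 fd:01 1727569 /usr/bin/frps
c000000000-c00000b000 rw-p 00000000 00:00 0
7ffff7faf000-7ffff7fb1000 r-xp 00000000 00:00 0 [vdso]
7f0000001000-7f0000002000 rwxp 00000000 00:00 0
"""

if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    for r in writable_and_executable(regions):
        print(f"W+X {r.start:#x}-{r.end:#x} {r.perms} {r.path or '<anonymous>'}")
```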

/proc/[pid]/root

/proc/[pid]/root is a symbolic link to the process root directory. Examples are as follows:

$ ls -lt /proc/2406/root
lrwxrwxrwx 1 root root 0 Dec 12 20:39 /proc/2406/root -> /
/proc/[pid]/stack

/proc/[pid]/stack shows the kernel call stack of the current process. This file exists only if the CONFIG_STACKTRACE option was enabled when the kernel was compiled. Examples are as follows:

$ cat /proc/2406/stack
[<ffffffff810fa996>] futex_wait_queue_me+0xc6/0x130
[<ffffffff810fb05d>] futex_wait+0x17d/0x270
[<ffffffff810fd2d5>] do_futex+0xd5/0x520
[<ffffffff810fd791>] SyS_futex+0x71/0x150
[<ffffffff8180cc76>] entry_SYSCALL_64_fastpath+0x16/0x75
[<ffffffffffffffff>] 0xffffffffffffffff

/proc/[pid]/statm

/proc/[pid]/statm displays statistics on the memory occupied by the process. It contains seven values, measured in pages (the page size can be obtained with getconf PAGESIZE). Examples are as follows:

$ cat /proc/2406/statm
13720 2617 493 746 0 12007 0

The meaning of each value:

a) The total memory occupied by the process
b) The physical memory occupied by the process at the current moment
c) Memory shared with other processes
d) Code segment of the process
e) Shared library (from version 2.6 onwards, this value is 0)
f) Stack of the process
g) dirty pages (from version 2.6 onwards, this value is 0)

/proc/[pid]/status

/proc/[pid]/status contains status information of the process. Much of its content is the same as /proc/[pid]/stat and /proc/[pid]/statm, but presented in a clearer way. Examples are as follows:

$ cat /proc/2406/status
Name: frps
State: S (sleeping)
Tgid: 2406
Ngid: 0
Pid: 2406
PPid: 2130
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 128
Groups: 0
NStgid: 2406
NSpid: 2406
NSpgid: 2406
NSsid: 2130
VmPeak: 54880 kB
VmSize: 54880 kB
VmLck: 0 kB
VmPin: 0 kB
VmHWM: 34872 kB
VmRSS: 10468 kB
VmData: 47896 kB
VmStk: 132 kB
VmExe: 2984 kB
VmLib: 0 kB
VmPTE: 68 kB
VmPMD: 20 kB
VmSwap: 0 kB
HugetlbPages: 0 kB
Threads: 11
SigQ: 0/31834
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: fffffffe7fc1feff
CapInh: 0000000000000000
CapPrm: 0000003ffffffffff
CapEff: 0000003ffffffffff
CapBnd: 0000003ffffffffff
CapAmb: 0000000000000000
Seccomp: 0
Cpus_allowed: f
Cpus_allowed_list: 0-3
Mems_allowed: 00000000,00000001
Mems_allowed_list: 0
voluntary_ctxt_switches: 2251028
nonvoluntary_ctxt_switches: 18031

Information about signals: SigQ has two parts (for example, 0/31834). The first is the number of signals currently in the queue (0), and the second is the total number of signals the queue can hold (31834). SigPnd shows the signals pending for the current thread, while ShdPnd shows the signals pending for the process as a whole. SigBlk, SigIgn and SigCgt show which signals are blocked, ignored and caught, respectively. (For background on Unix signals, see Unix: Dealing with signals.)
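
The signal fields are hexadecimal bitmasks in which bit n-1 stands for signal number n. The following decoder is an added example, not part of the original article; it uses the signal lines from the status output above, and the function names are constructed.

```python
import signal

def parse_status(text):
    """Turn 'Key: value' lines from /proc/[pid]/status into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_sigmask(hex_mask):
    """Return the signal numbers set in a hex mask; bit n-1 stands for signal n."""
    mask = int(hex_mask, 16)
    return [n for n in range(1, 65) if (mask >> (n - 1)) & 1]

def sig_name(number):
    """Best-effort name for a signal number on the host running this code."""
    try:
        return signal.Signals(number).name
    except ValueError:
        return f"SIG{number}"  # real-time or otherwise unnamed signal

def signal_summary(status_text):
    """Decode SigQ and the five signal masks into numbers a reviewer can read."""
    fields = parse_status(status_text)
    queued, limit = (int(x) for x in fields["SigQ"].split("/"))
    summary = {"queued": queued, "queue_limit": limit}
    for key, label in (("SigPnd", "thread_pending"), ("ShdPnd", "process_pending"),
                       ("SigBlk", "blocked"), ("SigIgn", "ignored"),
                       ("SigCgt", "caught")):
        summary[label] = decode_sigmask(fields[key])
    return summary

# The signal-related lines of the status output shown above.
SAMPLE_STATUS = """\
SigQ: 0/31834
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: fffffffe7fc1feff
"""

if __name__ == "__main__":
    caught = signal_summary(SAMPLE_STATUS)["caught"]
    missing = [n for n in range(1, 65) if n not in caught]
    print("not caught:", [sig_name(n) for n in missing])
```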

/proc/[pid]/syscall

/proc/[pid]/syscall displays the system calls being executed by the current process. Examples are as follows:

$ cat /proc/2406/syscall
202 0xab3730 0x0 0x0 0x0 0x0 0x0 0x7ffff7f6ec68 0x455bb3

The first value is the system call number (202 represents poll), followed by the values of the six system call arguments (held in registers); the last two values are the stack pointer and the instruction counter. If the process is blocked, but not in a system call, the system call number is -1, followed by the stack pointer and instruction counter values. If the process is not blocked, the file contains only the string running.

This file exists only if the CONFIG_HAVE_ARCH_TRACEHOOK option was enabled when the kernel was compiled.
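
The three forms of this file described above can be handled by one parser. The following is an added example, not part of the original article; it also locates the stack pointer and instruction counter in two regions copied from the maps output earlier on this page, and the function names are constructed.

```python
def parse_syscall(line):
    """Parse the single line of /proc/[pid]/syscall into a dict."""
    fields = line.split()
    if not fields:
        raise ValueError("empty syscall line")
    if fields == ["running"]:
        return {"state": "running"}  # process is not blocked
    nr = int(fields[0])
    if nr == -1:  # blocked, but not inside a system call
        if len(fields) != 3:
            raise ValueError("expected: -1 <sp> <pc>")
        return {"state": "blocked_outside_syscall",
                "sp": int(fields[1], 16), "pc": int(fields[2], 16)}
    if len(fields) != 9:
        raise ValueError("expected: <nr> <6 args> <sp> <pc>")
    values = [int(x, 16) for x in fields[1:]]
    return {"state": "in_syscall", "nr": nr, "args": values[:6],
            "sp": values[6], "pc": values[7]}

def region_for(address, regions):
    """Return the label of the (start, end, label) region containing address."""
    for start, end, label in regions:
        if start <= address < end:
            return label
    return None

# The line shown above, and two regions copied from the maps output on this page.
SAMPLE_SYSCALL = "202 0xab3730 0x0 0x0 0x0 0x0 0x0 0x7ffff7f6ec68 0x455bb3\n"
SAMPLE_REGIONS = [
    (0x00400000, 0x006EA000, "/usr/bin/frps"),
    (0x7FFFF7F4F000, 0x7FFFF7F70000, "[stack:5121]"),
]

if __name__ == "__main__":
    info = parse_syscall(SAMPLE_SYSCALL)
    print(info["nr"], [hex(a) for a in info["args"]])
    print("pc in", region_for(info["pc"], SAMPLE_REGIONS))
    print("sp in", region_for(info["sp"], SAMPLE_REGIONS))
```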

/proc/[pid]/wchan

/proc/[pid]/wchan displays the kernel function in which the process is sleeping. Examples are as follows:

$ cat /proc/2406/wchan
futex_wait_queue_me

Statement: This article is reproduced from linuxprobe.com.