How to kill a zombie process on Linux |

How to kill a zombie process on Linux

To kill a zombie process, you must remove its name from the process list.

Full moon on a hazy night
Image credits : 

Subscribe now

Get the highlights in your inbox every week.

Happy Halloween Open SOURCE-rers!

Here's a tale as old as epoch time. Since there has been C and Unix, and (later on) Linux, we've had zombies. Specifically, there are processes that get marked as a zombie process. Misunderstood by some, ignored by others, and immune to the efforts of so many of us trying to kill these processes without much success. Why is that?

What is a process in Linux?

It all begins when a program in Linux gets executed, and when it does, its running instance is called a process. You can see all processes on your Linux environment with the ps command.

$ ps -ax
        PID TTY         STAT   TIME COMMAND
        1 ?     Ss      0:01 /usr/lib/systemd/systemd rhgb --switched-root --sys
        2 ?     S       0:00 [kthreadd]
        3 ?     I<      0:00 [rcu_gp]
        4 ?     I<      0:00 [rcu_par_gp]

Sometimes a process starts another process, making the first process the parent of the second. The pstree command is a great tool that allows you to see the processes' "genealogy" on your system.

$ pstree -psn
        │                     ├─systemd-userwor(12714)
        │                     └─systemd-userwor(12715)

Every process gets assigned a number in the system. Process ID number 1 gets assigned to the very first process executed during the boot process, and every subsequent process after PID 1 is a descendant of it. The PID 1 process is the init, which on most newer versions of Linux is just a symbolic link to the systemd program.

Ending a process with the kill command

You can terminate processes in a Linux system with the kill commandDespite the name, the kill command and a set of others such as pkill and killall got written/designed to send SIGNALS to one or more processes. When not specified, the default SIGNAL it sends is the SIGTERM signal to terminate the process.

When a parent process dies or gets killed, and its child process doesn't follow its parent's demise, we call that process an orphan process.

How to kill a zombie process

Zombie processes, on the other hand, cannot be killed! Why might you ask? Well, because they are already dead!

Every child process, when terminated, becomes a zombie process and then removed by the parent. When the process exits its existence and releases the resources it had used, its name is still on the OS process table. It is then the parent's process job to remove its name from the process table. When that fails, we have the zombie process, which isn't really a process anymore, but just an entry on the process table of the OS.

This is why trying to do a kill command even with the -9 (SIGKILL) option on a defunct (zombie) process doesn't work, because there is nothing to kill.

So, to kill a zombie process, as in to remove its name from the process list (the process table), you have to kill its parent. For instance, if PID 5878 is a zombie process, and its parent is PID 4809, then to kill the zombie (5878) you end the parent (4809):

$ sudo kill -9 4809  #4809 is the parent, not the zombie

My final word of warning about zombies. Be very careful when killing parent processes. If the parent of a process is PID 1 and you kill that, you'll reboot yourself!

And that will be an even scarier story to tell!

x sign

In the final article in this series about chaos engineering, do some experiments to learn how changes affect your infrastructure's state.
World locations with red dots with a sun burst background

One of the most fundamental diagnostic tools for networked connectivity is the ping command.

About the author

Anderson Silva - He was introduced to Linux by his uncle back in 1996. In the early 2000s Anderson transitioned from being a developer to a system administrator/release engineer. He joined Red Hat as an IT Release Engineer in 2007. As of 2021, he is the Director of Incident Response @ Red Hat's Information Security Team. He currently holds an RHCE and an expired RHCA and is an active Fedora package maintainer...