diffrence between zombie and orphan process

Zombie Process :
---------------------

If the child process is dead but its parent process is alive, the child process is declared zombie, means if you run ps aux, you will see that the just died child process is having a Z in the STAT column.

>> It does not use resources and it cannot be scheduled for execution. 

Sometimes the parent process keeps the child in the zombie state to ensure that the future children processes will not receive the same PID

$ ps aux | grep Z

Orphan Process :
---------------------

If parent process is dead but its child process is alive, the child process is declared orphan, means it is now adopted by its new parent .. the init process.

An Orphan Process is a process whose parent is dead (terminated). A process with dead parents is adopted by the init process.
When does a process become an orphan process?
Sometimes, when a process crashes, it leaves the children processes alive, transforming them into orphan processes. A user can also create a orphan process, by detaching it from the terminal.

How to find orphaned processes:
This command will not display only the orphaned processes, but all the processes having the PPID 1 (having the init process as it’s parent).

ps -elf | head -1; ps -elf | awk '{if ($5 == 1) {print $0}}'

The command snapshots all the processes with PPID 1. Keep that result. Thereafter, you may periodically run the command to compare the result of the time with snapshot taken earlier. Any differences found in the new snapshot might be potentially being orphan processes.

Note, the differences found are only suggest that they’re potential (not confirm) orphan processes in Linux system. You have to get more info to confirm them before terminating those processes. For example, how STIME figure, CPU utilization, understanding its purpose of executing, etc.

Once you have confirm them, you should not hesitate to terminate them as soon as possible, by the kill -9 command, as orphan processes will drain out your Linux system resources over the time.

>> Orphan processes use a lot of resources, so they can be easily found with top or htop. 

To kill an orphaned process, use kill -9 PID.

How to Kill a Process

How to Kill a Process

You may want to stop a process while it is running. For instance, you may be running a program that contains an endless loop, so that the process you created will never stop. Or you may decide not to complete a process you started, either because it is hogging system resources or because it is doing something unintended. If your process is actively running, just hit the BREAK or DELETE key However, you cannot terminate a background process or one attached to a different terminal this way, unless you bring it back to the foreground.

You should observe some cautions when using kill to end processes. Before you attempt to kill a process, you should ensure that you have correctly identified the process ID (PID) you wish to kill. In this “family” relationship that is built as processes spawn others, you can inadvertently kill a process that is the parent of the one you want to kill, and leave an orphan, or—in the worst case—a zombie (a process that still appears in the process table as though it were active, but either has been killed or has completed and is consuming no resources).

You may also transpose numbers in the PID and kill a process that is being used for a different purpose, even a system-level process. The results can be disastrous, especially if you use what is known as a “sure (or unconditional) kill.” This type of kill is discussed in the next section.

To terminate such a process, or kill it, use the kill command, giving the process ID as an argument. For instance, to kill the process with PID 2312 (as revealed by ps), type

$  kill  2312

This command sends a signal to the process. In particular, when used with no arguments, the kill command sends the signal 15 to the process. (Over 30 different signals can be sent on UNIX systems. See Table 11–1, in the section “Signals and Semaphores,” for a list.) Signal 15 is the software termination signal (SIGTERM) that is used to stop processes.

Table 11–1: The Thirty Most Common UNIX Signals

Signal	Abbreviation	Meaning
1)	HUP	Hangup
2)	INT	Interrupt
3)	QUIT	Quit
4)	ILL	Illegal instruction
5)	TRAP	Trace/breakpoint trap
6)	ABRT	Abort
7)	EMT	Emulation trap
8)	FPE	Floating point exception
9)	KILL	Kill
10)	BUS	Bus error
11)	SEGV	Segmentation fault
12)	SIGSYS	Bad system call
13)	PIPE	Broken pipe
14)	ALRM	Alarm clock
15)	TERM	Terminated
16)	USR1	User signal 1
17)	USR2	User signal 2
18)	CLD	Child status changed
19)	PWR	Power failure
20)	WINCH	Window size change
21)	URG	Urgent socket condition
22)	POLL	Pollable event
23)	STOP	Stopped
24)	STP	Stopped (user)
25)	CONT	Continued
26)	TTIN	Stopped terminal input
27)	TTOU	Stopped terminal output
28)	VTALRM	Virtual timer expired
29)	PROF	Profiling timer expired
30)	XCPU	CPU time exceeded

Some processes, such as the shell, do not die when they receive this signal. You can kill processes that ignore signal 15 by supplying the kill command with the −9 flag. This sends the signal 9, which is the unconditional kill signal, to the process. For instance, to kill a shell process with PID 517, type

$ kill −9 517

You may want to use kill −9 to terminate sessions. For instance, you may have forgotten to log off at work. When you log in remotely from home and use the ps command, you will see that you are logged in from two terminals. You can kill the session you have at work by using the kill −9 command.

To do this, first issue the ps command to see your running processes:

$ ps
 PID     TTY        TIME    COMD
 3211    term/41    0:05    ksh
12326    term/41    0:01    ps
12233    term/15    0:20    ksh

You can see that there are two kshs running: one attached to terminal 41, one, to terminal 15. The ps command just issued is also associated with terminal 41. Thus, the ksh associated with term/15, with process number (PID) 12233, is the login at work. To kill that login shell, use the command

$  kill  −9  12233

You can also kill all the processes that you created during your current terminal login session. A process group is a set of related processes, for example, all those with a common ancestor that is a login shell. Use the command

$  kill  0

to terminate all processes in the process group.

If you program in Shell (see Chapter 20), you may want to know if a particular process is running prior to executing a command. The −0 (zero) option of kill allows you to do this. Putting the string

kill  −0  pid

into your shell script will return a value indicating whether or not the indicated process (pid) is alive.

Parent and Child Processes

When you type a command line on your UNIX system, the shell handles its execution. If the command is a built-in command known by the shell (echo, break, exit, test, and so forth), it is executed internally without creating a new process. If the command is not a built-in, the shell treats it as an executable file. The current shell uses the system call fork and creates a child process, which executes the command. The parent process, the shell, waits until the child either completes execution or dies, and then it returns to read the next command.

Normally when the shell creates the child process, it executes a wait system call. This suspends operation of the parent shell until it receives a signal from the kernel indicating the death of a child. At that point, the parent process wakes up and looks for a new command.

When you issue a command that takes a long time to run (e.g., a troff command to format a long article), you usually need to wait until the command terminates. When the troff job finishes, a signal is sent to the parent shell, and the shell begins paying attention to your input once again. You can run multiple processes at the same time by putting jobs into the background. If you end a command line with the ampersand (&) symbol, you tell the shell to run this command in the background. The command string

$ cat * troff -mm lp 2> /dev/null &

causes all the files in the current directory to be formatted and sent to the printer. Because this command would take several minutes to run, it is placed in the background with the & symbol.

When the shell sees the & at the end of the command, it forks off a child shell to execute the command, but it does not execute the wait system call. Instead of suspending operation until the child dies, the parent shell resumes processing commands immediately If anything goes wrong with the process, the output of the lp command is redirected to the device /dev/ null(discarded) to avoid a lengthy printout of garbage.

The shell provides programming control of the commands and shell scripts you execute. The command format

$ (command; command; command) &

instructs the shell to create a child or subshell to run the sequence of commands, and to place this subshell in the background.