Error 404 Learning Guide

Zombie Processes

Notes for checking and understanding zombie processes on Linux/RHEL systems.

A zombie process is a process that has finished running, but its parent process has not collected its exit status yet.

Zombie processes usually do not use CPU or memory like normal running processes, but many zombies can indicate a problem with the parent process.

What is a zombie process?

A zombie process is already dead, but still appears in the process table.

It usually shows status:

Z

or:

defunct

Example:

user      12345  1234  0 10:00 ?  00:00:00 [process_name] <defunct>

Important concept

You usually do not kill the zombie process directly.

The zombie is already dead.

You normally need to look at the parent process.

Check for zombie processes

Using ps

ps aux | grep -w Z

Better:

ps aux | grep defunct

Show process state, PID, and parent PID

ps -eo stat,pid,ppid,cmd | grep -w Z

or:

ps -eo stat,pid,ppid,cmd | grep defunct

Important fields:

PID  = zombie process ID
PPID = parent process ID
STAT = process state
CMD  = command

Find the parent process

If the zombie has parent PID 1234, check the parent:

ps -fp 1234

Also:

pstree -p 1234

If pstree is not installed, use:

ps -ef --forest | less

Count zombie processes

ps -eo stat | grep -c Z

More detailed:

ps -eo stat,pid,ppid,cmd | grep -w Z

Check system impact

Zombie processes usually do not consume CPU.

Still check general system health:

uptime
top
free -h
ps aux --sort=-%cpu | head
ps aux --sort=-%mem | head

What to do

If there are only one or two zombies

Usually:

observe
identify parent process
check if it disappears later
check application logs

If many zombies are created repeatedly

Investigate the parent process or application.

Commands:

ps -eo stat,pid,ppid,cmd | grep -w Z
ps -fp PARENT_PID
journalctl -xe
journalctl -u SERVICE_NAME -n 100

Restart parent service

If the parent belongs to a known service, restart the service only if approved.

Example:

systemctl status SERVICE_NAME
journalctl -u SERVICE_NAME -n 100
sudo systemctl restart SERVICE_NAME

Verify:

ps -eo stat,pid,ppid,cmd | grep -w Z
systemctl status SERVICE_NAME

If parent process is PID 1

If the zombie parent is PID 1, it may be adopted by systemd/init.

Check:

ps -fp 1

Usually this should be handled automatically, but if zombies remain, investigate further.

Kill parent process

Warning: killing the parent process can stop an application or service.

Only do this if you understand the impact.

sudo kill PARENT_PID

If it does not stop:

sudo kill -9 PARENT_PID

Use kill -9 only as a last resort.

Common causes

Parent process bug
Application not properly reaping child processes
Script spawning background jobs incorrectly
Service stuck or unhealthy
Application server issue
Old process after failed restart

First command set for zombie process issues

hostnamectl
uptime
ps -eo stat,pid,ppid,cmd | grep -w Z
ps aux | grep defunct
top
journalctl -xe
systemctl --failed

If parent PID is known:

ps -fp PARENT_PID
pstree -p PARENT_PID

Troubleshooting flow

1. Confirm zombies exist.
2. Count how many.
3. Identify the zombie PID and parent PID.
4. Identify the parent process or service.
5. Check logs for the parent service.
6. Decide if observation is enough.
7. If needed and approved, restart the parent service.
8. Verify zombies are gone or no longer increasing.

Dangerous actions

Be careful with:

killing parent processes
restarting production services
using kill -9
rebooting just to remove zombies
ignoring many repeated zombies

Personal notes

Add sanitized examples here.

Examples:

- A few zombies disappeared by themselves.
- Many zombies came from one parent process.
- Restarting the parent service cleared the zombies.
- The real issue was an application bug.