What is the meaning of ps process names printed in [] such as [cgroup]?

Question

when I do a command such as ps -aux on CentOS 6 I get a bunch of processes whos command is listed in [] as shown below. What is the meaning of the [] in the name? I am assuming that these are special processes of some kind, what makes a process name show up with a [] around it?

[root@centos6 src]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 18:48 ?        00:00:01 /sbin/init
root         2     0  0 18:48 ?        00:00:00 [kthreadd]
root         3     2  0 18:48 ?        00:00:00 [migration/0]
root         4     2  0 18:48 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 18:48 ?        00:00:00 [migration/0]
root         6     2  0 18:48 ?        00:00:00 [watchdog/0]
root         7     2  0 18:48 ?        00:00:02 [events/0]

The answers below are right, I just want to add that those processes in square brackets on top of your output are kernel threads - those are actually processes, rather than threads, running in the kernel mode and having only kernel part of virtual address space (only upper 1 Gb, corresponding to addresses 0xC000000 - 0xFFFFFFFF in 32-bit mode, cause they are not meant to access userspace at all). For instance, ksoftirqd is a daemon, responsible for running the bottom halves of interrupts, when the CPU is not busy with more urgent tasks. — Boris Burkov, Aug 25 '13 at 13:46

slm · Accepted Answer · 2013-08-25T01:44:50.087

If the command line is inaccessible to ps, i.e. /proc/<pid>/cmdline returns an empty string then ps wraps it in square brackets.

You can use this to test the above, by running the following command and then checking it out in the process list:

$ perl -e '$0 = ""; sleep'

Then do a ps:

saml     26756  2098  0 21:21 pts/9    00:00:00 []

Sure enough our perl process shows up with the square brackets ([]).

cmdline's are empty, really?

Yeah seems a bit odd but just to confirm I checked the first couple and they're definitely empty:

$ for i in `seq 2125`;do [ -e /proc/$i/cmdline ] || continue; \
    echo -n "PID# $i: "; echo $(cat /proc/$i/cmdline);done | less

PID# 1: /sbin/init
PID# 2: 
PID# 3: 
PID# 4: 
PID# 5: 
PID# 15: 
...
PID# 1187: /sbin/rsyslogd-c4
PID# 1189: /sbin/rsyslogd-c4
PID# 1190: /sbin/rsyslogd-c4
PID# 1211: 
PID# 1229: irqbalance
PID# 1255: rpcbind
PID# 1269: mdadm--monitor--scan-f--pid-file=/var/run/mdadm/mdadm.pid
...

Getting rid of them?

If you use the -f and -c switches you can see the expanded version of these processes without the square brackets:

$ ps --version
procps version 3.2.8

$ ps -auxfc | less
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         2  0.0  0.0      0     0 ?        S    Aug21   0:00 kthreadd
root         3  0.0  0.0      0     0 ?        S    Aug21   0:04  \_ ksoftirqd/0
root         4  0.0  0.0      0     0 ?        S    Aug21   0:03  \_ migration/0
root         5  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ watchdog/0
root        15  0.0  0.0      0     0 ?        S    Aug21   0:04  \_ events/0
root        19  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ cpuset
root        20  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ khelper
root        21  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ netns
root        22  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ async/mgr
root        23  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ pm
root        24  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ sync_supers
root        25  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ bdi-default
root        26  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ kintegrityd/0
root        30  0.0  0.0      0     0 ?        S    Aug21   0:07  \_ kblockd/0
root        34  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ kacpid
root        35  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ kacpi_notify
root        36  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ kacpi_hotplug
root        37  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ ata_aux
root        38  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ ata_sff/0
root        42  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ khubd
root        43  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ kseriod
root        44  0.0  0.0      0     0 ?        S    Aug21   0:35  \_ kswapd0
root        45  0.0  0.0      0     0 ?        SN   Aug21   0:00  \_ ksmd
root        46  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ aio/0
root        50  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ crypto/0
root        59  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ scsi_eh_0
root        60  0.0  0.0      0     0 ?        S    Aug21   0:26  \_ scsi_eh_1
root        61  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ scsi_eh_2
root        62  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ scsi_eh_3
root        63  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ scsi_eh_4
root        64  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ scsi_eh_5
root        71  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ kpsmoused
root        72  0.0  0.0      0     0 ?        S    Aug21   0:00  \_ kstriped

From the man page for ps:

   -c    Show different scheduler information for the -l option.

   -f    does full-format listing. This option can be combined with many 
         other UNIX-style options to add additional columns. It also 
         causes the command arguments to be printed. When used with -L, 
         the NLWP (number of threads) and LWP (thread ID) columns will be 
         added. See the c option, the format keyword args, and the format 
         keyword comm.

What is the meaning of ps process names printed in [] such as [cgroup]?

1 Answers1

cmdline's are empty, really?

Getting rid of them?