Poking at /proc: A Weekend in Linux Internals

Lorem ipsum dolor sit amet, consectetur adipiscing elit. It started on a Saturday morning with a cup of coffee and a burning question: what is my system actually doing right now? Not at the top level of abstraction — at the kernel level. Where do processes live? How does the OS track open files? Where does memory accounting happen?

The answer, on Linux, is almost always the same: /proc.

$ ls /proc/
1    42   1337  buddyinfo  cpuinfo  filesystems  interrupts
kcore  meminfo  mounts  net  self  stat  uptime  version ...

What Even Is /proc?

Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. The /proc filesystem is not a real filesystem on disk. It's a virtual filesystem, synthesized by the kernel on the fly. When you cat /proc/meminfo, the kernel generates that text from internal data structures in real time. Nothing is stored anywhere. It evaporates the moment you stop reading.

"Everything is a file" is a Unix cliché, but /proc takes it further: everything is a file generated on demand by the kernel itself.

Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Each numeric directory under /proc corresponds to a running process, named by its PID.

Spelunking a Process

Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Let's pick a random process and see what we can learn.

# Pick the PID of your shell
PID=$$

ls /proc/$PID/
# cmdline  cwd  environ  exe  fd  maps  mem  
# net  ns  smaps  stat  status  ...

cmdline — What Is This Process?

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. The cmdline file holds the command line used to start the process, with arguments separated by null bytes. A quick trick to read it human-legibly:

$ tr '\0' ' ' < /proc/$PID/cmdline
bash

maps — Memory Layout

Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium. This is where it gets interesting. The maps file shows every memory region mapped into the process's virtual address space:

$ cat /proc/$PID/maps
55a1b2c3d000-55a1b2c3e000 r--p 00000000 fd:01 123456  /usr/bin/bash
55a1b2c3e000-55a1b2d1a000 r-xp 00001000 fd:01 123456  /usr/bin/bash
...
7ffd3b200000-7ffd3b221000 rwxp 00000000 00:00 0        [stack]
7ffd3b3d5000-7ffd3b3d9000 r--p 00000000 00:00 0        [vvar]
7ffd3b3d9000-7ffd3b3db000 r-xp 00000000 00:00 0        [vdso]

Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit. Each line is: address range, permissions (read/write/execute/private or shared), file offset, device, inode, and path. You can see the ELF text segment, the heap, shared libraries, and the stack right there in plain text.

fd — Open File Descriptors

At vero eos et accusamus et iusto odio dignissimos ducimus qui blanditiis praesentium. The fd directory contains symbolic links for each open file descriptor. Want to know what files a process has open? Easy:

$ ls -la /proc/$PID/fd
lrwxrwxrwx 1 user user 64 Apr 22 08:31 0 -> /dev/pts/0
lrwxrwxrwx 1 user user 64 Apr 22 08:31 1 -> /dev/pts/0
lrwxrwxrwx 1 user user 64 Apr 22 08:31 2 -> /dev/pts/0
lrwxrwxrwx 1 user user 64 Apr 22 08:31 255 -> /dev/pts/0

That shell has stdin (0), stdout (1), and stderr (2) all pointing to the same terminal. Exactly what you'd expect.

System-Wide Files

Temporibus autem quibusdam et aut officiis debitis aut rerum necessitatibus saepe eveniet. Beyond the per-process directories, /proc has system-wide files that expose hardware and kernel state:

• /proc/cpuinfo — CPU model, flags, cache sizes
• /proc/meminfo — memory stats (MemTotal, MemFree, Buffers, Cached…)
• /proc/net/tcp — active TCP connections in hex
• /proc/loadavg — 1/5/15-minute load averages
• /proc/sys/ — kernel tunables you can read and write

Tuning the Kernel Live

Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. The /proc/sys subtree is writable (as root). This is how sysctl works under the hood — it's just reading and writing files under /proc/sys:

# Check current max open files
cat /proc/sys/fs/file-max

# Bump it temporarily (survives until reboot)
echo 2000000 > /proc/sys/fs/file-max

# The sysctl way (same effect)
sysctl -w fs.file-max=2000000

Closing Thoughts

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. The /proc filesystem is one of those things that, once you really understand it, permanently changes how you debug. Before reaching for a heavyweight profiler or a vendor monitoring agent, try cat /proc/<pid>/status. The answer is probably already there, free, no binary to install.

Next time: /sys, the younger sibling of /proc that the kernel devs actually like.