How to find source of spawning process?

There are a number of possibilities (some mentioned in other answers):

  1. A system or user cronjob executing often,
  2. In SysV init, an /etc/inittab entry for the service with the respawn directive,
  3. In systemd, a unit file with the Restart option set to a value other than no,
  4. In Upstart, a service configuration file with the respawn directive,
  5. A process monitoring tool such as monit, or
  6. An ad-hoc watchdog process for that particular service.

An interesting new (Linux-only) tool that could provide more insight into where the process is being started is sysdig.

Sysdig uses the Linux kernel's tracepoint features to provide what amounts to a fast, system-wide strace.

For example, if I wanted to see every process starting ls, I can issue:

sudo sysdig evt.type=execve and evt.arg.exe=ls

When ls is run somewhere, I will get a message like this:

245490 16:53:54.090856066 3 ls (10053) < execve res=0 exe=ls args=--color=auto. tid=10053(ls) pid=10053(ls) ptid=9204(bash) cwd=/home/steved fdlimit=1024 pgft_maj=0 pgft_min=37 vm_size=412 vm_rss=4 vm_swap=0 env=...

I truncated the environment information returned, but as you can see, in the ptid I can see the name and pid of the program calling execve. execve is the system call used in Linux to execute new commands (all other exec calls are just frontends to execve).
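Added example, not part of the answer above: when the mystery process keeps coming back, counting captured execve events per ptid shows which parent is doing the respawning. The function names, the sample pids and the parent name `supervise` are constructed for illustration; the line layout is assumed to match the sysdig output quoted above.

```shell
#!/bin/sh
# Added example: count sysdig execve events per parent (ptid) to spot a respawner.

# Constructed sample events in the shape of the sysdig line quoted above.
# Pids, names and timestamps are made up; env is elided as in the answer.
sample_events() {
cat <<'EOF'
101 16:53:54.090856066 3 java (10053) < execve res=0 exe=java args=-jar.app.jar. tid=10053(java) pid=10053(java) ptid=812(supervise) cwd=/srv/app fdlimit=1024 env=...
187 16:54:24.104417310 1 java (10102) < execve res=0 exe=java args=-jar.app.jar. tid=10102(java) pid=10102(java) ptid=812(supervise) cwd=/srv/app fdlimit=1024 env=...
230 16:54:31.551200871 2 java (10140) < execve res=0 exe=java args=-version. tid=10140(java) pid=10140(java) ptid=9204(bash) cwd=/home/steved fdlimit=1024 env=...
274 16:54:54.118002945 3 java (10171) < execve res=0 exe=java args=-jar.app.jar. tid=10171(java) pid=10171(java) ptid=812(supervise) cwd=/srv/app fdlimit=1024 env=...
EOF
}

# Read sysdig lines on stdin and print "<count> <parent-pid> <parent-name>",
# busiest parent first. Only execve exit events ("<") carry the ptid field.
# Assumes the first " ptid=<pid>(<name>)" on the line is the real field,
# which holds for the layout above because args are joined with dots.
spawn_parents() {
    awk '
    / < execve / && match($0, / ptid=[0-9]+\([^)]*\)/) {
        f = substr($0, RSTART + 6, RLENGTH - 7)   # e.g. "812(supervise"
        pid = f;  sub(/\(.*/, "", pid)             # keep the digits
        name = f; sub(/^[0-9]+\(/, "", name)       # keep the name
        count[pid " " name]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demo on the constructed sample. For real use, save sysdig output to a file
# for a few respawn cycles, then run: spawn_parents < capture.txt
sample_events | spawn_parents
```

A parent that dominates the count is the thing to look up next in cron, init or the monitoring tool's configuration.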


I believe you could use pstree. You could specify the command as,

pstree -p PID

The above will give you a list of all parents of the Java applications.


You could have a look at its PPID (parent process ID):

$ ps -eo pid,ppid,args | grep java

Once you've got the PPID (second column) of your Java process, use ps again to find the associated process:

$ ps -p [PPID]

Edit: if the parent is 1 (init), then the first parent of your Java process died right after "giving birth" (how sad). Because of that, you can't use the current process hierarchy to find it. The first thing I would recommend you to do is to check ps -ef. You might find the culprit just by reading the output.

Then, have a look at crontabs (you did it already, but it won't hurt):

$ for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l; done

This will require root privileges.

Still can't see a Java process scheduled? Dang it. Let's try something else. If your Java process has been present since boot, have a look at programs scheduled at boot time. I would suggest something like...

$ grep -iR java /etc/rc*

If you still can't find anything then... Well I admit I'm running out of ideas. You should really have another look at ps -ef, and locate processes associated with Java-based programs. You should come across a daemon, or a "launcher", responsible for the constant respawning of your Java process.
