Episode 105 — Memory pressure: swapping, OOM, killed processes, memory leaks
In Episode One Hundred and Five, we focus our attention on the critical and often misunderstood realm of system memory management, specifically looking at how to understand memory stress so that sudden crashes stop being mysterious events. As a seasoned educator in the cybersecurity field, I have observed that many administrators feel helpless when a critical process is suddenly terminated by the kernel with no apparent warning. To maintain a professional-grade infrastructure, you must be able to determine if your system is experiencing a temporary resource spike, a long-term architectural deficiency, or a silent failure within the application code itself. If you do not understand the technical relationship between physical memory, the swap subsystem, and the kernel's defensive mechanisms, you will struggle to keep high-demand services online. Today, we will break down the mechanics of the Out-of-Memory Killer and the lifecycle of a memory page to provide you with a structured framework for achieving absolute system stability.
Before we continue, a quick note: this audio course is a companion to our Linux Plus books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
To establish a professional foundation for your troubleshooting, you must first learn to recognize swapping as the process of moving memory pages to the physical disk to free up space for active tasks. Swapping is a vital safety valve that allows the operating system to continue functioning even when the demand for memory exceeds the physical capacity of the installed Random Access Memory modules. You should visualize this as the kernel "borrowing" space from your hard drive or solid-state drive to act as a secondary, albeit much slower, memory pool. A seasoned educator will remind you that while swapping prevents an immediate crash, it introduces a significant performance penalty because the speed of a disk is orders of magnitude slower than that of actual silicon memory. Recognizing that the system has begun to rely on this secondary storage is the foundational step in moving from a stable state to an active resource investigation.
You must treat heavy swapping as a major performance killer and a critical warning sign that your system is reaching the limit of its operational capacity. When a server enters a state of "thrashing," it spends more time moving pages back and forth between the disk and the memory than it does actually executing application code. You might notice that the system becomes incredibly sluggish, with high input and output wait times and a load average that spikes even though the processor is largely idle. A cybersecurity professional treats excessive swap usage as a signal that the service-level agreement is in jeopardy and that immediate intervention is required to prevent a total collapse. Mastering the identification of this "slow-motion failure" ensures that you can take corrective action, such as migrating workloads or adding resources, before the system reaches its breaking point.
One of the most dramatic events in Linux administration is when you must understand the Out-of-Memory Killer, a kernel mechanism that ends processes when physical memory and swap are completely exhausted. The kernel maintains an internal scoring system that identifies which processes are consuming the most memory and which ones are least critical to the system's survival. When the pressure becomes unbearable, the kernel will "sacrifice" a process—often the largest consumer—to free up enough space to keep the core operating system alive. You should visualize the Out-of-Memory Killer as an emergency triage officer who must make the difficult choice to terminate one task to save the entire server. A seasoned educator will tell you that this is the final line of defense; if the kernel reaches this stage, it means all other memory management strategies have failed.
To confirm that an Out-of-Memory event has occurred, you must recognize the specific logs that show killed processes and provide evidence of the memory shortage. When a process is terminated by this mechanism, the kernel writes a detailed report to the system logs, including a "dump" of the memory state and the specific process ID that was selected for termination. You should look for phrases like "Out of memory: Kill process" or "sacrificial lamb" in your kernel ring buffer and systemd journal to confirm the technical cause of the disappearance. A professional administrator treats these log entries as a forensic trail that reveals exactly which service was the primary offender and how close the system was to a total hang. Without this log-based evidence, you are merely guessing why a service has vanished from your process list.
Another essential diagnostic skill is the ability to identify memory leaks by observing a steady, uninterrupted growth in memory consumption without any corresponding release. A memory leak occurs when a program allocates memory to perform a task but fails to return that memory to the pool once the task is complete. You will notice that the memory usage of a specific process climbs slowly over days or weeks, never returning to its baseline, until it eventually triggers the swap or kills we have discussed. You should use long-term monitoring and trend analysis to spot these "quiet" failures that are often invisible during a short-term check. A cybersecurity expert knows that a leak is often a sign of poor code quality or a potential vulnerability that could be exploited to cause a denial-of-service attack.
To avoid false positives, you must be able to differentiate between legitimate cache growth and an actual memory leak, while understanding the kernel's reclaim behavior. It is a common mistake for novice administrators to see "zero bytes free" and panic, not realizing that Linux intentionally uses all available memory to cache disk blocks for improved performance. This "buffering" is completely healthy, as the kernel will immediately reclaim and repurpose this space the moment an application actually needs it for active computation. You should look at the "available" memory column in your reporting tools, rather than the "free" column, to see the true amount of resources that can be used. A seasoned educator will remind you that "unused RAM is wasted RAM"; understanding this distinction prevents you from over-provisioning your hardware based on a misunderstanding of how the kernel manages its assets.
You must also consider the impact of container limits and control groups, which can cause unexpected process kills even when the host system appears to have plenty of memory. Modern virtualization and container technologies use control groups to set a "hard limit" on how much memory a specific set of processes can consume. If a container exceeds its allocated limit, the kernel will trigger an Out-of-Memory event specifically for that group, terminating the offending container even if sixty-four gigabytes of RAM are sitting idle on the host. You should be prepared to audit these configuration limits in your container orchestration tools to ensure they match the actual requirements of the workload. Recognizing these "logical boundaries" is essential for troubleshooting in modern, high-density cloud environments where resource isolation is strictly enforced.
Let us practice a recovery scenario where a critical application dies every night at two o'clock in the morning, and you must decide if it is a memory leak or a workload spike. Your first move should be to examine the system logs around the time of the failure to see if the Out-of-Memory Killer was triggered. Second, you would look at the long-term usage trends for that specific process; if the usage grows slowly all day, you have a leak. Third, if the usage is flat but spikes suddenly at two o'clock, you should look for a scheduled job or a backup routine that is overwhelming the system's capacity. This methodical "leak-versus-spike" investigation is how you find the real cause with professional authority. It ensures that you do not spend weeks refactoring code when the real problem is just a misconfigured cron job.
A vital technical rule for any professional administrator is to reduce memory pressure by tuning services, adding physical memory, or reducing the overall load, rather than simply killing processes blindly. If a database is consuming too much memory, you should look at its internal buffer and cache settings to see if they can be optimized for the available hardware. You might also consider moving non-essential services to a different server to reduce the competition for resources on the primary node. A cybersecurity professional treats "resource tuning" as a strategic activity that balances performance with stability. Maintaining this "optimization" mindset ensures that your systems remain reliable without the need for constant manual intervention or emergency reboots.
You should also strictly avoid disabling swap as a permanent fix without deeply understanding the stability implications for the system. Some administrators believe that turning off swap will improve performance by forcing the kernel to keep everything in RAM, but this actually makes the system much more fragile. Without a swap area, the kernel has no "buffer" for temporary spikes, meaning it will trigger the Out-of-Memory Killer much sooner and much more aggressively. You should instead focus on setting the "swappiness" value to a level that tells the kernel how much you want it to prefer physical memory over the disk. A seasoned educator will tell you that "swap is your safety net"; by keeping it active, you provide the system with the flexibility it needs to survive unexpected resource demands.
To help you remember these complex memory concepts during a high-pressure incident, you should use a simple memory hook: swap slows, the Out-of-Memory Killer kills, and leaks grow quietly. Swapping is a performance issue that indicates you are running out of room; the Out-of-Memory Killer is a survival mechanism that terminates work to save the host; and memory leaks are slow-moving threats that eventually trigger the first two. By keeping this "severity-based" lifecycle distinction in mind, you can quickly categorize any memory issue and reach for the correct technical tool to solve it. This mental model is a powerful way to organize your technical knowledge and ensure you are always managing the right part of the memory stack. It provides a roadmap that prevents you from getting lost in the "caches" while the "killer" is active.
For a quick mini review of this episode, can you state two primary technical signs that a system is under extreme memory pressure? You should recall that "active swap usage" accompanied by high input and output wait times, and "Out-of-Memory termination messages" in the system logs, are the two most definitive indicators of a crisis. Each of these signals represents a different stage of the system's struggle to manage its limited resources, and knowing them by heart is essential for fast and accurate triage in the field. By internalizing these "memory gates," you are preparing yourself for the real-world engineering and leadership tasks that define a technical expert. Understanding the "why" behind the killed process is what allows you to lead a successful remediation effort.
As we reach the conclusion of Episode One Hundred and Five, I want you to describe your first check aloud after you discover that an Out-of-Memory event has occurred on a production server. Your first step should be to identify exactly which process was killed and which process was the largest consumer at the time of the event by reviewing the kernel logs. Second, you would audit the current "available" memory and swap usage to see if the system is still in danger or if the kill successfully relieved the pressure. Finally, you should review the long-term monitoring data to determine if the event was caused by a gradual leak or a sudden, temporary workload spike. By verbalizing your strategic choice, you are demonstrating the professional integrity and the technical mindset required for the certification and a successful career in cybersecurity.
