killall Command: Tutorial & Examples

The original kill-by-name — older, simpler, and far more dangerous than its modern replacement.

What It Is

killall is the Linux command that signals every process matching a given name. You type killall nginx and every nginx process on the box gets a SIGTERM. One command, one name, every match — no PID hunting, no ps aux | grep dance. It's the bluntest of the kill-by-name tools, and on a Linux box from the psmisc package it does exactly what its name says: kill all processes named X.

It is also, famously, the command with the worst name in Unix history. On classic BSD and on Solaris, killall meant something entirely different — and a sysadmin trained on one flavor running it on the other has, more than once, taken a production server straight to the floor. We'll get to that story in History. For now, two practical points: if you've read the pgrep page, killall is the older, less-safe cousin of the pgrep / pkill preview-then-execute pair. And if you've read kill, killall is just sugar on top of the same kill(2) system call — it finds the PIDs for you, then signals them.

Your First Look

The minimal invocation. Stop every running copy of nginx:

killall nginx

No output on success — that's the Unix convention, silence means it worked. Every process named exactly nginx got a SIGTERM (signal 15), the polite "please wrap up and exit" signal. If nothing matched, you get the one diagnostic killall bothers to print:

killall ghostbuster

ghostbuster: no process found

Add -v to actually see what happened — useful when you want a receipt:

killall -v nginx

Killed nginx(2341) with signal 15
Killed nginx(2342) with signal 15
Killed nginx(2343) with signal 15

That's the whole shape of killall: name in, signals out, exit code 0 if it hit at least one process, non-zero if it missed.

How I Use It

Honestly? I mostly don't. I reach for pkill (with pgrep as a preview) for almost every "kill by name" job, because the preview habit saves me from a bad afternoon. But there are three situations where I still type killall without hesitation.

One: I know the exact process name and I want all of them, right now. killall does exact-name matching by default — no substring surprises, unlike pgrep. killall ssh does not match sshd or ssh-agent; it matches only literal ssh. That precision is sometimes exactly what I want, and it's the killer feature this command has over pkill's default substring match.

Two: I'm at the keyboard, the server is mine, and I want one keystroke fewer. killall firefox on my own laptop when the browser wedges is faster than typing pgrep firefox then pkill firefox. For ad-hoc interactive work on a machine where I know exactly what's running, the shorter command wins.

Three: I want killall -w — wait until everything's actually dead. This is the one killall feature pkill doesn't have. killall -w nginx sends SIGTERM and then loops once per second checking /proc until every matched PID is gone. Lovely in a deploy script that needs to be sure the old version is down before starting the new one.

Pro Tip

for anything written into a shell script — anything that will run unattended, ever — reach for pgrep + pkill instead of killall. pgrep -af pattern shows you exactly what would be hit, then swap one letter to pkill to execute. killall has no preview mode and no "show me what you'd do" dry run — by the time you see what it did, you've done it.

The Flags Explained

Every killall flag worth knowing, grouped by what it actually does.

Matching: how the name is compared.

(default) — exact match against the process name as the kernel stores it in /proc/<PID>/stat, truncated to 15 characters (the same kernel limit that bites pgrep users). This is the big difference from pkill, which substring-matches by default.
-e / --exact — require an exact match even when the name is longer than 15 chars. Without -e, killall will happily kill anything matching the first 15 characters of a long name. With -e, those ambiguous matches are skipped. Safety flag for long-named services.
-r / --regexp — treat the name as a POSIX extended regular expression. killall -r '^java.*' matches anything starting with java.
-I / --ignore-case — case-insensitive match.
A name containing / — interpreted as a path; matches only processes executing that exact file on disk. killall /usr/local/bin/mydaemon kills only the one started from that path, ignoring any mydaemon started from elsewhere.

Filtering: narrow the matches further.

-u user / --user user — only kill processes owned by USER. killall -u alice (with no name) sends SIGTERM to every process alice owns — the classic "clean out one user" admin move.
-o time / --older-than — match only processes older than TIME (-o 1h, -o 30m, -o 2d). Great for "kill the long-running stragglers."
-y time / --younger-than — match only those younger than TIME. Catch the runaway you spawned 30 seconds ago without nuking the long-lived siblings.
-n pid / --ns pid — restrict to the PID namespace of the given PID. The container-aware filter for Docker/Kubernetes hosts.
-Z regex / --context regex — match only processes whose SELinux security context matches REGEX. Niche but lifesaving on hardened boxes.

Signal & execution: what to send and how.

-SIGNAL / -s SIGNAL / --signal SIGNAL — send the named signal instead of SIGTERM. killall -HUP nginx to reload config; killall -9 firefox (or -KILL) for the sledgehammer.
-i / --interactive — prompt Y/N before signaling each match. The forgotten safety net — turn it on the first ten times you use killall on a new box and you'll never regret it.
-w / --wait — wait until every matched process is actually gone before returning. Polls once per second. Beware: if the signal was ignored or the process goes zombie, -w waits forever — pair with timeout in scripts.
-g / --process-group — signal the entire process group of each match, not just the individual PID. Useful for shells that spawned children.
-q / --quiet — suppress the "no process found" complaint. The scripting flag.
-v / --verbose — print one line per PID signaled. The receipt.
-l / --list — list every signal name the kernel knows (same as kill -l).

Warning

on classic BSD and on Solaris, killall with no arguments sends a signal to every process the caller owns — for root, that means the entire system. The Linux psmisc version refuses to run without a name, but if you ever land on a non-Linux Unix, check the man page before you type killall. This is the most famous foot-gun in Unix.

Reading It by Example

The five patterns that cover almost everything.

The polite-then-firm escalation — same ladder as kill, but by name:

killall nginx              # SIGTERM, polite
# wait 10 seconds, check with: pgrep nginx
killall -9 nginx           # only if SIGTERM was ignored

Reload a daemon's config without restarting it — works for nginx, apache, postfix, bind, haproxy, and almost every Unix daemon ever shipped:

killall -HUP nginx

The SIGHUP signal is the universal "reread your config" message. On a modern systemd box, systemctl reload nginx is the friendlier wrapper — but it's literally sending the same signal.

Kill everything owned by one user — the cleanup move when a user leaves a runaway pile behind:

killall -u alice -TERM
killall -u alice -KILL     # if anything survives

Notice: no process name. With -u you can omit the name entirely and killall signals every process that user owns. Powerful, occasionally exactly right, and worth respecting.

Kill only the stragglers — anything older than an hour, by name:

killall -o 1h chrome

Lovely for the runaway-build, the leaked browser tab, the process someone left behind on a shared dev box.

Wait until they're really gone — the deploy-script idiom:

killall -w -TERM myapp && systemctl start myapp

-w blocks until every matched PID is actually gone, so the restart starts on a clean machine. Combine with timeout if you're worried about waiting forever:

timeout 30 killall -w -TERM myapp || killall -KILL myapp

Cheat Sheet

The lines worth memorizing:

killall name — SIGTERM every exact-name match. The default move.
killall -9 name — SIGKILL, last resort.
killall -HUP name — tell a daemon to reload its config.
killall -i name — prompt before each kill. Use this when you're not 100% sure.
killall -v name — verbose, prints every PID signaled.
killall -w name — wait until they're all gone before returning.
killall -u user — every process owned by USER (name optional).
killall -o 1h name — only matches older than an hour.
killall -r '^java' — regex match instead of exact name.
killall -e long-daemon-name — exact even for >15-char names, no truncation gambling.

How You'll Actually Use It

Three contexts. Interactive cleanup on your own machine: killall firefox, killall code, killall slack when a desktop app wedges and you don't care about its state. Fast, exact, done. Ad-hoc admin on a server you own: a runaway worker pool with a known name, a stuck build process, a forgotten test daemon — when you can name it and you want all of them gone, killall -v name is honest and quick. Deploy scripts that need -w: the "stop the old version, then start the new one" pattern where you need to be sure the old processes are gone, not just signaled.

For everything else — scripts, cron jobs, anything that runs unattended, anything where you want to see what you'd hit before you hit it — reach for pgrep + pkill instead. And for managing a known service on a systemd box, the right tool is systemctl restart / systemctl reload / systemctl stop — they handle the cgroup, the escalation timeouts, and the child processes for you.

Gotchas

The 15-character truncation bites here too. The kernel only stores the first 15 chars of a process name in /proc/<PID>/stat, so killall my-long-daemon-name is matching against my-long-daemon- and may hit unintended siblings. Use -e to skip ambiguous long names, or pkill -f to match the full command line.
Default is exact match, not substring. killall ssh does not kill sshd — that's a feature, not a bug, and it's why killall is sometimes safer than pkill ssh. But it surprises people coming from pkill.
No preview mode. Unlike pkill (which has pgrep as its preview sibling), killall has no built-in dry-run. The closest you get is -i for interactive confirmation. To preview, run pgrep -af exact-name first.
killall -w can wait forever. If the process blocks or ignores the signal, or becomes a zombie, -w polls forever. Always wrap with timeout in scripts.
You can only signal what you own. As a mortal user, killall nginx won't touch nginx workers running as the www-data user. You'll need sudo (or be root) for system daemons.
PIDs get reused, names get reused, race conditions exist. Between the moment killall reads /proc and the moment it sends a signal, a PID could die and be reassigned to something else. The window is tiny but real. For high-stakes targeting, prefer kill PID on a freshly-checked PID.
Don't run it on a non-Linux Unix without checking the man page. See History — this command has the worst cross-Unix compatibility story in the toolbox.

History & Philosophy

Here's the magic — and it's a cautionary tale.

On the original BSD Unix, and on AT&T Solaris, killall did exactly what its name says: send a signal to every process the caller can signal. As root, that meant every process on the entire system. It existed as part of the shutdown sequence — the operating system would invoke killall while bringing the box down, to clear out user processes before unmounting the disks. The Solaris man page literally read: "send a signal to all active processes." That was the design.

Then Linux came along, and the psmisc project shipped a killall that did something completely different: kill processes by name match. Different command, same word, opposite semantics. And so was born one of the most famous foot-guns in Unix lore: a Linux sysadmin, trained to type killall apache, ssh-es into a Solaris box one afternoon, fingers go on autopilot, types killall to kill the runaway — forgets the argument — hits enter. As root. The Solaris box obediently signals every process on the machine, takes itself down to single-user mode mid-day, and the sysadmin gets a very memorable phone call. This happened. More than once. It is in Unix graybeard folklore for a reason.

The Linux psmisc killall is the safe one — refuses to run without a name, scopes itself to one process name at a time, never tries to signal the world. But the name collision lives on, which is why POSIX deliberately chose pkill as the standardized name-based killer in 1996 (originally from Solaris) — a fresh word with no historical landmine. If you ever wondered why we have both killall and pkill doing the same job on Linux, this is your answer: pkill is the modern, cross-Unix-safe replacement; killall is the original, beloved on Linux, kept around for the muscle memory of two generations of sysadmins.

The deeper philosophy is the same one running through top, ps, and pgrep: killall doesn't do anything you couldn't do yourself. It walks /proc, reads the name out of each /proc/<PID>/stat, matches, then calls the kill(2) system call on each hit. The whole "kill by name" feature is twenty lines of shell over a /proc walk. But having it as a one-keystroke command with -w, -u, -o, and -i baked in is what makes it useful — and the cautionary history is what makes it interesting.