Mapping between host & container PIDs ?

Serge Hallyn serge.hallyn at canonical.com
Tue Nov 27 13:36:09 UTC 2012


Quoting Daniel P. Berrange (berrange at redhat.com):
> I'm trying to find out if there is a way to map between host and container
> PIDs, at minimum in the host -> container direction. My use case is to be
> able to kill processes associated with a container, based on the host PID,
> in a race free manner.
> 
> Given a host PID, I can read the 'tasks' file for the container's cgroup
> to verify that the PID is associated with the container in question. Then
> I can kill the PID with a signal. There is a small race condition in there,
> where the PID could die & a new process could be born using the original
> PID. Now this might not be very likely but I was thinking that if it is
> possible to map from a host PID to a container PID, you can do it more
> safely. eg Lookup the container PID associated with the host PID, then
> setns() into the container and kill the container PID. Now although there
> is still a race condition, you are guaranteed that if the race hits you'll
> only kill a process within the same container, not the host at large,
> which is good when the user invoking the API is unprivileged.

I'm afraid I don't know of any way to do that.  At some point a new
/proc/self/pids or somesuch file was suggested to get that info.

However, for your use case, what about freezing the container, checking
again that the task exists and is in the container, killing it, then
unfreezing it?

(You also should be able to look at /proc/$pid/cgroups as a perhaps
faster way to verify its container, as opposed to searching
/sys/fs/cgroups/freezer/libvirt/lxc/$container/tasks;  then again it's
more complicated to parse which might offset the searching time in most
cases...)

-serge
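The freeze / re-check / kill / thaw sequence Serge suggests, written out as an added example (not code from this thread, nor libvirt's or LXC's own). It assumes the cgroup v1 freezer controller mounted at /sys/fs/cgroup/freezer (cgroup v2 uses a cgroup.freeze file instead and is not handled here), reads the per-process /proc/<pid>/cgroup file to confirm membership, and keeps both the /proc root and the freezer root as parameters so the same code can run against a constructed scratch tree. The container path /libvirt/lxc/guest1, the PIDs and the file contents in build_scratch are made up for the demonstration.

```python
import os
import signal
import tempfile
import time
from pathlib import Path


def parse_proc_cgroup(text):
    """Map controller name -> cgroup path from /proc/<pid>/cgroup content.

    Each line is '<hierarchy-id>:<controllers>:<path>'; several controllers
    may be co-mounted ('cpu,cpuacct'), and cgroup v2's unified line has an
    empty controller field, which is stored under the key ''.
    """
    mapping = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        _, controllers, path = parts
        for ctrl in controllers.split(","):
            mapping[ctrl] = path
    return mapping


def pid_in_container(pid, container_cgroup, proc_root="/proc"):
    """True if the PID's freezer cgroup is container_cgroup or nested below it."""
    try:
        text = Path(proc_root, str(pid), "cgroup").read_text()
    except FileNotFoundError:       # PID already gone
        return False
    path = parse_proc_cgroup(text).get("freezer")
    if path is None:
        return False
    base = container_cgroup.rstrip("/")
    return path == base or path.startswith(base + "/")


class FreezerCgroup:
    """Minimal driver for a cgroup v1 freezer directory (its freezer.state file)."""

    def __init__(self, cgroup_dir):
        self.state = Path(cgroup_dir, "freezer.state")

    def freeze(self, timeout=5.0):
        self.state.write_text("FROZEN")
        # The kernel reports FREEZING until every task is actually stopped.
        deadline = time.monotonic() + timeout
        while self.state.read_text().strip() != "FROZEN":
            if time.monotonic() > deadline:
                self.thaw()
                raise TimeoutError("container did not freeze in time")
            time.sleep(0.01)

    def thaw(self):
        self.state.write_text("THAWED")


def kill_in_container(pid, container_cgroup, freezer_root="/sys/fs/cgroup/freezer",
                      proc_root="/proc", sig=signal.SIGKILL, kill=os.kill):
    """Freeze, re-verify, signal, thaw.  Returns True if a signal was sent.

    While the container is frozen none of its tasks can exit, so a PID that
    passes the membership check cannot be recycled before the signal is sent.
    A PID that died before the freeze either no longer exists or now belongs
    to a process outside the container; both cases fail the check.
    """
    cg = FreezerCgroup(Path(freezer_root, container_cgroup.lstrip("/")))
    cg.freeze()
    try:
        if not pid_in_container(pid, container_cgroup, proc_root):
            return False
        kill(pid, sig)          # queued against a frozen task; takes effect on thaw
        return True
    finally:
        cg.thaw()


def build_scratch(root):
    """Constructed stand-in for /proc and the freezer hierarchy (not real data)."""
    guest = "/libvirt/lxc/guest1"
    fz_dir = Path(root, "freezer", guest.lstrip("/"))
    fz_dir.mkdir(parents=True)
    (fz_dir / "freezer.state").write_text("THAWED")
    procs = {
        4242: f"3:freezer:{guest}\n2:cpu,cpuacct:{guest}\n1:name=systemd:/\n",      # task in guest1
        4243: "3:freezer:/libvirt/lxc/guest2\n2:cpu,cpuacct:/libvirt/lxc/guest2\n",  # other container
        4244: "3:freezer:/\n2:cpu,cpuacct:/user.slice\n",                           # host task
    }
    for pid, text in procs.items():
        d = Path(root, "proc", str(pid))
        d.mkdir(parents=True)
        (d / "cgroup").write_text(text)
    return guest


def demo():
    """Run the sequence against the scratch tree; return outcomes and PIDs signalled."""
    root = tempfile.mkdtemp()
    guest = build_scratch(root)
    sent = []
    fake_kill = lambda pid, sig: sent.append(pid)   # record instead of signalling
    results = {pid: kill_in_container(pid, guest, Path(root, "freezer"),
                                      Path(root, "proc"), kill=fake_kill)
               for pid in (4242, 4243, 4244, 9999)}
    return results, sent


if __name__ == "__main__":
    print(demo())
```

Only the PID whose freezer cgroup lies under the container's path is signalled; a task in another container, a host task, and a PID that no longer exists are all refused after the freeze. On a real system the caller needs write access to the container's freezer.state, and the thaw in the finally block matters: a container left frozen by an exception is a denial of service of your own making.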

