Mapping between host & container PIDs ?

Eric W. Biederman ebiederm at xmission.com
Tue Nov 27 13:50:35 UTC 2012


Serge Hallyn <serge.hallyn at canonical.com> writes:

> Quoting Daniel P. Berrange (berrange at redhat.com):
>> I'm trying to find out if there is a way to map between host and container
>> PIDs, at minimum in the host -> container direction. My use case is to be
>> able to kill processes associated with a container, based on the host PID,
>> in a race free manner.
>> 
>> Given a host PID, I can read the 'tasks' file for the container's cgroup
>> to verify that the PID is associated with the container in question. Then
>> I can kill the PID with a signal. There is a small race condition in there,
>> where the PID could die & a new process could be born using the original
>> PID. Now this might not be very likely but I was thinking that if it is
>> possible to map from a host PID to a container PID, you can do it more
>> safely. eg Lookup the container PID associated with the host PID, then
>> setns() into the container and kill the container PID. Now although there
>> is still a race condition, you are guaranteed that if the race hits you'll
>> only kill a process within the same container, not the host at large,
>> which is good when the user invoking the API is unprivileged.
>
> I'm afraid I don't know of any way to do that.  At some point a new
> /proc/self/pids or somesuch file was suggested to get that info.

I do wonder how the checkpoint/restart folks are getting that
information.

If you have the appropriate privileges you can use a unix domain socket.

Eric
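
The unix-domain-socket approach Eric mentions relies on the kernel translating the pid in an SCM_CREDENTIALS record into the receiver's pid namespace. The following is an added example, not code from this thread or from any container project: a sender puts a pid into SCM_CREDENTIALS, a receiver with SO_PASSCRED reads it back, and the kernel reports that pid as the receiver's namespace sees it (0 if it is not visible there). The function names, the local struct mirroring struct ucred, and the single-namespace round trip are this example's own assumptions; without CAP_SYS_ADMIN the sender may only name its own pid, which is why the demo forks a child that sends its own. A privileged host-side helper could instead name any host pid and let a receiver inside the container read the container-local number.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux ABI value; glibc exposes it only under _GNU_SOURCE */
#endif

/* Same layout as Linux `struct ucred`; declared locally so the example does
 * not depend on feature-test macro ordering. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Send one byte with an SCM_CREDENTIALS record whose pid field is `pid`.
 * The kernel rejects a pid other than the caller's own unless the caller
 * has CAP_SYS_ADMIN. */
static int send_pid_cred(int sock, pid_t pid)
{
    char byte = 'p';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { char buf[CMSG_SPACE(sizeof(struct peer_cred))]; struct cmsghdr align; } u;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct peer_cred cred = { .pid = pid, .uid = getuid(), .gid = getgid() };

    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_CREDENTIALS;
    cmsg->cmsg_len = CMSG_LEN(sizeof cred);
    memcpy(CMSG_DATA(cmsg), &cred, sizeof cred);

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one message and pull out the SCM_CREDENTIALS record the kernel
 * attaches (SO_PASSCRED must already be enabled on `sock`).  The pid is
 * expressed in the receiver's pid namespace, or 0 if not visible there. */
static int recv_pid_cred(int sock, struct peer_cred *out)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { char buf[CMSG_SPACE(sizeof(struct peer_cred))]; struct cmsghdr align; } u;
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    if (recvmsg(sock, &msg, 0) < 0)
        return -1;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(cmsg), sizeof *out);
            return 0;
        }
    }
    errno = ENOMSG;
    return -1;
}

/* Single-namespace round trip: a forked child sends its own pid, the parent
 * receives it and returns 1 if the kernel-delivered pid equals the pid that
 * fork() returned.  With the receiver inside a container's pid namespace the
 * same path would yield the container-local pid instead. */
int demo_roundtrip(void)
{
    int sv[2], one = 1, status;
    struct peer_cred cred;
    pid_t child;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (setsockopt(sv[0], SOL_SOCKET, SO_PASSCRED, &one, sizeof one) < 0)
        return -1;

    child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        close(sv[0]);
        _exit(send_pid_cred(sv[1], getpid()) == 0 ? 0 : 1);
    }
    close(sv[1]);
    if (recv_pid_cred(sv[0], &cred) < 0)
        return -1;
    close(sv[0]);
    waitpid(child, &status, 0);
    return cred.pid == child ? 1 : 0;
}

int main(void)
{
    int r = demo_roundtrip();
    printf("credential pid matches fork() pid: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

Note that this addresses the lookup only; the kill still has to be issued by a process in the container's pid namespace, and SO_PASSCRED must be set on the receiving socket before the message is received or no credentials record is produced.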

