From: Matt Helsley <matthltc-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Linux Containers <containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Subject: Re: Mapping between host & container PIDs ?
Date: Thu, 29 Nov 2012 16:43:06 -0800
Message-ID: <20121130004306.GA29657@us.ibm.com>
In-Reply-To: <87vccrm9xw.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
On Tue, Nov 27, 2012 at 07:50:35AM -0600, Eric W. Biederman wrote:
> Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org> writes:
>
> > Quoting Daniel P. Berrange (berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> >> I'm trying to find out if there is a way to map between host and container
> >> PIDs, at minimum in the host -> container direction. My use case is to be
> >> able to kill processes associated with a container, based on the host PID,
> >> in a race free manner.
> >>
> >> Given a host PID, I can read the 'tasks' file for the container's cgroup
> >> to verify that the PID is associated with the container in question. Then
> >> I can kill the PID with a signal. There is a small race condition in there,
> >> where the PID could die & a new process could be born using the original
> >> PID. Now this might not be very likely but I was thinking that if it is
> >> possible to map from a host PID to a container PID, you can do it more
> >> safely. e.g. Lookup the container PID associated with the host PID, then
> >> setns() into the container and kill the container PID. Now although there
> >> is still a race condition, you are guaranteed that if the race hits you'll
> >> only kill a process within the same container, not the host at large,
> >> which is good when the user invoking the API is unprivileged.
> >
> > I'm afraid I don't know of any way to do that. At some point a new
> > /proc/self/pids or somesuch file was suggested to get that info.
>
> I do wonder how the checkpoint/restart folks are getting that
> information.
Perhaps via the parasite thread? I guess they just inject code that does
getpid(), and, because we know which process they ptrace'd on the host
side, they know the mapping in both pid namespaces.
Cheers,
-Matt Helsley
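Added example, not code from this thread or from any of its participants: a C program that does what Daniel describes, written against two kernel interfaces that did not exist when the thread was posted. The NSpid: line of /proc/<pid>/status (Linux 4.1 and later) lists a task's PID at every pid-namespace level, from the reader's view inwards, which is the host-to-container mapping Serge says had no interface at the time. pidfd_open(2) and pidfd_send_signal(2) (Linux 5.3 and later) bind the signal to one process instance rather than to a reusable number, which removes the race Daniel is working around, so the setns() step is no longer needed to keep a stray signal inside the container. The membership check is the one from his first paragraph, read from /proc/<pid>/cgroup instead of the cgroup's tasks file so that it goes through the same /proc/<pid> directory as the status file. Function names, the error-code choices and the sample status and cgroup text in the usage note are my own constructions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Fallbacks for C libraries whose headers predate these syscalls (same number on all archs). */
#ifndef __NR_pidfd_send_signal
#define __NR_pidfd_send_signal 424
#endif
#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434
#endif

/* Innermost (container) PID from the "NSpid:" line of a /proc/<pid>/status buffer, which
 * lists the task's PID at every pid-namespace level from the reader's (host) view inwards.
 * Returns -1 if the line is absent or the task is not in a child namespace. The match is
 * anchored to a line start so a process whose comm is "NSpid:..." cannot spoof it. */
static pid_t nspid_innermost(const char *status)
{
    const char *l = strncmp(status, "NSpid:", 6) == 0 ? status : strstr(status, "\nNSpid:");
    if (!l) return -1;
    const char *p = l + (*l == '\n' ? 7 : 6);
    pid_t last = -1; int n = 0;
    for (;;) {
        while (*p == ' ' || *p == '\t') p++;          /* never skip past the end of the line */
        if (*p == '\n' || *p == '\0') break;
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p) break;
        last = (pid_t)v; n++;
        p = end;
    }
    return n >= 2 ? last : -1;
}

/* True if a /proc/<pid>/cgroup line ("N:ctrl:/path" for v1, "0::/path" for v2) places the
 * task at `path` or below it; "/lxc/web" must not match "/lxc/webmail". */
static int cgroup_contains(const char *cgroup, const char *path)
{
    size_t plen = strlen(path);
    const char *line = cgroup, *eol;
    for (; line && *line; line = eol ? eol + 1 : NULL) {
        eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *cg = memchr(line, ':', len);                              /* past the id */
        cg = cg ? memchr(cg + 1, ':', len - (size_t)(cg + 1 - line)) : NULL;  /* past controllers */
        if (!cg) continue; cg++;
        size_t cglen = (size_t)(line + len - cg);
        if (cglen >= plen && strncmp(cg, path, plen) == 0 && (cglen == plen || cg[plen] == '/'))
            return 1;
    }
    return 0;
}

/* Signal host_pid only if it is in the container's cgroup; a pidfd closes the PID-reuse
 * race. Returns the PID as seen inside the container, or -1 with errno set. */
static pid_t kill_in_container(pid_t host_pid, const char *cgroup_path, int sig)
{
    char path[64], bufs[2][4096];
    const char *names[2] = { "status", "cgroup" };
    struct pollfd pfd = { .events = POLLIN };
    pid_t cpid = -1;
    int dirfd = -1, rc = -1, saved;
    int pidfd = (int)syscall(__NR_pidfd_open, host_pid, 0);   /* 1. pin this process instance */
    if (pidfd < 0) return -1;
    snprintf(path, sizeof path, "/proc/%d", (int)host_pid);   /* 2. read through /proc/<pid> */
    if ((dirfd = open(path, O_RDONLY | O_DIRECTORY)) < 0) goto out;
    for (int i = 0; i < 2; i++) {
        int fd = openat(dirfd, names[i], O_RDONLY);
        ssize_t n = fd < 0 ? -1 : read(fd, bufs[i], sizeof bufs[i] - 1);
        if (fd >= 0) close(fd);
        if (n < 0) goto out;
        bufs[i][n] = '\0';
    }
    /* 3. A readable pidfd means the process exited, so the number may have been recycled
     *    between 1 and 2; a PID cannot be reused before its owner exits, so if the pidfd is
     *    still quiet here, everything read in step 2 belonged to the pinned process. */
    pfd.fd = pidfd;
    if (poll(&pfd, 1, 0) != 0) { errno = ESRCH; goto out; }
    /* 4. Policy checks; 5. deliver via the pidfd: ESRCH if it is gone, never a new owner. */
    if (!cgroup_contains(bufs[1], cgroup_path)) { errno = EPERM; goto out; }
    if ((cpid = nspid_innermost(bufs[0])) < 0) { errno = ENOENT; goto out; }
    rc = (int)syscall(__NR_pidfd_send_signal, pidfd, sig, NULL, 0);
out:
    saved = errno;
    if (dirfd >= 0) close(dirfd);
    close(pidfd);
    errno = saved;
    return rc == 0 ? cpid : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <host-pid> <container-cgroup-path>\n", argv[0]); return 2; }
    pid_t cpid = kill_in_container((pid_t)atoi(argv[1]), argv[2], SIGTERM);
    if (cpid < 0) { perror("kill_in_container"); return 1; }
    printf("SIGTERM sent to host pid %s (pid %d inside its container)\n", argv[1], (int)cpid);
    return 0;
}
```

Run as, for instance, `./kill_in_container 4242 /lxc/web` (both values constructed); the caller needs the usual permission to signal the target, and the cgroup path is matched against the path field of each /proc/<pid>/cgroup line, so on a v2 host it is the path under the unified hierarchy root. The ordering in kill_in_container is the point of the example: the pidfd is taken first, /proc is read second, and the pidfd is checked for exit third. Because a PID cannot be handed out again until its previous owner has exited and been reaped, a pidfd that is still unreadable at step 3 proves that /proc/<pid> described the pinned process when it was read; sending through the pidfd afterwards can then only hit that process or nothing. Against a pre-4.1 kernel nspid_innermost returns -1 and the function refuses with ENOENT rather than guessing; against a pre-5.3 kernel pidfd_open fails with ENOSYS and nothing is signalled.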