From mboxrd@z Thu Jan  1 00:00:00 1970
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: Mapping between host & container PIDs ?
Date: Tue, 27 Nov 2012 07:50:35 -0600
Message-ID: <87vccrm9xw.fsf@xmission.com>
References: <20121127101555.GE24370@redhat.com>
	<20121127133609.GC3727@sergelap>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
In-Reply-To: <20121127133609.GC3727@sergelap> (Serge Hallyn's message of "Tue,
	27 Nov 2012 07:36:09 -0600")
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/containers>,
	<mailto:containers-request-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/containers/>
List-Post: <mailto:containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
List-Help: <mailto:containers-request-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/containers>,
	<mailto:containers-request-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org?subject=subscribe>
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
Cc: Linux Containers <containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
List-Id: containers.vger.kernel.org

Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org> writes:

> Quoting Daniel P. Berrange (berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
>> I'm trying to find out if there is a way to map between host and container
>> PIDs, at minimum in the host -> container direction. My use case is to be
>> able to kill processes associated with a container, based on the host PID,
>> in a race free manner.
>> 
>> Given a host PID, I can read the 'tasks' file for the container's cgroup
>> to verify that the PID is associated with the container in question. Then
>> I can kill the PID with a signal. There is a small race condition in there,
>> where the PID could die & a new process could be born using the original
>> PID. Now this might not be very likely but I was thinking that if it is
>> possible to map from a host PID to a container PID, you can do it more
>> safely. eg Lookup the container PID associted with the host PID, then
>> setns() into the container and kill the container PID. Now although there
>> is still a race condition, you are guaranteed that if the race hits you'll
>> only kill a process within the same container, not the host at large,
>> which is good when the user invoking the API is unprivileged.
>
> I'm afraid I don't know of any way to do that.  At some point a new
> /proc/self/pids or somesuch file was suggested to get that info.

I do wonder how the checkpoint/restart folks are getting that
information.

If you have the appropriate privileges you can use a unix domain socket.

Eric