Re: Mapping between host & container PIDs ?

On Tue, Nov 27, 2012 at 07:50:35AM -0600, Eric W. Biederman wrote:
> Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx> writes:
> 
> > Quoting Daniel P. Berrange (berrange@xxxxxxxxxx):
> >> I'm trying to find out if there is a way to map between host and container
> >> PIDs, at minimum in the host -> container direction. My use case is to be
> >> able to kill processes associated with a container, based on the host PID,
> >> in a race free manner.
> >> 
> >> Given a host PID, I can read the 'tasks' file for the container's cgroup
> >> to verify that the PID is associated with the container in question. Then
> >> I can kill the PID with a signal. There is a small race condition in there,
> >> where the PID could die & a new process could be born using the original
> >> PID. Now this might not be very likely but I was thinking that if it is
> >> possible to map from a host PID to a container PID, you can do it more
> >> safely. eg Lookup the container PID associated with the host PID, then
> >> setns() into the container and kill the container PID. Now although there
> >> is still a race condition, you are guaranteed that if the race hits you'll
> >> only kill a process within the same container, not the host at large,
> >> which is good when the user invoking the API is unprivileged.
> >
> > I'm afraid I don't know of any way to do that.  At some point a new
> > /proc/self/pids or somesuch file was suggested to get that info.
> 
> I do wonder how the checkpoint/restart folks are getting that
> information.

Perhaps via the parasite thread? I guess they just inject code that does
getpid(), and, because we know which process they ptrace'd on the host
side, they know the mapping in both pid namespaces.

Cheers,
	-Matt Helsley

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
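
Added example, not part of the thread and not code from any of its posters: kernels released after this discussion expose both pieces it asks for. The Python below assumes the `NSpid` field of /proc/<pid>/status (Linux 4.1+) for the host -> container mapping and pidfds (`os.pidfd_open`, Linux 5.3+, Python 3.9+) for the check-then-kill step; the sample status text, the function names and the `tasks_path` parameter are constructed for illustration.

```python
import os
import signal

# Constructed excerpt of /proc/<pid>/status for a process one PID namespace deep.
SAMPLE_STATUS = "Name:\tsleep\nPid:\t18231\nPPid:\t18110\nNSpid:\t18231\t7\n"


def ns_pids(status_text):
    """Return the PIDs on the NSpid line, outermost namespace first.

    The first value is the PID as seen by the reader, the last is the PID in
    the process's own (innermost) namespace. Returns [] if the field is absent.
    """
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "NSpid":
            return [int(p) for p in value.split()]
    return []


def pid_listed(tasks_text, pid):
    """True if pid appears in the text of a cgroup 'tasks' file."""
    return str(pid) in tasks_text.split()


def kill_if_in_container(host_pid, tasks_path, sig=signal.SIGKILL):
    """Signal host_pid only if the container's cgroup lists it.

    The pidfd is opened before the membership check, so it keeps referring to
    the process that was checked even if the PID number is recycled afterwards.
    """
    try:
        pidfd = os.pidfd_open(host_pid)
    except ProcessLookupError:
        return False  # no such process
    try:
        with open(tasks_path) as f:
            if not pid_listed(f.read(), host_pid):
                return False
        signal.pidfd_send_signal(pidfd, sig)
        return True
    except ProcessLookupError:
        return False  # the checked process exited; a recycled PID is not hit
    finally:
        os.close(pidfd)
```

If the process behind the pidfd dies and its PID is reused between the check and the signal, `pidfd_send_signal` fails with ESRCH instead of reaching the new process.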

