[systemd-devel] How can I map PID between host and container?

Lennart Poettering lennart at poettering.net
Thu Apr 23 08:25:21 PDT 2015


On Fri, 24.04.15 00:10, WaLyong Cho (walyong.cho at samsung.com) wrote:

> Hello,
> 
> I'm looking for a proper method to map PIDs between host and
> container.
> 
> In the case of systemctl, if I know the pid in the container (let's call
> this pid_c) then I can find the pid as seen from the host (let's call this
> pid_h) by using "systemctl -M {container} pid_c" in the host shell. But I
> cannot find pid_c when I know pid_h by using "systemctl status pid_h".
> 
> The former seems possible by parsing machine cgroup.
> In the latter case, can we also find the pid_c?
> 
> And is there any other method to map between those?
> For example, if I use lxc, how do I find each pid? (lxc-ps?)
> According to my search, namespaces can give me some hints about this.
> I could not find more detail.
> Is there any proper libs or tools for this?

The kernel doesn't have any nice userspace APIs to translate PIDs like
this, to my knowledge at least. 

That said, one can implement something like this by using the fact
that the kernel will translate user credentials that are sent via
AF_UNIX SCM_CREDENTIALS that pass through a PID namespace
boundary. Hence, let's say you have one pid $n that identifies the
namespace you care about, and a container pid $a you want to translate
to host pid $b, then you'd create an AF_UNIX/SOCK_SEQPACKET
socketpair(), fork(), run setns() in the child to join the namespace
of $n, and send a single datagram to the parent with sendmsg(), while
explicitly specifying the SCM_CREDENTIALS auxiliary field with the $a
in it, and exit. In the parent you use recvmsg() to read that datagram
with its SCM_CREDENTIALS, and use the pid you see as $b. Vice versa,
if you want to translate the other way you would send the datagram the
other way.

Nasty? Absolutely! (also, only available for privileged processes, due
to the setns() call).

I am not aware of any nicer way.

Lennart

-- 
Lennart Poettering, Red Hat

