The pid of the process in wsl2 differs from the pid returned in ebpf program `bpf_get_current_pid_tgid()`

[Timothy-Liuxf]

Windows Version

10.0.26100.1742

WSL Version

2.2.4.0

Are you using WSL 1 or WSL 2?

• [X] WSL 2
• [ ] WSL 1

Kernel Version

6.6.36.6-microsoft-standard-WSL2+

Distro Version

Ubuntu 24.04

Other Software

No response

Repro Steps

I compiled the WSL2 kernel manually to get eBPF supported. And I wrote a simple eBPF program to monitor the getpid syscall:

• https://github.com/Timothy-Liuxf/ebpf-examples/blob/e82a808d7ffaab2a7091b76bdce37157bebca96c/test.bpf.c
• https://github.com/Timothy-Liuxf/ebpf-examples/blob/e82a808d7ffaab2a7091b76bdce37157bebca96c/test.c

And I also wrote a program main.cpp to trigger getpid syscall periodically:

#include <iostream>
#include <unistd.h>

int main()
{
    while (1)
    {
        std::cout << ::getpid() << std::endl;
        sleep(1);
    }
}

First, run this trigger program:

g++ main.cpp && ./a.out

And it will print the pid (assume it is 3826), and compile and run the ebpf prigram:

gen.sh && make && sudo ./test 3826

Then mount the tracing filesystem to check the log:

sudo mount -t debugfs none /sys/kernel/debug/
sudo echo 1 > /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/enable
sudo cat /sys/kernel/debug/tracing/trace_pipe

Expected Behavior

It is expected to print:

a.out-3826    xxxxxxxxx: bpf_trace_printk: do_sys_getpid called: pid: 3826, m_pid: 3826

Actual Behavior

The pid returned by bpf_get_current_pid_tgid() is different from m_pid:

Diagnostic Logs

WslLogs-2024-10-02_16-46-04.zip

[github-actions[bot]]

Logs are required for review from WSL team

If this a feature request, please reply with '/feature'. If this is a question, reply with '/question'. Otherwise please attach logs by following the instructions below, your issue will not be reviewed unless they are added. These logs will help us understand what is going on in your machine.

How to collect WSL logs

Download and execute [collect-wsl-logs.ps1](https://github.com/Microsoft/WSL/blob/master/diagnostics/collect-wsl-logs.ps1) in an **administrative powershell prompt**: ``` Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-wsl-logs.ps1" -OutFile collect-wsl-logs.ps1 Set-ExecutionPolicy Bypass -Scope Process -Force .\collect-wsl-logs.ps1 ``` The script will output the path of the log file once done. If this is a networking issue, please use [collect-networking-logs.ps1](https://github.com/Microsoft/WSL/blob/master/diagnostics/collect-networking-logs.ps1), following the instructions [here](https://github.com/microsoft/WSL/blob/master/CONTRIBUTING.md#collect-wsl-logs-for-networking-issues) Once completed please upload the output files to this Github issue. [Click here for more info on logging](https://github.com/microsoft/WSL/blob/master/CONTRIBUTING.md#8-collect-wsl-logs-recommended-method) If you choose to email these logs instead of attaching to the bug, please send them to wsl-gh-logs@microsoft.com with the number of the github issue in the subject, and in the message a link to your comment in the github issue and reply with '/emailed-logs'.

[Timothy-Liuxf]

/question

[github-actions[bot]]

Diagnostic information

``` Issue was edited and new log file was found: https://github.com/user-attachments/files/17226615/WslLogs-2024-10-02_16-46-04.zip .wslconfig found Custom kernel found: 'E:\vm\wsl\kernel\6.6.36.6-ebpf\bzImage' Detected appx version: 2.2.4.0 Unexpected format in optional-component.txt: State : EnablePending ```

[github-actions[bot]]

Diagnostic information

``` Found '/question', adding tag 'question' ```

[OneBlue]

@Timothy-Liuxf: This is the expected behavior. Internally, WSL uses different PID namespaces for each distros (so each distro has init with pid=1).

What you're most likely seeing in your eBPF program is the PID from the root namespace's perspective, which is different from the one you're seeing in the distro namespace.

[Timothy-Liuxf]

@Timothy-Liuxf: This is the expected behavior. Internally, WSL uses different PID namespaces for each distros (so each distro has init with pid=1).

What you're most likely seeing in your eBPF program is the PID from the root namespace's perspective, which is different from the one you're seeing in the distro namespace.

Then how to get the PID of the root namespace in a WSL2 distro (since getpid cannot)?

[OneBlue]

By design, you can't do that from within the distribution. There's more info on how this works here: https://www.man7.org/linux/man-pages/man7/pid_namespaces.7.html .