Open cyphar opened 7 years ago
I don't think that will work because you won't be able to do any syscalls on the pids.
that is a really good idea for saving process information
@crosbymichael
I don't that that will work because you won't be able to do any syscalls on the pids.
What do you mean? If you read the pid out from /proc/self/stat
, the kernel will use pid_vnr
to compute the "correct" PID in your current namespace (assuming that there is an ancestral relationship with the namespaces). I believe you get ESRCH
if you try to read /proc/self/stat
for a process which isn't mapped in your namespace (I'll have to check though).
@cyphar Ya, I guess if you are reading from the host and the container namespaces are children. I thought you were talking about mapping it the other way, where the child had mounts to parent namespaces.
So, I was playing around with different tricks you can do with persistent namespaces and I noticed that you can bindmount
/proc/[pid]
directories:This means there are two things that we can solve with this:
We can manage containers from a different PID namespace, because the
/proc/self/stat
pseudo-file will generate the correct PID for us. I'm not sure what happens if you try to access it from a different namespace though (probablyESRCH
).We can remove the
initProcessTime
magic with a simple check to see if/run/runc/[ctr]/init
gives usESRCH
. This is a fool-proof method because we're pinning the kernelstruct task
'sprocfs
entry.There's also some other cool stuff we could do.