On Thu, May 29, 2014 at 13:07 +0400, Pavel Emelyanov wrote:
> On 05/29/2014 09:59 AM, Vasily Kulikov wrote:
> > On Wed, May 28, 2014 at 23:27 +0400, Pavel Emelyanov wrote:
> > ] We need a direct method of getting the pid inside containers.
> > ] If some issues occurred inside container guest, host user
> > ] could not know which process is in trouble just by guest pid:
> > ] the users of container guest only knew the pid inside containers.
> > ] This will bring an obstacle for troubleshooting.
> >
> > A new syscall might complicate troubleshooting by admin.
>
> Pure syscall -- yes. What if we teach the ps and top utilities to show
> additional info? I think that would help.
I like the idea of a low-level non-shell API which can be used by a utility like ps (or by an implementation of a new tool to work with complex namespace hierarchies). It should fit for troubleshooting. Then there should be no reason to implement two different APIs for observation from the shell via FS and from applications.

However, maybe it is possible to implement it not via a new syscall but by implementing a new symlink in sysfs? Then both a ps-like tool and a CRIU-like tool are able to obtain the ns information by the same means. Maybe sort of a symlink to a parent namespace or a process which is inside of the parent namespace? Then a process may identify IDs using the following steps:

1) identify target NS by walking current procfs
2) do setns(2)/chroot(2)
3) look at procfs to identify target IDs in the target NS

It would be impossible to identify foreign IDs for unprivileged processes, however.

Thanks,

-- 
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
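The three-step lookup sketched in the message above (find the target namespace from the host's procfs, chroot(2) into the container, then read the container's own procfs), written out as an added C example; it is not code from this thread, from the kernel, or from any of the posters. It assumes a root-privileged host process and that the container's root is reachable through the `/proc/<pid>/root` magic link, whose `/proc` is the container's own procfs mount and therefore numbers pids as the container sees them. Correlating the two views by `comm` plus `starttime` (fields 2 and 22 of `/proc/<pid>/stat`, identical in every procfs view) is this example's own choice, not something the thread specifies. `setns(CLONE_NEWPID)` is left out because it only affects children forked afterwards; for a read-only procfs lookup the chroot alone is enough.

```c
/* Added example (not from the thread): map a host-visible pid to the pid
 * number the same process has inside its container.  Needs root. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Field 22 of a /proc/<pid>/stat line is starttime (clock ticks since boot).
 * comm (field 2) is parenthesised and may contain spaces, so scan from the
 * last ')' instead of splitting the whole line on spaces. */
unsigned long long stat_starttime(const char *line)
{
    const char *p = strrchr(line, ')');
    int field = 3;
    if (!p)
        return 0;
    for (p++; *p; field++) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        if (field == 22)
            return strtoull(p, NULL, 10);
        while (*p && *p != ' ')
            p++;
    }
    return 0;
}

/* Copy comm (between the first '(' and the last ')') into out. */
int stat_comm(const char *line, char *out, size_t outsz)
{
    const char *a = strchr(line, '('), *b = strrchr(line, ')');
    size_t n;
    if (!a || !b || b < a)
        return -1;
    n = (size_t)(b - a - 1);
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, a + 1, n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper used by the self-test below. */
int comm_matches(const char *line, const char *expected)
{
    char c[64];
    return stat_comm(line, c, sizeof c) == 0 && strcmp(c, expected) == 0;
}

/* Read <procroot>/<pid>/stat into buf (one line). */
static int read_stat(const char *procroot, const char *pid, char *buf, size_t sz)
{
    char path[PATH_MAX];
    FILE *f;
    snprintf(path, sizeof path, "%s/%s/stat", procroot, pid);
    if (!(f = fopen(path, "r")))
        return -1;
    if (!fgets(buf, (int)sz, f)) { fclose(f); return -1; }
    fclose(f);
    return 0;
}

/* Scan one procfs mount for the process with this comm and starttime and
 * return its pid as numbered in *that* procfs view, or -1 if absent. */
long find_pid_in_proc(const char *procroot, const char *comm, unsigned long long starttime)
{
    DIR *d = opendir(procroot);
    struct dirent *e;
    long found = -1;
    if (!d)
        return -1;
    while (found < 0 && (e = readdir(d))) {
        char line[4096];
        if (e->d_name[0] < '0' || e->d_name[0] > '9')
            continue;           /* not a pid directory */
        if (read_stat(procroot, e->d_name, line, sizeof line))
            continue;           /* process exited meanwhile */
        if (comm_matches(line, comm) && stat_starttime(line) == starttime)
            found = strtol(e->d_name, NULL, 10);
    }
    closedir(d);
    return found;
}

/* Round trip on the host view only: locate our own pid from comm + starttime.
 * Returns -1 when /proc is not readable. */
long self_pid_via_proc(void)
{
    char line[4096], comm[64];
    if (read_stat("/proc", "self", line, sizeof line) || stat_comm(line, comm, sizeof comm))
        return -1;
    return find_pid_in_proc("/proc", comm, stat_starttime(line));
}

int main(int argc, char **argv)
{
    char line[4096], comm[64], path[PATH_MAX];
    unsigned long long st;
    struct stat ns;
    int root, status;
    pid_t child;
    if (argc != 2) { fprintf(stderr, "usage: %s <host pid>\n", argv[0]); return 2; }
    /* Step 1: identify the target and its pid namespace from the host's procfs. */
    if (read_stat("/proc", argv[1], line, sizeof line) || stat_comm(line, comm, sizeof comm)) {
        perror("read /proc/<pid>/stat"); return 1;
    }
    st = stat_starttime(line);
    snprintf(path, sizeof path, "/proc/%s/ns/pid", argv[1]);
    if (stat(path, &ns) == 0)
        printf("host pid %s: comm=%s starttime=%llu pidns=%lu\n",
               argv[1], comm, st, (unsigned long)ns.st_ino);
    /* Step 2: in a child, chroot into the container's root; "/proc" there is
     * the container's own procfs mount, numbered as the container sees it. */
    snprintf(path, sizeof path, "/proc/%s/root", argv[1]);
    if ((child = fork()) == 0) {
        root = open(path, O_RDONLY | O_DIRECTORY);
        if (root < 0 || fchdir(root) || chroot(".")) { perror("chroot"); _exit(1); }
        /* Step 3: look the same process up in the container's procfs view. */
        long inner = find_pid_in_proc("/proc", comm, st);
        if (inner < 0) _exit(1);
        printf("container pid %ld\n", inner);
        _exit(0);
    }
    waitpid(child, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root with the host pid of a containerized process; the child prints the pid that process sees for itself. Kernels from 4.1 onward expose the same mapping directly as the `NSpid` line of `/proc/<pid>/status`, which removes the need for the chroot and the comm/starttime correlation.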