RE: [RFC PATCH 0/3] ns, procfs: pid conversion between ns and showing pidns hierarchy
Hi,

> -Original Message-
> From: Serge E. Hallyn [mailto:se...@hallyn.com]
>
> Hi,
>
> so the below is just 30 mins worth of playing around, will hang if you give
> it bad pids, and requires privilege, but shows how to get pid conversion
> in some cases. Basically it gives you what I had previously suggested
> for the query_pid syscall before.
>

Thanks for teaching me how ucred could be used for this case.

> In general, usage is
>
> translatepid reporter_pid dest_pid query_pid
>
> where reporter_pid and dest_pid are pids in your pidns. It will assume
> query_pid is a valid pid in reporter_pid's pidns, and return the pid of
> the same process in dest_pid's namespace.
>
> In particular,
>
> if a process in a container (say pid 1, pid 2 in the host pidns)
> reports something about another process (say pid 262) in the container,
> and you have a shell (pid 1092) on the host, you can figure out the pid
> for 262 in your host pidns using
>
> translatepid $$ 2 262
>
> or to figure out what pid 25152 on the host is known as in the
> container,
>
> translatepid 2 $$ 25152
>

It's very easy to use :)

> I wonder whether this is enough to give you all you need. While it
> won't be super-fast, you could use and ppid info to figure out who
> is pid 1, etc.

Yes, functionally it's very good.
But for the cases of utilities like sosreport, ps, it's a bit slow.
So the procfs still has its advantages.

And also, I think the pidns hierarchy is needed.
I'll send the v2 ns hierarchy patch soon.

Thanks,
- Chen
Re: [RFC PATCH 0/3] ns, procfs: pid conversion between ns and showing pidns hierarchy
Hi,

so the below is just 30 mins worth of playing around, will hang if you give
it bad pids, and requires privilege, but shows how to get pid conversion
in some cases. Basically it gives you what I had previously suggested
for the query_pid syscall before.

In general, usage is

translatepid reporter_pid dest_pid query_pid

where reporter_pid and dest_pid are pids in your pidns. It will assume
query_pid is a valid pid in reporter_pid's pidns, and return the pid of
the same process in dest_pid's namespace.

In particular,

if a process in a container (say pid 1, pid 2 in the host pidns)
reports something about another process (say pid 262) in the container,
and you have a shell (pid 1092) on the host, you can figure out the pid
for 262 in your host pidns using

translatepid $$ 2 262

or to figure out what pid 25152 on the host is known as in the
container,

translatepid 2 $$ 25152

I wonder whether this is enough to give you all you need. While it
won't be super-fast, you could use and ppid info to figure out who
is pid 1, etc.

#define _GNU_SOURCE         /* See feature_test_macros(7) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>         /* memcpy, strerror */
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/select.h>     /* select, fd_set */
#include <sys/socket.h>
#include <fcntl.h>
#include <sys/un.h>
#include <sched.h>
#include <errno.h>

/*
 * general usage:
 *	translatepid reporter_ns_pid dest_ns_pid query_pid
 *
 * reporter_ns_pid and dest_ns_pid are pids in your namespace.
 * query_pid is in reporter_ns_pid's namespace.  The result is
 * in dest_ns_pid's namespace.
 *
 * If you see pid 10064 and want to know what its vpid
 * is:
 *	translatepid $$ 10064 10064
 * If pid 10064 reported something about a pid 9 in its
 * own ns and you want to know what pid that is in your
 * ns:
 *	translatepid 10064 $$ 9
 *
 * First cpid1, in rpid's pidns, sends us query_pid.
 * Then we send that translated pid to cpid2, in dpid's pidns.
 * It prints out the answer
 */

/* Wait up to 2 seconds for data on sockfd, then do a non-blocking recv. */
static int proxyrecv(int sockfd, void *buf, size_t len)
{
	struct timeval tv;
	fd_set rfds;

	FD_ZERO(&rfds);
	FD_SET(sockfd, &rfds);
	tv.tv_sec = 2;
	tv.tv_usec = 0;

	if (select(sockfd+1, &rfds, NULL, NULL, &tv) < 0)
		return -1;
	return recv(sockfd, buf, len, MSG_DONTWAIT);
}

/* Wait for the receiver's start byte, then send cred as SCM_CREDENTIALS. */
void send_creds(int sock, struct ucred *cred)
{
	struct msghdr msg = { 0 };
	struct iovec iov;
	struct cmsghdr *cmsg;
	char cmsgbuf[CMSG_SPACE(sizeof(*cred))];
	char buf[1];
	buf[0] = 'p';

	if (proxyrecv(sock, buf, 1) != 1) {
		printf("%s: Error getting reply from server over socketpair\n",
			__func__);
		exit(1);
	}

	msg.msg_control = cmsgbuf;
	msg.msg_controllen = sizeof(cmsgbuf);

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(struct ucred));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_CREDENTIALS;
	memcpy(CMSG_DATA(cmsg), cred, sizeof(*cred));

	msg.msg_name = NULL;
	msg.msg_namelen = 0;

	iov.iov_base = buf;
	iov.iov_len = sizeof(buf);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;

	if (sendmsg(sock, &msg, 0) < 0) {
		printf("%s: failed at sendmsg: %s\n", __func__,
			strerror(errno));
		exit(1);
	}
}

/* Enable SO_PASSCRED, send the start byte, and read the peer's ucred.
 * cred->pid stays -1 if nothing valid arrives. */
void recv_creds(int sock, struct ucred *cred)
{
	struct msghdr msg = { 0 };
	struct iovec iov;
	struct cmsghdr *cmsg;
	char cmsgbuf[CMSG_SPACE(sizeof(*cred))];
	char buf[1];
	int ret;
	int optval = 1;

	cred->pid = -1;
	cred->uid = -1;
	cred->gid = -1;

	if (setsockopt(sock, SOL_SOCKET, SO_PASSCRED, &optval, sizeof(optval)) == -1) {
		printf("Failed to set passcred: %s\n", strerror(errno));
		return;
	}
	buf[0] = '1';
	if (write(sock, buf, 1) != 1) {
		printf("Failed to start write on scm fd: %s\n", strerror(errno));
		return;
	}

	msg.msg_name = NULL;
	msg.msg_namelen = 0;
	msg.msg_control = cmsgbuf;
	msg.msg_controllen = sizeof(cmsgbuf);

	iov.iov_base = buf;
	iov.iov_len = sizeof(buf);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;

	// retry logic is not ideal, especially as we are not
	// threaded.  Sleep at most 1 second waiting for the client
	// to send us the scm_cred
	ret = recvmsg(sock, &msg, 0);
	if (ret < 0) {
		printf("Failed to receive scm_cred: %s\n", strerror(errno));
		return;
	}

	cmsg = CMSG_FIRSTHDR(&msg);

	if (cmsg && cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred)) &&
			cmsg->cmsg_level == SOL_SOCKET &&
			cmsg->cmsg_type == SCM_CREDENTIALS) {
		memcpy(cred, CMSG_DATA(cmsg), sizeof(*cred));
	}
}

int main(int argc, char *argv[])
{
	pid_t rpid, dpid, qpid;
	pid_t cpid1, cpid2;
	int
RE: [RFC PATCH 0/3] ns, procfs: pid conversion between ns and showing pidns hierarchy
Hi,

> -Original Message-
> Quoting Chen Hanxiao (chenhanx...@cn.fujitsu.com):
> > This series will expose pid inside containers
> > via procfs.
> > Also show the hierarchy of pid namespace.
> > Then we could know how pid looks inside a container
> > and their ns relationships.
> >
> > Chen Hanxiao (3):
> >   procfs: check uniq proc_dir_entry subdir name
> >   procfs: show hierarchy of pid namespace
> >   /proc/pid/status: show all sets of pid according to ns
> >
> >  fs/proc/Kconfig           |   6 ++
> >  fs/proc/Makefile          |   1 +
> >  fs/proc/array.c           |  17 +
> >  fs/proc/generic.c         |  15 +
> >  fs/proc/pidns_hierarchy.c | 161 ++
> >  include/linux/proc_fs.h   |   3 +
> >  6 files changed, 203 insertions(+)
> >  create mode 100644 fs/proc/pidns_hierarchy.c
>
> Thanks, Chen. I'm sorry I won't have a chance to review this week, but
> hope to do next week.
>

Thanks for your time and kind help.

-Chen
Re: [RFC PATCH 0/3] ns, procfs: pid conversion between ns and showing pidns hierarchy
Quoting Chen Hanxiao (chenhanx...@cn.fujitsu.com):
> This series will expose pid inside containers
> via procfs.
> Also show the hierarchy of pid namespace.
> Then we could know how pid looks inside a container
> and their ns relationships.
>
> Chen Hanxiao (3):
>   procfs: check uniq proc_dir_entry subdir name
>   procfs: show hierarchy of pid namespace
>   /proc/pid/status: show all sets of pid according to ns
>
>  fs/proc/Kconfig           |   6 ++
>  fs/proc/Makefile          |   1 +
>  fs/proc/array.c           |  17 +
>  fs/proc/generic.c         |  15 +
>  fs/proc/pidns_hierarchy.c | 161 ++
>  include/linux/proc_fs.h   |   3 +
>  6 files changed, 203 insertions(+)
>  create mode 100644 fs/proc/pidns_hierarchy.c

Thanks, Chen. I'm sorry I won't have a chance to review this week, but
hope to do next week.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
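Added example, not part of the thread and not code from either poster: the cover letter's third patch puts every namespace's view of a pid into /proc/<pid>/status, which is the procfs route Chen prefers for tools like ps and sosreport. The sketch below assumes the "NSpid:" line that mainline kernels print in that file (the field name does not appear in this thread); parse_nspid and the driver are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse "NSpid:" from the text of a /proc/<pid>/status file. out[0] is the
 * pid in the pid namespace of the procfs being read, the last entry the pid
 * in the task's innermost namespace. Returns the count, -1 if no such line. */
int parse_nspid(const char *status, pid_t *out, int max)
{
	const char *p = status;
	char *end;
	int n = 0;
	while (p && strncmp(p, "NSpid:", 6) != 0) {	/* match at line start only */
		p = strchr(p, '\n');
		if (p)
			p++;
	}
	if (!p)
		return -1;
	for (p += 6; n < max; n++) {
		while (*p == ' ' || *p == '\t')
			p++;
		if (*p < '0' || *p > '9')	/* end of the line */
			break;
		out[n] = (pid_t)strtol(p, &end, 10);
		p = end;
	}
	return n;
}

/* Constructed driver: prog [pid]; prints one line per namespace level. */
int main(int argc, char *argv[])
{
	char path[64], buf[8192];
	pid_t ids[32];
	int i, n;
	FILE *f;

	snprintf(path, sizeof(path), "/proc/%d/status",
		 argc > 1 ? atoi(argv[1]) : (int)getpid());
	if (!(f = fopen(path, "r")))
		return 1;
	buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
	fclose(f);
	n = parse_nspid(buf, ids, 32);
	for (i = 0; i < n; i++)
		printf("ns level %d: pid %d\n", i, (int)ids[i]);
	return n < 0;
}
```

Unlike the socketpair approach earlier in the thread, this needs no setns() and no privilege beyond read access to the target's status file, but it only answers for namespaces nested below the procfs mount being read.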