G'day.

We are currently looking into doing more monitoring and management of our VEs
from the hardware node, and as part of that we would like to have access to a
reasonably reliable mapping of VE id to VE init process PID on the host node.

(This would be, basically, the equivalent of /var/run/foo.pid, where foo was
 the VEID, and the PID was the host-node PID of the init process.)

This mapping would make it easier for our tools to first verify that the init
process was correct[1], then to walk the process tree or otherwise inspect the
children running in that container.


Sadly, to my eye it doesn't look possible to capture this without a private
patch to the vzctl tool[2], since none of the current hooks have access to the
information, and the init process forks away to a new PGID, SID, etc, quite
deliberately (and sensibly.)

So ... is there any sensible way I could implement this without needing a
private patch, other than to scan the process table after starting the
container and rebuilding that mapping?

        Daniel

Footnotes: 
[1]  Check /proc/$pid/status for matching envID, and VPid of 1, to verify that
     the init process matches our mapping.  If not, raise a warning because
     something unexpected has happened.

[2]  ...and the assumption that only vzctl starts containers, which is an
     assumption I can live with: this all is supposed to improve our
     monitoring capabilities, not prevent a hostile root-capable user on the
     hardware node from doing something dubious.

-- 
✣ Daniel Pittman            ✉ [email protected]            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
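The process-table scan the post mentions as a fallback, together with the footnote [1] check, as an added example (not vzctl code and not from the original message). It assumes the OpenVZ kernel exposes `envID:` and `VPid:` lines in `/proc/<pid>/status` as named in the post, that `envID: 0` denotes a host-node process, and the sample status text is constructed.

```python
"""VEID -> host-node init PID mapping built from /proc/<pid>/status.

Hypothetical helper: relies on the extra `envID:` and `VPid:` lines an
OpenVZ kernel adds to /proc/<pid>/status (assumed; field names per the post).
"""
import os
import re

_FIELD = re.compile(r"^(\w+):\s*(.*)$")


def parse_status(text):
    """Parse the `key: value` lines of a status file into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def container_init_map(status_by_pid):
    """Map VEID -> host PID of the process that is PID 1 inside that VE.

    status_by_pid is {host_pid: status_text}. If two processes claim to be
    init of the same VE the entry becomes None: that is the "something
    unexpected" case footnote [1] says should raise a warning.
    """
    mapping = {}
    for pid, text in status_by_pid.items():
        f = parse_status(text)
        if "envID" not in f or f.get("VPid") != "1":
            continue  # not a container init process
        veid = int(f["envID"])
        if veid == 0:
            continue  # assumed: envID 0 is the hardware node itself
        mapping[veid] = None if veid in mapping else pid
    return mapping


def verify_init(pid, veid, status_by_pid):
    """Footnote [1] check: is host PID `pid` still VE `veid`'s init?"""
    text = status_by_pid.get(pid)
    if text is None:
        return False  # process has exited; mapping is stale
    f = parse_status(text)
    return f.get("envID") == str(veid) and f.get("VPid") == "1"


def read_proc():
    """Collect status text for every live host process (real /proc scan)."""
    out = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/status") as fh:
                    out[int(name)] = fh.read()
            except OSError:
                continue  # process exited mid-scan
    return out


# Constructed sample: host init, VE 101's init, and a child inside VE 101.
SAMPLE = {
    1: "Name:\tinit\nPid:\t1\nenvID:\t0\nVPid:\t1\n",
    4123: "Name:\tinit\nPid:\t4123\nenvID:\t101\nVPid:\t1\n",
    4130: "Name:\tsshd\nPid:\t4130\nenvID:\t101\nVPid:\t17\n",
}
```

Run `container_init_map(read_proc())` once after `vzctl start` and re-run `verify_init` before trusting a stored PID, since PIDs are recycled.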

_______________________________________________
Users mailing list
[email protected]
https://openvz.org/mailman/listinfo/users