Linux Process – How to Find Out Namespace of a Particular Process?

linuxnamespaceprocess

I already asked a question about how to list all namespaces in Linux, but there wasn't any correct and exact answers, so I want to find out a method which can help me to find out the namespace of PID of some process or group of processes. How can it be done in Linux?

Best Answer

I'll try and answer both this and your earlier question as they are related.

The doors to namespaces are files in /proc/*/ns/* and /proc/*/task/*/ns/*.

A namespace is created by a process unsharing its namespace. A namespace can then be made permanent by bind-mounting the ns file to some other place.

That's what ip netns does for instance for net namespaces. It unshares its net namespace and bind-mounts /proc/self/ns/net to /run/netns/netns-name.

In a /proc mounted in the root pid namespace, you can list all the namespaces that have a process in them by doing:

# readlink /proc/*/task/*/ns/* | sort -u
ipc:[4026531839]
mnt:[4026531840]
mnt:[4026531856]
mnt:[4026532469]
net:[4026531956]
net:[4026532375]
pid:[4026531836]
pid:[4026532373]
uts:[4026531838]

The number in square brackets is the inode number.

To get that for a given process:

# ls -Li /proc/1/ns/pid
4026531836 /proc/1/ns/pid

Now, there may be permanent namespaces that don't have any process in them. Finding them out can be a lot trickier AFAICT.

First, you have to bear in mind that there can be several mount namespaces.

# awk '$9 == "proc" {print FILENAME,$0}' /proc/*/task/*/mountinfo | sort -k2 -u
/proc/1070/task/1070/mountinfo 15 19 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
/proc/19877/task/19877/mountinfo 50 49 0:3 / /run/netns/a rw,nosuid,nodev,noexec,relatime shared:2 - proc proc rw
/proc/19877/task/19877/mountinfo 57 40 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
/proc/1070/task/1070/mountinfo 66 39 0:3 / /run/netns/a rw,nosuid,nodev,noexec,relatime shared:2 - proc proc rw
/proc/19877/task/19877/mountinfo 68 67 0:3 / /mnt/1/a rw,nosuid,nodev,noexec,relatime unbindable - proc proc rw

Those /mnt/1/a, /run/netns/a may be namespace files.

We can get an inode number:

# nsenter --mount=/proc/19877/task/19877/ns/mnt -- ls -Li /mnt/1/a
4026532471 /mnt/1/a

But that doesn't tell us much other than it's not in the list computed above.

We can try and enter it as any of the different types:

# nsenter --mount=/proc/19877/task/19877/ns/mnt -- nsenter --pid=/mnt/1/a true
nsenter: reassociate to namespace 'ns/pid' failed: Invalid argument
# nsenter --mount=/proc/19877/task/19877/ns/mnt -- nsenter --mount=/mnt/1/a true
nsenter: reassociate to namespace 'ns/mnt' failed: Invalid argument
# nsenter --mount=/proc/19877/task/19877/ns/mnt -- nsenter --net=/mnt/1/a true
#

OK, that was a net namespace file.

So it would seem we have a method to list the name spaces: list the ns directories of all the tasks, then find all the proc mountpoints in all the /proc/*/task/*/mountinfo and figure out their type by trying to enter them.

Related Solutions

Linux – How to list namespaces in Linux

Utilities for working with namespaces have improved since this question was asked in 2013.

lsns from the util-linux package can list all of the different types of namespaces, in various useful formats.

# lsns --help

Usage:
 lsns [options] [<namespace>]

List system namespaces.

Options:
 -J, --json             use JSON output format
 -l, --list             use list format output
 -n, --noheadings       don't print headings
 -o, --output <list>    define which output columns to use
 -p, --task <pid>       print process namespaces
 -r, --raw              use the raw output format
 -u, --notruncate       don't truncate text in columns
 -t, --type <name>      namespace type (mnt, net, ipc, user, pid, uts, cgroup)

 -h, --help     display this help and exit
 -V, --version  output version information and exit

Available columns (for --output):
          NS  namespace identifier (inode number)
        TYPE  kind of namespace
        PATH  path to the namespace
      NPROCS  number of processes in the namespace
         PID  lowest PID in the namespace
        PPID  PPID of the PID
     COMMAND  command line of the PID
         UID  UID of the PID
        USER  username of the PID

For more details see lsns(8).

lsns only lists the lowest PID for each process - but you can use that PID with pgrep if you want to list all processes belonging to a namespace.

e.g. if I'm running gitlab in docker and want to find all the processes running in that namespace, I can:

# lsns  -t pid -o ns,pid,command  | grep gitlab
  4026532661   459 /opt/gitlab/embedded/bin/redis-server 127.0.0.1:0

and, then use that pid (459) with pgrep:

# pgrep --ns 459 -a
459 /opt/gitlab/embedded/bin/redis-server 127.0.0.1:0
623 postgres: gitlab gitlabhq_production [local] idle
[...around 50 lines deleted...]
30172 nginx: worker process

I could also use the namespace id (4026532661) with ps, e.g.:

ps -o pidns,pid,cmd | awk '$1==4026532661'
[...output deleted...]

Linux – How to Move Process Between Namespaces

You don't need to run process in some control groups if you already in certain namespace, instead you have to manipulate with namespaces. All new process in new namespace will «inherit» all control groups related to that namespace.

Moving processes between different namespaces can be done with setns() function or you can use nsenter command from util-linux to enter new namespace and then run new tasks in it. All you need is to know PID of process, which already is new namespace, then you can use (in case you want to run links):

# nsenter --PID --target pid_in_ns_you_want_to_enter && links

It's some cheat, because you don't moving processes, you just entered in namespace and running new processes, but with this possibility you can enter in certain NS and then fork in it already running in other NS process.

Best Answer

Related Solutions

Linux – How to list namespaces in Linux

Linux – How to Move Process Between Namespaces

Related Question