[Lxc-users] Refreshing for 2013: LXC hiding container processes from Host/HN's 'ps'

[Serge Hallyn]

No.  However, you should be able to hack it up pretty easily in
userspace by comparing /proc/$$/ns/pid.  It requires privilege,
but a very simple, easy-to-verify helper which simply takes one
argument and returns 0 if /proc/$1/ns/pid is the same as
/proc/self/ns/pid should be trustable with setuid-root or
file capabilities.

-serge

Quoting ian sison (mailing list) (ian.sison at gmail.com):
> Hi - i'm re forwarding this email from 2011 in the hope that there's
> been some work done on the mainline LXC code regarding hiding
> container processes from the hardware node's process list.  Back then
> there was no option available in LXC to implement this.  How about
> today?
> 
> - Ian
> 
> 
> ---------- Forwarded message ----------
> From: ian sison (mailing list) <ian.sison at gmail.com>
> Date: Tue, May 3, 2011 at 6:53 PM
> Subject: Hiding container processes from Host/HN's 'ps'
> To: lxc-users at lists.sourceforge.net
> 
> 
> Hi all -
> 
> In openvz, a certain sysctl parameter,
> 
> kernel.pid_ns_hide_child = 1
> 
> when executed at HN system startup will hide any processes that run
> inside the running containers from appearing in the output of 'ps'.
> This makes for a cleaner 'ps' output in the hardware node, and
> prevents inadvertent container malfunctions when something like
> 'killall -9 httpd' is executed in the command line of the HN.
> 
> How can i do the same with LXC?  My google searches draw up a blank.
> 
> - Ian
> 
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> Lxc-users mailing list
> Lxc-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users