Difference between revisions of "Processes scope and visibility"

From OpenVZ Virtuozzo Containers Wiki
m (fixed template:forum usage)
(fix using template:warning)
 
(12 intermediate revisions by 6 users not shown)
Line 1: Line 1:
This [[:Category:HOWTO|HOWTO]] shows how OpenVZ [[hardware node]] administrator can see a processes belonging to the host system only, or to a particular [[VE]].
+
This [[:Category:HOWTO|HOWTO]] shows how OpenVZ [[hardware node]]
 +
administrator can see a processes belonging to the host system only, or to a
 +
particular [[container]].
  
 
== Problem ==
 
== Problem ==
From [[VE0]] one can see all the processes running on the system; that includes all the processes of all [[VE]]s and the processes of the [[host system]] itself. Sometimes you just want to see the processes from the host system only. Sometimes you just want to see the processes from a particular VE.
+
From [[CT0]] one can see all the processes running on the system; that
 +
includes all the processes of all [[container]]s and the processes of the
 +
[[host system]] itself. Sometimes you just want to see the processes from the host system only. Sometimes you just want to see the processes from a
 +
particular container.
  
 
There are many ways to achieve it.
 
There are many ways to achieve it.
  
 
== Solutions ==
 
== Solutions ==
 +
 +
=== Hide container processes from host completely ===
 +
 +
It is possible to hide other CT's processes from [[CT0]]. For this just enable kernel.pid_ns_hide_child sysctl parameter:
 +
 +
<pre>
 +
sysctl -w 'kernel.pid_ns_hide_child=1'
 +
</pre>
 +
 +
and restart all containers. To make setting permanent put into /etc/sysctl.conf following line:
 +
 +
<pre>
 +
kernel.pid_ns_hide_child=1
 +
</pre>
 +
 +
After this ps or htop or top will not show other container processes.
 +
 +
{{Warning|If you use checkpointing and/or live migration, note they are not compatible with this feature and will stop working.}}
  
 
=== "Poor man's vzps in bash" ===
 
=== "Poor man's vzps in bash" ===
Use the following script by aistis, modified by kir.
+
Use the following script by aistis, broken by [[User:Kir|Kir]], fixed by [[User:Hvdkamer|Hvdkamer]].
  
First argument is VE ID (0 for the host system), all the remaining arguments are passed to <code>ps(1)</code> utility.
+
First argument is CT ID (0 for the host system), all the remaining arguments are passed to <code>ps(1)</code> utility.
  
 
<pre>
 
<pre>
 
#!/bin/bash
 
#!/bin/bash
# Usage: ./ovzps VEID [ps flags ...]
+
# Usage: ./ovzps CTID [ps flags ...]
  
function find_ve_pids(){
+
function find_container_pids(){
 
       local pid
 
       local pid
       local myveid=$1
+
       local myctid=$1
       local vepids=
+
       local ctpids=
  
 
       for pid in $ALLPIDS; do
 
       for pid in $ALLPIDS; do
 
               [ -f /proc/$pid/status ] || continue
 
               [ -f /proc/$pid/status ] || continue
               veid=`grep envID /proc/$pid/status | awk -F: '{print $2}'`
+
               ctid=`grep envID /proc/$pid/status | awk -F: '{print $2}'`
               if [ ${veid} = ${myveid} ]; then
+
               if [ ${ctid} = ${myctid} ]; then
                       VEPIDS="$VEPIDS $pid"
+
                       ctpids="$ctpids $pid"
 
               fi
 
               fi
 
       done
 
       done
       echo "$vepids"
+
       echo "$ctpids"
 
}
 
}
  
 
ALLPIDS=`ps -A -o pid --no-headers`
 
ALLPIDS=`ps -A -o pid --no-headers`
VEPIDS=`find_ve_pids $1`
+
CTPIDS=`find_container_pids $1`
 
shift
 
shift
  
if [ "${VEPIDS}" ]; then
+
if [ -n "${CTPIDS}" ]; then
         ps $* -p "$VEPIDS"
+
         ps $* -p $CTPIDS
 
else
 
else
 
         exit 0
 
         exit 0
 
fi
 
fi
 +
</pre>
 +
 +
A faster version:
 +
 +
<pre>
 +
#! /bin/bash
 +
# Usage: ovzps <CTID> [ps flags ...]
 +
 +
ctid=${1:-0}
 +
shift
 +
 +
ps $* -p $(grep -l "^envID:[[:space:]]*$ctid\$" /proc/[0-9]*/status |
 +
sed -e 's=/proc/\([0-9]*\)/.*=\1=')
 
</pre>
 
</pre>
  
 
=== Use vzprocps tools ===
 
=== Use vzprocps tools ===
 
Take <code>vzprocps</code> tools from http://download.openvz.org/contrib/utils/.
 
Take <code>vzprocps</code> tools from http://download.openvz.org/contrib/utils/.
These are usual <code>ps</code> and <code>top</code> utilities (named <code>vztop</code> and <code>vzps</code> to not conflict with the standard ones) with an <code>-E</code> option added. You can use <code>-E <i>VEID</i></code> option to limit the output to the selected VEID (use 0 for the host system), or just <code>-E</code> without an argument to just add VEID column to output.
+
These are usual <code>ps</code> and <code>top</code> utilities (named <code>vztop</code> and <code>vzps</code> to not conflict with the standard ones) with an <code>-E</code> option added. You can use <code>-E <i>CTID</i></code> option to limit the output to the selected CTID (use 0 for the host system), or just <code>-E</code> without an argument to just add CTID column to output.
 +
 
 +
=== Use vzprocps-perl tools ===
 +
Take <code>vzprocps-perl</code> tools from http://sourceforge.net/p/vzprocpsperl/wiki/vzprocps-perl/.
 +
Write in Perl with basics functions.
 +
Can be used in x86_64 architecture.  
  
 
== See also ==
 
== See also ==
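Review bot: In the rewritten "Poor man's vzps" script, the unquoted test `[ ${ctid} = ${myctid} ]` depends on word splitting to drop the whitespace that `awk -F:` leaves in front of the envID value, and it fails with a syntax error when either side is empty (no CTID argument, or a status file without an envID line). Extracting the value with `awk '/^envID:/ {print $2}'` and quoting both operands would remove both problems. In the same script and in the added faster version, `ps $*` re-splits the forwarded ps flags, so `"$@"` is the safer way to pass them through. The faster version also drops the non-empty check the first script keeps, so `ps -p` gets an empty list when grep matches nothing.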

Latest revision as of 20:41, 29 May 2013

This HOWTO shows how an OpenVZ hardware node administrator can see the processes belonging to the host system only, or to a particular container.

Problem

From CT0 one can see all the processes running on the system; that includes all the processes of all containers and the processes of the host system itself. Sometimes you just want to see the processes from the host system only. Sometimes you just want to see the processes from a particular container.

There are many ways to achieve it.

Solutions

Hide container processes from host completely

It is possible to hide the processes of other containers from CT0. To do so, enable the kernel.pid_ns_hide_child sysctl parameter:

<pre>
sysctl -w 'kernel.pid_ns_hide_child=1'
</pre>

and restart all containers. To make the setting permanent, put the following line into /etc/sysctl.conf:

<pre>
kernel.pid_ns_hide_child=1
</pre>

After this, ps, htop or top will not show the processes of other containers.

Warning: If you use checkpointing and/or live migration, note that they are not compatible with this feature and will stop working.

"Poor man's vzps in bash"

Use the following script by aistis, broken by Kir, fixed by Hvdkamer.

The first argument is the CT ID (0 for the host system); all remaining arguments are passed to the ps(1) utility.

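<pre>
#!/bin/bash
# Usage: ./ovzps CTID [ps flags ...]

# Print the PIDs (taken from $ALLPIDS) whose envID in /proc/PID/status equals CTID.
function find_container_pids(){
       local pid ctid
       local myctid=$1
       local ctpids=

       for pid in $ALLPIDS; do
               [ -f "/proc/$pid/status" ] || continue
               # awk splits on whitespace, so $2 is the bare ID; a process may exit mid-scan
               ctid=$(awk '/^envID:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
               if [ "$ctid" = "$myctid" ]; then
                       ctpids="$ctpids $pid"
               fi
       done
       echo "$ctpids"
}

if [ $# -lt 1 ]; then
        echo "Usage: $0 CTID [ps flags ...]" >&2
        exit 1
fi

ALLPIDS=$(ps -A -o pid --no-headers)
CTPIDS=$(find_container_pids "$1")
shift

if [ -n "${CTPIDS}" ]; then
        # $CTPIDS is left unquoted on purpose so that each PID becomes its own argument
        ps "$@" -p $CTPIDS
else
        exit 0
fi
</pre>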

A faster version:

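<pre>
#!/bin/bash
# Usage: ovzps <CTID> [ps flags ...]

ctid=${1:-0}
[ $# -gt 0 ] && shift

# List the status files whose envID matches, then reduce each path to its PID.
# Processes that exit during the scan make grep complain, hence 2>/dev/null.
pids=$(grep -l "^envID:[[:space:]]*$ctid\$" /proc/[0-9]*/status 2>/dev/null |
	sed -e 's=/proc/\([0-9]*\)/.*=\1=')

# Nothing to show if no process belongs to this container
[ -n "$pids" ] || exit 0
ps "$@" -p $pids
</pre>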
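
The same envID lookup generalised to all containers at once, as an added example that is not part of the original wiki page: it tabulates PID, CTID and command name, counts processes per container, and lists the PIDs of one container. The function names and the optional PROC_ROOT argument (defaulting to /proc) are assumptions of this example.

```shell
#!/bin/bash
# Added example: per-container process inventory built from the envID field.
# PROC_ROOT is an assumption of this example (default /proc) so the
# functions can also be run against a saved copy of /proc.

# Print "PID CTID COMM" for every readable status file under PROC_ROOT.
ct_pid_table() {
    local root="${1:-/proc}" f
    for f in "$root"/[0-9]*/status; do
        [ -r "$f" ] || continue          # process exited or glob matched nothing
        awk -v path="$f" '
            /^Name:/  { name = $2 }
            /^envID:/ { ctid = $2 }
            END {
                n = split(path, parts, "/")
                # Skip entries without an envID line (not an OpenVZ kernel)
                if (ctid != "") print parts[n-1], ctid, name
            }' "$f" 2>/dev/null
    done
}

# Print "CTID COUNT" per container, sorted by CTID (0 is the host system).
# Usage: ct_summary [PROC_ROOT]
ct_summary() {
    ct_pid_table "$1" |
        awk '{ c[$2]++ } END { for (id in c) print id, c[id] }' |
        sort -n
}

# Print the PIDs belonging to one container, one per line.
# Usage: ct_pids CTID [PROC_ROOT]
ct_pids() {
    ct_pid_table "$2" | awk -v want="$1" '$2 == want { print $1 }'
}
```

Sourced on the hardware node, `ct_summary` shows at a glance which containers CT0 can currently see, which is a quick way to confirm the effect of the kernel.pid_ns_hide_child setting described earlier.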

Use vzprocps tools

Take the vzprocps tools from http://download.openvz.org/contrib/utils/. These are the usual ps and top utilities (named vzps and vztop so as not to conflict with the standard ones) with an -E option added. Use the -E CTID option to limit the output to the selected CTID (use 0 for the host system), or just -E without an argument to add a CTID column to the output.

Use vzprocps-perl tools

Take the vzprocps-perl tools from http://sourceforge.net/p/vzprocpsperl/wiki/vzprocps-perl/. They are written in Perl using basic functions and can be used on the x86_64 architecture.

See also