Feature #5182
open
Easier identification of the process at the other end of a UnixStream face
0%
Description
Currently the remote FaceUri of a Unix face contains the file descriptor number of the NFD-side socket, e.g.: fd://42. This is not very useful to quickly determine which application is at the other end of an NFD face, or, conversely, which face corresponds to a given application.
We can do better by using (on Linux) the SO_PEERCRED socket option and extracting the pid field of the returned structure. I tested this on Ubuntu 21.04 and it seems to work as expected. A similar mechanism is available on macOS (LOCAL_PEERPID) and on recent versions of FreeBSD (LOCAL_PEERCRED).
Of course the PID value would need to be exposed somehow. For instance, we could define a new pid:// FaceUri scheme for this purpose. I'm open to suggestions on this point.
Updated by Davide Pesavento over 2 years ago
Davide Pesavento wrote:
For instance, we could define a new
pid://FaceUri scheme for this purpose.
One potential downside of this is that the remote FaceUri may no longer be used to uniquely identify a UnixStream face, e.g. in case the same process opens multiple faces toward NFD (should be uncommon). I don't think we promise anywhere that the remote FaceUri is unique, or even that the local+remote combination is unique, so this shouldn't be a problem. Hopefully no apps or management tools make any assumptions on this.
Updated by Davide Pesavento over 2 years ago
Also note that the pid returned by getsockopt will be that of the process that created/connected the socket, which may be different from the pid of the process currently using the socket, e.g. in case the original process forked or passed the open fd to another process. These are also quite unusual scenarios, so I'm not too concerned.
Updated by Junxiao Shi almost 2 years ago
If nfd.sock is shared across containers in different PID namespaces, would SO_PEERCRED retrieve the original PID or is it translated in some way?
If it's the original PID, is it possible to also retrieve the PID namespace of that process, and then the FaceUri can identify both the PID namespace and the PID within.