Feature #5182
open
Easier identification of the process at the other end of a UnixStream face
Added by Davide Pesavento about 3 years ago.
Updated over 2 years ago.
Description
Currently the remote FaceUri of a Unix face contains the file descriptor number of the NFD-side socket, e.g.: fd://42. This is not very useful to quickly determine which application is at the other end of an NFD face, or, conversely, which face corresponds to a given application.
We can do better by using (on Linux) the SO_PEERCRED socket option and extracting the pid field of the returned structure. I tested this on Ubuntu 21.04 and it seems to work as expected. A similar mechanism is available on macOS (LOCAL_PEERPID) and on recent versions of FreeBSD (LOCAL_PEERCRED).
Of course the PID value would need to be exposed somehow. For instance, we could define a new pid:// FaceUri scheme for this purpose. I'm open to suggestions on this point.
Davide Pesavento wrote:
For instance, we could define a new pid:// FaceUri scheme for this purpose.
One potential downside of this is that the remote FaceUri may no longer be used to uniquely identify a UnixStream face, e.g. in case the same process opens multiple faces toward NFD (should be uncommon). I don't think we promise anywhere that the remote FaceUri is unique, or even that the local+remote combination is unique, so this shouldn't be a problem. Hopefully no apps or management tools make any assumptions on this.
Also note that the pid returned by getsockopt will be that of the process that created/connected the socket, which may be different from the pid of the process currently using the socket, e.g. in case the original process forked or passed the open fd to another process. These are also quite unusual scenarios, so I'm not too concerned.
If nfd.sock is shared across containers in different PID namespaces, would SO_PEERCRED retrieve the original PID or is it translated in some way?
If it's the original PID, is it possible to also retrieve the PID namespace of that process, and then the FaceUri can identify both the PID namespace and the PID within.