
Docker Processes Shown on Host Process List


This seems to be a common misconception about Docker being a "lightweight virtual machine", which is why some might expect behavior similar to VirtualBox or VMware, just faster.

Docker does not use virtualization, so all processes are run by the native host kernel, just isolated from each other. A non-root user cannot kill processes inside a container, but root can stop the entire container, not only kill a process.

To distinguish between processes running inside a container and others, run top, then press Shift+F and select the nsPID and nsUSER columns as shown in the attached screenshot.

Then you will see the namespace beside each process: if it is running on the server directly, this value will most likely be empty, and if the process is running inside a container, you will see the namespace id for that container. (You can sort by the namespace to see the processes in each container.)

[Screenshot: top with the nsPID and nsUSER columns enabled]


Yes, this is as intended. Notice that the processes are started by root, so a user with root privileges can kill them, but a user with root privileges can do worse than that (e.g., uninstall docker o_O)...

This "flawed" isolation actually has some great benefits, like the ability to monitor the processes running inside all your containers from a single monitor process running on the host machine.


Also be aware that the user on the host can kill processes in the container started by the same uid.

This is particularly of concern because there's a good chance the first user added in the container has the same uid as the first user created on the host.

    $ ps -ef |grep '^install+ 26184'
    install+ 26184 26177  1 Oct30 ?        00:18:18 /usr/lib/plexmediaserver/Plex Media Server
    $ kill -9 26184
    $ ps -ef |grep '^install+ 26184'

Note that the first column shows my own user name because the process is running in the container with my uid, and that I killed the process without sudo or admin privileges.

So the takeaway is to either:

  • Create a new account and group on both the host and container, to ensure the same uid/gid isn't used; or
  • Enable Docker user namespaces to map the uid and gid.
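As an added example (not from any of the answers above), a small POSIX sh check that applies the last answer's point from the host side: list processes that live in a child PID namespace (more than one value on the NSpid line of /proc/<pid>/status, available on kernels 4.1 and later) and show whether their uid maps to a host account, which is exactly the collision case the answer describes. The proc root, passwd file and the three constructed sample processes are assumptions so that it can run against a fake tree.

```shell
#!/bin/sh
# Report processes in a child PID namespace whose uid also belongs to a host user.
# usage: find_uid_collisions PROC_ROOT PASSWD_FILE
# prints one line per containerised process: "<host pid> <pid in ns> <uid> <host user or ->"
find_uid_collisions() {
    proc_root=$1
    passwd=$2
    for status in "$proc_root"/[0-9]*/status; do
        [ -f "$status" ] || continue
        pid=$(basename "$(dirname "$status")")
        # NSpid: <host pid> <pid in child ns> ...  -> more than one value means a PID namespace
        nspid=$(awk '/^NSpid:/ { print NF-1 ":" $NF }' "$status")
        [ "${nspid%%:*}" -gt 1 ] 2>/dev/null || continue
        ns_pid=${nspid#*:}
        uid=$(awk '/^Uid:/ { print $2 }' "$status")            # real uid
        user=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$passwd")
        printf '%s %s %s %s\n' "$pid" "$ns_pid" "$uid" "${user:--}"
    done
}

# Constructed sample tree (assumption, not a real system): a host process, a
# container process running as uid 1000 (same uid as host user "install"), and a
# container process under user-namespace remapping whose uid has no host account.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/1" "$d/proc/26184" "$d/proc/31000"
    printf 'Name:\tinit\nNSpid:\t1\nUid:\t0\t0\t0\t0\n' > "$d/proc/1/status"
    printf 'Name:\tPlex Media Server\nNSpid:\t26184\t7\nUid:\t1000\t1000\t1000\t1000\n' \
        > "$d/proc/26184/status"
    printf 'Name:\tnginx\nNSpid:\t31000\t12\nUid:\t165536\t165536\t165536\t165536\n' \
        > "$d/proc/31000/status"
    printf 'root:x:0:0:root:/root:/bin/sh\ninstall:x:1000:1000::/home/install:/bin/sh\n' \
        > "$d/passwd"
    echo "$d"
}

# Run against the constructed tree; on a live host use: find_uid_collisions /proc /etc/passwd
sample=$(make_sample)
find_uid_collisions "$sample/proc" "$sample/passwd"
```

A line ending in a user name (here "26184 7 1000 install") is a container process that the same-named host user can signal without sudo; a line ending in "-" is what you see once user namespaces remap the container's uids.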