3

I realize that processes that run inside Docker containers appear on the host's process list:

# ps aux | grep mariadb
root     12486  0.0  0.0 112812   976 pts/0    S+   14:47   0:00 grep --color=auto mariadb

Is there a way to identify whether a process is running on the Host or on a Docker container, or a way to filter the Docker processes out?

Nuno
  • You can check the following post: https://stackoverflow.com/questions/26659129/docker-processes-shown-on-host-process-list – basekat Feb 27 '21 at 14:57
  • @basekat Thank you. I did try Googling several expressions hoping to find my answer, but I was only getting results of "docker ps" and other unhelpful stuff. That post does not seem to answer my question, however :) just explains what I already know. – Nuno Feb 27 '21 at 15:01
  • `cat /proc/PID/cgroup`, where PID is a process' PID on the host, tells you if a given process runs in a Docker container (from https://blog.stangroome.com/2017/12/05/inspecting-docker-container-processes-from-the-host/). – berndbausch Feb 27 '21 at 15:01
  • @berndbausch Very interesting! I may have the answer there! Thank you very much. – Nuno Feb 27 '21 at 15:02

3 Answers

4

Found the answer.

To filter processes that are not running in Docker processes, we can use this:

ps -e -o pid,comm,cgroup | grep -v "/docker/"

So, for example, if I want to kill all "php-fpm" processes that are not running inside Docker, I can do:

kill -9 $(ps -e -o pid,comm,cgroup | grep -v "/docker/" | awk '$2 == "php-fpm" {print $1}')

Nuno
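The filter from the answer above, as an added example that is not part of the original answers: it goes beyond the `grep -v "/docker/"` match by also recognising the `docker-<id>.scope` cgroup path that Docker uses with the systemd cgroup driver, which a plain `/docker/` match would treat as a host process. The function names, the `PROC_ROOT` override and the fixture PIDs and container IDs are assumptions constructed for this example; Kubernetes-style (`kubepods`) paths are not covered.

```shell
#!/bin/sh
# Added example: classify processes by the cgroup path the kernel reports
# in /proc/<pid>/cgroup, as seen from the host.

# Read cgroup text on stdin; print the 64-hex Docker container ID, or nothing.
# Accepts ".../docker/<id>" (cgroupfs driver) and ".../docker-<id>.scope"
# (systemd driver). A plain grep for "/docker/" misses the second form.
container_id_from_cgroup() {
    sed -n 's#^[0-9][0-9]*:[^:]*:.*/docker[/-]\([0-9a-f]\{64\}\).*#\1#p' |
        head -n 1
}

# Print PIDs whose command name is $1 and that are NOT in a Docker container.
# PROC_ROOT (an assumption of this example) lets a fixture stand in for /proc.
host_pids_by_comm() (
    for dir in "${PROC_ROOT:-/proc}"/[0-9]*; do
        # A process may exit mid-scan; skip it instead of calling it "host".
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        cg=$(cat "$dir/cgroup" 2>/dev/null) || continue
        [ "$comm" = "$1" ] && [ -n "$cg" ] || continue
        [ -z "$(printf '%s\n' "$cg" | container_id_from_cgroup)" ] || continue
        printf '%s\n' "${dir##*/}"
    done
)

# Constructed fixture: three fake php-fpm processes with made-up container IDs.
ID_A=$(printf '%064d' 0 | tr 0 a)
ID_B=$(printf '%064d' 0 | tr 0 b)
make_fixture() {
    root=$(mktemp -d)
    mkdir "$root/100" "$root/200" "$root/300"
    for p in 100 200 300; do echo php-fpm > "$root/$p/comm"; done
    echo "0::/system.slice/php-fpm.service"    > "$root/100/cgroup" # host
    echo "12:pids:/docker/$ID_A"               > "$root/200/cgroup" # cgroup v1 line
    echo "0::/system.slice/docker-$ID_B.scope" > "$root/300/cgroup" # cgroup v2 line
    printf '%s\n' "$root"
}

FIXTURE=$(make_fixture)
echo "host-only php-fpm PIDs: $(PROC_ROOT=$FIXTURE host_pids_by_comm php-fpm)"
echo "cgroup files matching /docker/: $(grep -l '/docker/' "$FIXTURE"/*/cgroup | wc -l) (2 are containers)"
rm -rf "$FIXTURE"
```

Review the PID list that `host_pids_by_comm` prints before handing it to `kill`, since a process can exit and its PID can be reused between the scan and the signal.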
0

If I quickly want to see what processes were started by what, I typically use a tool like htop (in tree mode by pressing F5), or pstree.

The output from pstree will look a bit like this:

systemd─┬─VGAuthService
        ├─abrt-dbus───3*[{abrt-dbus}]
        ├─abrt-watch-log
        ├─abrtd
        ├─chronyd
        ├─crond
        ├─dockerd─┬─docker-containe─┬─4*[docker-containe─┬─pause]
        │         │                 │                    └─9*[{docker-containe}]]
        │         │                 ├─docker-containe─┬─kube-apiserver───16*[{kube-apiserver}]
        │         │                 │                 └─9*[{docker-containe}]
        │         │                 ├─docker-containe─┬─kube-scheduler───14*[{kube-scheduler}]
        │         │                 │                 └─10*[{docker-containe}]
        │         │                 ├─docker-containe─┬─kube-controller───13*[{kube-controller}]
        │         │                 │                 └─10*[{docker-containe}]
        │         │                 ├─4*[docker-containe─┬─pause]
        │         │                 │                    └─10*[{docker-containe}]]
        │         │                 ├─docker-containe─┬─kube-proxy───12*[{kube-proxy}]
        │         │                 │                 └─9*[{docker-containe}]
        │         │                 ├─docker-containe─┬─node_exporter───31*[{node_exporter}]
        │         │                 │                 └─10*[{docker-containe}]
        │         │                 └─29*[{docker-containe}]
        │         └─47*[{dockerd}]

Which easily shows what processes are started by what.

htop lives in the EPEL repo on RHEL.
pstree is installed by the psmisc package.

This isn't the most technical answer, but the best answer seems to already exist in a comment.

KHobbits
  • Thank you. I appreciate the tips (I upvoted you). However, I'm looking for a way to do it straight with "ps", so I can easily get a list of PIDs, to pass to `kill`, for example. – Nuno Feb 27 '21 at 16:15
-1

cgroup 2.0 doesn't indicate that you're running in a docker container, nor does it work under Docker Desktop on Mac.

root@8a1d175a0b6c:/# ps -e -o pid,comm,cgroup
  PID COMMAND         CGROUP
    1 tini            -
    7 java            -
 3081 bash            -
 3282 ps              -

You can look for /.dockerenv, but it's an empty file, so there's no unified, reliable way to get your own docker container Id. The Docker team really dropped the ball on this one.

Ron
  • That's not what is asked. – Gerald Schneider Sep 27 '22 at 17:50
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/531201) – Giovanni Toraldo Sep 30 '22 at 10:55