This repository has been archived by the owner on Aug 6, 2018. It is now read-only.

SO_PEERCRED returns pid=0 when sending socket is in sibling container #21

Open
damonbarry opened this issue Jul 20, 2018 · 1 comment


@damonbarry

This may be by design, but I'm wondering if there's some setting I can add when I create the docker-systemd container so that it can correctly resolve the PID in this case?

If I have a daemon running on the host listening to a unix domain socket and I volume-mount the socket file into some container, then that container can communicate with the host over the socket (say, via a REST API, similar to communicating with docker engine from the container). Also, the daemon can get the host-relative PID of the client process (e.g. to authorize the client) via getsockopt() with SO_PEERCRED.

But if I move the server into the systemd container (I'm testing the end-to-end experience of installing and running the daemon), then SO_PEERCRED returns pid=0.

It makes sense that this wouldn't work since the systemd container has its own PID namespace, but I'm wondering if the systemd container can be given a read-only view of the host PIDs so that SO_PEERCRED can see the right value, without interfering with the container's own PID namespace?

Sorry I don't have a minimal, self-contained example. The daemon I'm working with is here.

Thanks!

@noidi
Contributor

noidi commented Aug 6, 2018

Hi Damon,

I'm sorry for the late reply to your clear and well-written problem report. Unfortunately I'm not familiar enough with Linux namespaces to help you with this problem off-hand. I hope that by now you've found a workaround or another approach to testing your service.

This project has been all but unmaintained for a long time now, so I've now made it official by updating the README and archiving the project. I wish I had done this sooner to save you some time and effort. (I know from experience that writing a good issue takes both!)
