From ba1871dac033783ab0329c9b3c9113a34a90992f Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Thu, 19 Jul 2018 14:41:58 +0200 Subject: podman-top: use containers/psgo Use github.com/containers/psgo instead of execing `ps (1)`. The psgo library enables a much more flexible interface with respect to which data to be printed (e.g., capabilities, seccomp mode, PID, PCPU, etc.) while the output can be parsed reliably. The library does not use ps (1) but parses /proc and /dev instead. To list the processes of a given container, psgo will join the mount namespace of the given container and extract all data from there. Notice that this commit breaks compatibility with docker-top. Signed-off-by: Valentin Rothberg Closes: #1113 Approved by: rhatdan --- docs/podman-top.1.md | 58 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 46 insertions(+), 12 deletions(-) (limited to 'docs') diff --git a/docs/podman-top.1.md b/docs/podman-top.1.md index a9abd8baf..d95d4df7f 100644 --- a/docs/podman-top.1.md +++ b/docs/podman-top.1.md @@ -4,10 +4,10 @@ podman\-top - Display the running processes of a container ## SYNOPSIS -**podman top** [*options*] *container* [*ps-options*] +**podman top** [*options*] *container* [*format-descriptors*] ## DESCRIPTION -Display the running process of the container. *ps-options* can be any of the options you would pass to `ps(1)`. +Display the running process of the container. The *format-descriptors* are ps (1) compatible AIX format descriptors but extended to print additional information, such as the seccomp mode or the effective capabilities of a given process. ## OPTIONS 
@@ -20,25 +20,59 @@ Display the running process of the container. *ps-options* can be any of the opt Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. +## FORMAT DESCRIPTORS + +The following descriptors are supported in addition to the AIX format descriptors mentioned in ps (1): + +**capinh** + + Set of inheritable capabilities. See capabilities (7) for more information. + +**capprm** + + Set of permitted capabilities. See capabilities (7) for more information. + +**capeff** + + Set of effective capabilities. See capabilities (7) for more information. + +**capbnd** + + Set of effective capabilities. See capabilities (7) for more information. + +**seccomp** + + Seccomp mode of the process (i.e., disabled, strict or filter). See seccomp (2) for more information. + +**label** + + Current security attributes of the process. + ## EXAMPLES +By default, `podman-top` prints data similar to `ps -ef`: + ``` # podman top f5a62a71b07 - UID PID PPID %CPU STIME TT TIME CMD - 0 18715 18705 0.0 10:35 pts/0 00:00:00 /bin/bash - 0 18741 18715 0.0 10:35 pts/0 00:00:00 vi -# +USER PID PPID %CPU ELAPSED TTY TIME COMMAND +root 1 0 0.000 20.386825206s pts/0 0s sh +root 7 1 0.000 16.386882887s pts/0 0s sleep +root 8 1 0.000 11.386886562s pts/0 0s vi ``` +The output can be controlled by specifying format descriptors as arguments after the container: + ``` -#podman --log-level=debug top f5a62a71b07 -o pid,fuser,f,comm,label - PID FUSER F COMMAND LABEL -18715 root 4 bash system_u:system_r:container_t:s0:c429,c1016 -18741 root 0 vi system_u:system_r:container_t:s0:c429,c1016 -# +# sudo ./bin/podman top -l pid seccomp args %C +PID SECCOMP COMMAND %CPU +1 filter sh 0.000 +8 filter vi /etc/ 0.000 ``` + ## SEE ALSO -podman(1), ps(1) +podman(1), ps(1), seccomp(2), capabilities(7) ## HISTORY December 2017, Originally compiled by Brent 
Baude + +July 2018, Introduce format descriptors by Valentin Rothberg -- cgit v1.2.3-54-g00ecf
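Review bot: In the first hunk (@@ -4,10 +4,10 @@), the new DESCRIPTION sentence does not say that ps(1) option syntax is no longer accepted, even though the SYNOPSIS replaces *ps-options* with *format-descriptors*, the commit message notes the break with docker-top, and the later hunk drops the `-o pid,fuser,f,comm,label` example. Suggest adding one sentence to DESCRIPTION stating that only format descriptors may follow the container, so users with existing `-o ...` invocations know why they need to change them. The added text also writes `ps (1)` with a space while SEE ALSO uses `ps(1)`; use the SEE ALSO form throughout.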
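Review bot: In the second hunk (@@ -20,25 +20,59 @@), the added **capbnd** entry is described as "Set of effective capabilities", which is the same text as the **capeff** entry above it, so the bounding set is documented as the effective set. Suggest "Set of bounding capabilities. See capabilities (7) for more information.", since readers will use these descriptors to audit what a container process can do and the two sets mean different things. In the same hunk, the second example runs `sudo ./bin/podman top -l pid seccomp args %C` under a `#` prompt; a man page example should call `podman top -l pid seccomp args %C` rather than a build-tree binary. The **label** descriptor is added here but no remaining example shows it, so consider keeping one example that prints it.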