This post has been republished via RSS; it originally appeared at: ITOps Talk Blog articles.
This is another blog post idea coming from discussions on Forums - sometimes, you need to check the processes running on a Windows container so you can troubleshoot your environment, or simply monitor its state. After some testing, I figured out a way to find the processes that are running inside the container – without having to actually open an interactive session to it, which let’s be honest – is such as pain. So, here’s how all this works:
Windows containers and Windows container host processes
To get started, it’s important to understand the following concept: When you have a Windows container running in process isolation mode, all processes are isolated between the containers so they have no influence on each other. However, the security boundary between container host and containers is simply the process isolation itself, which means the container host has visibility into the processes running inside the container. Of course, you don’t want to run your multi-tenant, production environment with processes isolation and that’s where Hyper-V isolation comes in. For more details on the isolation methods for Windows containers you can check the documentation that explains its differences and when to use each.
If you want to try this out, you can simply run a Get-Process command on a container host and check the results:
Notice on the image above that the container host shows multiple “csrss” processes but with different Session Identifiers. This is because I have 4 Windows containers running, plus the container host with that process instantiated.
How do I know which process is from which container?
Let’s say you need to identify a specific process from a specific container, so you can attach a debugger, check the username on which the process was instantiated, or any other troubleshooting process you might need to run. One way to achieve that is to open a interactive session to the container, but that’s not exactly trivial if the container is already running – And let’s be honest, not exactly the simplest way to achieve this.
So, that’s where the trick comes in. Let’s get started by identifying all containers running on the container host:
The docker ps -a command shows all containers on your container host and their “Container ID”. With that information, we can run:
So, now we know the entry point of the container has instantiated the process ID number 4492. With that, we can check the Session Identifier of that process:
Now we know the Session Identifier being used to run all the processes of this container is the number 6. With that, we can then see all processes for that specific container:
Voilá! Notice the process ID #4492 above is the Service Monitor running inside the IIS container image. Also, notice the w3wp process at the bottom which represents IIS itself. If you want, you can even play with this a little bit:
The above command returns only the IIS process from the container. But you can go even further:
This command returns the IIS process from two different containers.
Conclusion
It is much easier to check the processes from a running container from its container host. While not possible to do that on Hyper-V isolated containers, you can simply check the process ID for a container and use that information – alongside its Session Identifier – to query all processes on Process isolated Windows containers.
Hopefully this information helps you better troubleshoot your applications on Windows containers! Let us know what you think in the comments section below!