Process owner of a docker program


I have started an nginx container bound on the host network as follows:

docker run --rm -d --network host --name mynginx nginx

However, when querying process information with the ss command, this seems to be a pure nginx process but not a docker process:

$ ss -tuap 'sport = :80'
Netid               State                  Recv-Q                 Send-Q                                  Local Address:Port                                 Peer Address:Port                
tcp                 LISTEN                 0                      128                                           0.0.0.0:http                                      0.0.0.0:*                    users:(("nginx",pid=16563,fd=6),("nginx",pid=16524,fd=6))

Why is that?


There are 2 best solutions below

0
On BEST ANSWER

You configured the nginx process to run in the host networking namespace (--net host). In that mode you do not set up port forwarding from the host to the container network (e.g. -p 80:80). Had you done the port forwarding, you would see a docker process on the host which is forwarding to the same port in the container namespace for the nginx process.

Keep in mind that containers are a method to run an application with kernel options for things like namespacing; a container is not a VM running under a separate OS, so you will see processes running and ports opened directly on the host.

Here's an example of what it would look like if you forwarded the port instead of using the host network namespace, and how you can also look at the network namespace inside the container:

$ docker run --rm -d -p 8000:80 --name mynginx nginx                                                                                
d177bc43166ad59f5cdf578eca819737635c43b2204b2f75f2ba54dd5a9cffbb

$ sudo ss -tuap 'sport = :8000'              
Netid State      Recv-Q Send-Q Local Address:Port                 Peer Address:Port 
tcp   LISTEN     0      128        :::8000                     :::* users:(("docker-proxy",pid=25229,fd=4))

$ docker run -it --rm --net container:mynginx --pid container:mynginx nicolaka/netshoot ss -tuap 'sport = :80'                      
Netid  State      Recv-Q Send-Q Local Address:Port                 Peer Address:Port 
tcp    LISTEN     0      128     *:http                  *:*                     users:(("nginx",pid=1,fd=6))

The docker-proxy process there is the default way that docker forwards a port to the container.
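The point above, that a containerised nginx is an ordinary host process set apart only by its cgroup and namespaces, can be checked per PID from the host. The following is an added example, not part of the original answer; it assumes Docker's usual cgroup paths (`/docker/<id>` or `docker-<id>.scope`), and `PROC_ROOT` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a host PID (e.g. one reported by ss) as containerised or not.
# PROC_ROOT is a hypothetical override for testing against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the 64-hex container ID from the PID's cgroup file, or nothing.
# Assumes Docker's usual paths: ".../docker/<id>" or ".../docker-<id>.scope".
container_id_of_pid() {
    sed -n -E 's#.*docker[/-]([0-9a-f]{64})(\.scope)?$#\1#p' \
        "$PROC_ROOT/$1/cgroup" 2>/dev/null | head -n 1
}

# Succeed if <pid> is in the same <ns> (net, pid, mnt, ...) as PID 1.
# Reading /proc/1/ns/* normally needs root; an unreadable link counts as "not shared".
shares_ns_with_host() {
    ns_a=$(readlink "$PROC_ROOT/$1/ns/$2") &&
        ns_b=$(readlink "$PROC_ROOT/1/ns/$2") &&
        [ "$ns_a" = "$ns_b" ]
}

describe_pid() {
    cid=$(container_id_of_pid "$1")
    if [ -z "$cid" ]; then
        echo "pid $1: no docker cgroup (host process)"
        return 0
    fi
    if shares_ns_with_host "$1" net; then net=host; else net=private; fi
    echo "pid $1: container $(printf %.12s "$cid") net=$net"
}

# Usage: sh this_script.sh 16563 16524
for p in "$@"; do describe_pid "$p"; done
```

A PID reported as `net=host` is a container process started with the host network namespace, which is why ss on the host lists it directly as the socket owner.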

0
On

I am afraid there is some misunderstanding here about the so-called docker process.

First of all, the ss command doesn’t show what kind of process it is. It may show the application name (nginx here). But we could not say it’s a so-called pure nginx process.

You could try pwdx nginx_pid. Otherwise, each running container is a process which we could check with ps -ef on its host machine.

Above all, you could use ps -ef|grep nginx and pwdx nginx_pid to find out what kind of process it is.