* Reading network connections for processes in a separate net namespaces from /proc/[pid]/net/tcp|tcp6
From: dariusz ostolski @ 2016-01-22  8:34 UTC (permalink / raw)
  To: kernelnewbies

Hello,

My name is Darek Ostolski, I'm a computer enthusiast and hobbyist (also a
developer).
If this is the incorrect mailing list, excuse me and please point me to
the appropriate place to ask this kind of question. I couldn't find
any other more appropriate place.

I have a process that is in a separate net namespace (basically a
container) and I want to check the open connections for that process. I
have kernel 4.3.3.
My experiments showed that this information is available in the
/proc/[pid]/net/tcp|tcp6 files. For example, the global
/proc/net/tcp6 shows the following opened ports:

root@host:~# cat /proc/net/tcp6
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:01BD 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22882 1 ffff88040de7b240 100 0 0 10 0
   1: 00000000000000000000000000000000:008B 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22883 1 ffff88040de7a9c0 100 0 0 10 0
   2: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1214363 1 ffff880077ed9340 100 0 0 10 0
   3: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21933 1 ffff880400a33140 100 0 0 10 0
   4: 00000000000000000000000000000000:445C 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 29904 1 ffff880400a32040 100 0 0 10 0

And for a process running in container I have:
root@host:~# cat /proc/30518/net/tcp6
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00000100007F:1F45 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1211206 1 ffff880364fcb380 100 0 0 10 0
   1: 00000000000000000000000000000000:1F49 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1215425 1 ffff8802befd0200 100 0 0 10 0
   2: 00000000000000000000000000000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1215421 1 ffff880077ed8240 100 0 0 10 0


So I see that there are opened ports that are not visible on host
level but are visible at a container level for example 1F90 -> which
is basically 8080.


I'd like to ask the following questions:
1. Where can I find documentation for the /proc/[pid]/net/tcp|tcp6 files?
All I could find was documentation about the global files (i.e.
/proc/net/tcp|tcp6) and there is no information about network
namespaces at all (google, stackoverflow, man pages, kernel docs).
2. Could you confirm that in these files I'll see all connections that
are specific to a given process even if this process is in a separate
network namespace? (So I don't have to enter the target net/pid namespace
to read their global /proc/net/tcp|tcp6 files.)
3. I've grepped the kernel source code and tried to find where the
/proc/[pid]/net/tcp|tcp6 files are created but I couldn't (I've found
functions for the global files, maybe they are the same). I'd like to
check when these files were introduced (from what kernel version they
are available) and if I can confirm my findings directly from kernel
sources (that I'll see connections from a separate net namespace without
actually entering that namespace). This is the source code that I've found:
http://lxr.free-electrons.com/source/net/ipv4/tcp_ipv4.c?v=4.3#L2261

But as I wrote, I don't know how it is related to the files from
/proc/[pid]/net/tcp|tcp6


Thank You in advance for your help.

-- 
Regards,
Darek
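
An added example, not part of the original post: a Python parser for the table format shown above, decoding the hex endpoints and state and diffing the listening ports of the host's /proc/net/tcp6 against the container process's /proc/30518/net/tcp6. It assumes a little-endian host; the function names are illustrative, and the embedded rows are the ones from the post with the line wraps removed.

```python
import ipaddress
import struct

# State codes from the kernel's include/net/tcp_states.h (subset)
TCP_STATES = {0x01: "ESTABLISHED", 0x06: "TIME_WAIT", 0x08: "CLOSE_WAIT", 0x0A: "LISTEN"}

def decode_endpoint(field):
    """Decode an 'ADDRHEX:PORTHEX' field from /proc/<pid>/net/tcp or tcp6."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    n = len(raw) // 4
    # Assumption: little-endian host (e.g. x86). The kernel prints each 32-bit
    # word of the address in host byte order, so every word is swapped back.
    words = struct.unpack("<%dI" % n, raw)
    return ipaddress.ip_address(struct.pack(">%dI" % n, *words)), int(port_hex, 16)

def parse_table(text):
    """Return one dict per socket row; the column header line is skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].rstrip(":").isdigit():
            continue
        addr, port = decode_endpoint(f[1])
        state = int(f[3], 16)
        rows.append({"addr": addr, "port": port, "uid": int(f[7]), "inode": int(f[9]),
                     "state": TCP_STATES.get(state, hex(state))})
    return rows

def listening_ports(text):
    """Set of local ports whose socket is in the LISTEN state."""
    return {r["port"] for r in parse_table(text) if r["state"] == "LISTEN"}

# Sample rows copied from the post (unwrapped); ANY and REM only shorten the literals.
ANY = "00000000000000000000000000000000"
REM = ANY + ":0000 0A 00000000:00000000 00:00000000 00000000"
HOST = "\n".join([
    f"   0: {ANY}:01BD {REM}     0        0 22882 1 ffff88040de7b240 100 0 0 10 0",
    f"   1: {ANY}:008B {REM}     0        0 22883 1 ffff88040de7a9c0 100 0 0 10 0",
    f"   2: {ANY}:0050 {REM}     0        0 1214363 1 ffff880077ed9340 100 0 0 10 0",
    f"   3: {ANY}:0016 {REM}     0        0 21933 1 ffff880400a33140 100 0 0 10 0",
    f"   4: {ANY}:445C {REM}  1000        0 29904 1 ffff880400a32040 100 0 0 10 0",
])
CONTAINER = "\n".join([
    f"   0: 0000000000000000FFFF00000100007F:1F45 {REM}     0        0 1211206 1 ffff880364fcb380 100 0 0 10 0",
    f"   1: {ANY}:1F49 {REM}     0        0 1215425 1 ffff8802befd0200 100 0 0 10 0",
    f"   2: {ANY}:1F90 {REM}     0        0 1215421 1 ffff880077ed8240 100 0 0 10 0",
])

print(sorted(listening_ports(CONTAINER) - listening_ports(HOST)))
```

On a live system the same functions can be fed the contents of /proc/<pid>/net/tcp and /proc/<pid>/net/tcp6 read as root.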


* Reading network connections for processes in a separate net namespaces from /proc/[pid]/net/tcp|tcp6
From: Rami Rosen @ 2016-01-22  9:21 UTC (permalink / raw)
  To: kernelnewbies

Hi, Darek,

>I've found
>functions for global files, maybe they are the same). I'd like to
>check when these files were introduced (from what kernel version they
>are available)

Support for kernel network namespaces was added with kernel 2.6.29.
It is basically based on adding an object called "net_ns" to the
process descriptor, an instance of struct net, which represents a
network namespace. You can think of such an object as representing the
network state of a process, including all stats, sockets, devices,
tables, and so on. This net_ns is a member of an object called
nsproxy, which includes pointers to 4 other namespaces (uts, mnt, pid
and ipc).


>and there is no information about network
>namespaces at all (google, stackoverflow, man pages, kernel docs)

This is not really so. Look for example in the following:

Namespaces and Cgroups - the basis of Linux Containers by Rami Rosen
http://files.meetup.com/18720713/Namespaces_Cgroups_Conatiners.pdf

Resource management: Linux kernel Namespaces and cgroups by Rami Rosen
http://www.haifux.org/lectures/299/netLec7.pdf

Namespaces in operation, part 7: Network namespaces by Jake Edge
https://lwn.net/Articles/580893/

Introduction to Network Namespaces - David Mahler
https://www.youtube.com/watch?v=_WgUwUf1d34

(Shameless plug, I am the owner of the first two links...)

Hope this helps,

Regards,
Rami Rosen
http://ramirose.wix.com/ramirosen





* Reading network connections for processes in a separate net namespaces from /proc/[pid]/net/tcp|tcp6
From: dariusz ostolski @ 2016-01-25 13:00 UTC (permalink / raw)
  To: kernelnewbies

Hello,


2016-01-22 10:21 GMT+01:00 Rami Rosen <roszenrami@gmail.com>:
>>I've found
>>functions for global files, maybe they are the same). I'd like to
>>check when these files were introduced (from what kernel version they
>>are available)
>
> Support for kernel network namespaces was added with kernel 2.6.29.
> It is basically based on adding an object called "net_ns" to the
> process descriptor, an instance of struct net, which represents a
> network namespace. You can think of such an object as representing the
> network state of a process, including all stats, sockets, devices,
> tables, and so on. This net_ns is a member of an object called
> nsproxy, which includes pointers to 4 other namespaces (uts, mnt, pid
> and ipc).
>
>
>>and there is no information about network
>>namespaces at all (google, stackoverflow, man pages, kernel docs)
>

Thank you for your answer, it gave me some clues so I was not
completely blind when I checked the kernel source code.
Nevertheless, excuse me for not being precise enough; what I meant is
that I couldn't find any docs about those 2 specific files:
1. /proc/[pid]/net/tcp
2. /proc/[pid]/net/tcp6

And how is their content related to net namespaces?

I want to read connections for a process that is in a separate net
namespace but I'd like to avoid switching to that namespace.
My experiments showed that reading /proc/[pid]/net/tcp|tcp6 should be
enough, but I'd like to find confirmation of that
either in official docs (which I couldn't find) or in kernel source
code (I failed there too).

Again, thank you in advance for your help.

Regards,
Darek


* Reading network connections for processes in a separate net namespaces from /proc/[pid]/net/tcp|tcp6
From: Rami Rosen @ 2016-01-25 16:01 UTC (permalink / raw)
  To: kernelnewbies

Hi, Darek,

cat /proc/[pid]/net/tcp
is handled by:
http://lxr.free-electrons.com/source/net/ipv4/tcp_ipv4.c#L2230

and cat /proc/[pid]/net/tcp6
is handled by:
http://lxr.free-electrons.com/source/net/ipv6/tcp_ipv6.c#L1782

Hope it helps!

Regards,
Rami Rosen
http://ramirose.wix.com/ramirosen

