There are several processes running in a Docker container, their PIDs are isolated in the container namespace, is there a way to figure out what are their PIDs on the Docker host?

For example there is an Apache web server running inside a Docker container, (I use Apache+PHP image from Docker Hub), and the Apache, when it starts, creates more worker processes inside the container. Those worker processes are actually handling incoming requests. To view these processes I run pstree inside the docker container:

# pstree -p 1
apache2(1)-+-apache2(8)
           |-apache2(9)
           |-apache2(10)
           |-apache2(11)
           |-apache2(12)
           `-apache2(20)

The parent Apache process runs on PID 1 inside of the container process namespace. However from the host's perspective it can be also accessed, but its PID on the host is different and can be determined by running docker compose command:

 $ docker inspect --format '{{.State.Pid}}' container
 17985

From this we can see that the PID 1 from within the container process namespace maps to PID 17985 on the host. So I can run pstree on the host, to list the children of the Apache process:

$ pstree -p 17985
apache2(17985)─┬─apache2(18010)
               ├─apache2(18011)
               ├─apache2(18012)
               ├─apache2(18013)
               ├─apache2(18014)
               └─apache2(18164)

From this I assume that the same way how PID 1 in the container maps to PID 17985 on the host, it also maps:

• PID 8 in container to PID 18010 on host, and
• PID 9 to PID 18011;
• PID 10 to PID 18012 and so on...

(This allows me to debug the processes from docker container, using tools that are only available only on the host, and not the in the container, like strace)

The problem is that I don't know how safe is to assume that pstree lists the processes in the same order both in the container and in the host.

Would be great if someone could suggest a more reliable way to detect what is a PID on the host of a specific process running inside the Docker container.

You can look at the /proc/<pid>/status file to determine the mapping between the namespace PID and the global PID. For example, if in a docker container I start several sleep 900 processes, like this:

# docker run --rm -it alpine sh
/ # sleep 900 &
/ # sleep 900 &
/ # sleep 900 &

I can see them running in the container:

/ # ps -fe
PID   USER     TIME   COMMAND
    1 root       0:00 sh
    7 root       0:00 sleep 900
    8 root       0:00 sleep 900
    9 root       0:00 sleep 900
   10 root       0:00 ps -fe

I can look at these on the host:

# ps -fe | grep sleep
root     10394 10366  0 09:11 pts/10   00:00:00 sleep 900
root     10397 10366  0 09:12 pts/10   00:00:00 sleep 900
root     10398 10366  0 09:12 pts/10   00:00:00 sleep 900

And for any one of those, I can look at the status file to see the namespace pid:

# grep -i pid /proc/10394/status
Pid:    10394
PPid:   10366
TracerPid:  0
NSpid:  10394   7

Looking at the NSpid line, I can see that within the PID namespace this process has pid 7. And indeed, if I kill process 10394 on the host:

# kill 10394

Then in the container I see that PID 7 is no longer running:

/ # ps -fe
PID   USER     TIME   COMMAND
    1 root       0:00 sh
    8 root       0:00 sleep 900
    9 root       0:00 sleep 900
   11 root       0:00 ps -fe