I have a very simple Ubuntu container with apache running in it. When I started the container with:
$ sudo docker run -p 192.168.189.134:80:80 -d wnoorduin/apache
where 192.168.189.134 is my IP address, and look at the processes on the docker host, I see:
$ sudo ps -ef | grep docker
root     35701     1  0 13:46 ?        00:00:14 /usr/bin/docker daemon
root     37825 35701  0 14:47 ?        00:00:00 docker-proxy -proto tcp -host-ip 192.168.189.134 -host-port 80 -container-ip 172.17.0.2 -container-port 80
root     37946  3465  0 14:53 pts/0    00:00:00 grep --color=auto docker
root@willems-vm:/# ps -ef | grep apache
root     37832 35701  0 14:47 ?        00:00:00 /bin/sh /usr/sbin/apache2ctl -D FOREGROUND
root     37856 37832  0 14:47 ?        00:00:00 /usr/sbin/apache2 -D FOREGROUND
www-data 37857 37856  0 14:47 ?        00:00:00 /usr/sbin/apache2 -D FOREGROUND
www-data 37858 37856  0 14:47 ?        00:00:00 /usr/sbin/apache2 -D FOREGROUND
root     37950  3465  0 14:54 pts/0    00:00:00 grep --color=auto apache
and:
root@willems-vm:/# ps -efZ | grep docker
unconfined      root     35701     1  0 13:46 ?        00:00:14 /usr/bin/docker daemon
unconfined      root     37825 35701  0 14:47 ?        00:00:00 docker-proxy -proto tcp -host-ip 192.168.189.134 -host-port 80 -container-ip 172.17.0.2 -container-port 80
docker-default  root     37832 35701  0 14:47 ?        00:00:00 /bin/sh /usr/sbin/apache2ctl -D FOREGROUND
docker-default  root     37856 37832  0 14:47 ?        00:00:00 /usr/sbin/apache2 -D FOREGROUND
docker-default  www-data 37857 37856  0 14:47 ?        00:00:00 /usr/sbin/apache2 -D FOREGROUND
docker-default  www-data 37858 37856  0 14:47 ?        00:00:00 /usr/sbin/apache2 -D FOREGROUND
unconfined      root     37952  3465  0 14:55 pts/0    00:00:00 grep --color=auto docker
So after putting the Z of SELinux in this, I can confirm that the apache2 process is coming from a docker container. Back in my good days, when I was configuring Solaris Containers, it was actually possible to see the zone name (this was called a zone) in the ps listing (if I remember, it was also ps -efZ, but Z had a totally different meaning then).
When running one container this is not so disastrous, but when running 10, you cannot track the process down to the container. So: Is there a way to do that on the docker host, without the docker command?
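The lookup the question asks for, as an added example that is not part of the original post and not Docker's own tooling: on the host, the kernel records which cgroup every process belongs to in /proc/<pid>/cgroup, and Docker names a container's cgroup after the container id. The script below assumes (labelled in the code) either the cgroup v1 layout `/docker/<64-hex-id>` that Docker used at the time of the question or the systemd layout `/system.slice/docker-<id>.scope`; the sample cgroup lines and the container id are constructed, not captured from the poster's host.

```shell
#!/bin/sh
# Added example (not from the original question): map a host PID to the
# Docker container that owns it without calling the docker CLI, by reading
# the cgroup path the kernel exposes in /proc/<pid>/cgroup.
# Assumptions, labelled here: Docker places a container's processes in a
# cgroup named after the 64-hex container id, either "/docker/<id>"
# (cgroup v1 layout) or "/system.slice/docker-<id>.scope" (systemd driver).
# Host-side helpers such as docker-proxy live outside those cgroups and
# therefore map to nothing, which is the correct answer for them.

# container_id_from_cgroup: read lines in /proc/<pid>/cgroup format
# ("hierarchy:controllers:path") on stdin; print the container id of the
# first line that names a Docker cgroup, or print nothing.
container_id_from_cgroup() {
    sed -n -E \
        -e 's#^[^:]*:[^:]*:/docker/([0-9a-f]{64})(/.*)?$#\1#p' \
        -e 's#^[^:]*:[^:]*:.*/docker-([0-9a-f]{64})\.scope(/.*)?$#\1#p' |
    head -n 1
}

# container_id_of_pid: the same lookup for a live process on this host.
# Usage on the poster's host: container_id_of_pid 37857
container_id_of_pid() {
    [ -r "/proc/$1/cgroup" ] || return 1
    container_id_from_cgroup < "/proc/$1/cgroup"
}

# short_id: the 12-character prefix that docker ps shows as CONTAINER ID.
short_id() {
    printf '%s\n' "$1" | cut -c1-12
}

# Constructed sample data: a made-up id and cgroup files, not real captures.
FAKE_ID=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_V1="11:memory:/docker/$FAKE_ID
10:devices:/docker/$FAKE_ID
1:name=systemd:/docker/$FAKE_ID"
SAMPLE_V2="0::/system.slice/docker-$FAKE_ID.scope"
SAMPLE_HOST="11:memory:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope"

# classify: print which container (if any) a cgroup listing belongs to.
classify() {
    id=$(printf '%s\n' "$2" | container_id_from_cgroup)
    if [ -n "$id" ]; then
        printf '%s: container %s\n' "$1" "$(short_id "$id")"
    else
        printf '%s: not in a container cgroup\n' "$1"
    fi
}

classify "cgroup v1 sample" "$SAMPLE_V1"
classify "cgroup v2 sample" "$SAMPLE_V2"
classify "host process sample" "$SAMPLE_HOST"
```

Run against the PIDs in the listing above, `container_id_of_pid 37857` would print the id of the container that the www-data apache2 worker runs in, while `container_id_of_pid 37825` (docker-proxy) prints nothing because it is a daemon-side process, not a container one. For a whole-system view, procps-ng `ps` also accepts `cgroup` as an output column (`ps -eo pid,user,cgroup,args`), which gives a per-process listing closer to the Solaris zone column the question remembers. Turning an id into the container's name without the CLI means reading Docker's own state under /var/lib/docker (the container's config file carries a "Name" key), which depends on the Docker version and is an assumption rather than something the question's output shows.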