Find docker container by their process


I have identified a process that is suspicious and I am running in a CoreOs (cause that what I am running :D) containerized environment, how to find which container the process is coming from.

My need was introduced because i am using Topbeat to gather system metrics from our AWS clusters and i needed to find some processes that consumed memory. So which container was running this process?


1. PS from within the machine (ssh)

To find for a given process what is the pid and ppid and you have access to the remote terminal of the machine you can ssh into the machine and run

$ ps  xao pid,ppid,comm |grep <proc name>

for example to find one php-fpm processes on which container is running

$ ps  xao pid,ppid,comm |grep fpm
4595  4580 php5-fpm
4639  4595 php5-fpm
5297  5279 php5-fpm

and then we can find ether from the pid or ppid the related container.

2. Topbeat

From the topbeat log event (i am ommiting some fields to make reading easier)

"proc": {
      "cmdline": "php-fpm: pool www",
      "cpu": {
      "mem": {
      "name": "php-fpm",
      "pid": 30717,
      "ppid": 15479,
      "state": "sleeping",
      "username": "82"

We find the ppid which is the parent process id, we can get also the pid if this is not a forked processes.

After we ssh into the machine then with this in mind we find the container.

docker ps -q | xargs \
                  docker inspect --format '{{.State.Pid}}, {{.ID}}' |grep <ppid>

this will output something like this

<ppid>, <container Id>

Then we can inspect the container Id and get all the information about the container

docker inspect <container Id> 


The solution for the docker command come from

Alexandros Sapranidis

Software engineer, keen on wearing many hat, current Senior Software Engineer @Elastic cloud

Athens, Greece