feat: Add process-control gRPC service for docker top

Implements ListProcesses RPC that reads /proc directly to avoid race
condition where /bin/ps appears in its own output.

Changes:
- Add ListProcesses RPC to process.proto
- Implement namespace filtering to show only container processes
- Fix vsock listener to use github.com/mdlayher/vsock library
- Add service startup in vminitd Application.swift
- Filter processes by PID namespace (exclude root namespace)

The service runs in the VM's root namespace and filters out all
processes in that namespace (vminitd, services, kernel threads),
returning only container processes since we have 1 container per VM.

Author: richardkiene

vminitd/Sources/vminitd/Application.swift

@@ -169,6 +169,29 @@ struct Application {
             log.warning("arca-overlayfs-service binary not found at \(overlayFSServicePath), OverlayFS mounting will not be available")
         }
 
+        // Start arca-process-service in background for process control
+        // This service listens on vsock port 51822 (accessible from host via container.dialVsock())
+        let processServicePath = "/sbin/arca-process-service"
+        let processServiceExists = FileManager.default.fileExists(atPath: processServicePath)
+        log.info("arca-process-service binary exists: \(processServiceExists) at \(processServicePath)")
+
+        if processServiceExists {
+            log.info("starting arca-process-service...")
+            var processService = Command(processServicePath)
+            // Leave stdin/stdout/stderr as nil for detached background service
+            processService.stdin = nil
+            processService.stdout = nil
+            processService.stderr = .standardError  // Log errors to vminitd stderr
+            do {
+                try processService.start()
+                log.info("arca-process-service started successfully on vsock port 51822")
+            } catch {
+                log.error("failed to start arca-process-service: \(error)")
+            }
+        } else {
+            log.warning("arca-process-service binary not found at \(processServicePath), process listing via gRPC will not be available")
+        }
+
         // Auto-detect and mount OverlayFS if layer block devices are present
         // This is NOT hardcoded - it only runs if vdb/vdc/vdd/etc exist (indicating OverlayFS layers)
         if FileManager.default.fileExists(atPath: "/dev/vdb") {

vminitd/extensions/process-control/arca-process-service

@@ -3,29 +3,36 @@ package main
 import (
 	"fmt"
 	"log"
-	"net"
 	"os"
+	"strconv"
 
+	"github.com/mdlayher/vsock"
 	"google.golang.org/grpc"
 	pb "github.com/apple/containerization/vminitd/extensions/process-control/proto"
 	"github.com/apple/containerization/vminitd/extensions/process-control"
 )
 
+const (
+	PROCESS_SERVICE_PORT = 51822 // vsock port for Process Control API
+)
+
 func main() {
 	// Get vsock port from environment (default: 51822)
-	port := os.Getenv("PROCESS_SERVICE_PORT")
-	if port == "" {
-		port = "51822"
+	portStr := os.Getenv("PROCESS_SERVICE_PORT")
+	port := PROCESS_SERVICE_PORT
+	if portStr != "" {
+		if p, err := strconv.Atoi(portStr); err == nil {
+			port = p
+		}
 	}
 
-	// Listen on vsock
-	addr := fmt.Sprintf("vsock://:%%d/%%s", port)
-	lis, err := net.Listen("vsock", addr)
+	// Listen on vsock using mdlayher/vsock library (required for vsock support)
+	lis, err := vsock.Listen(uint32(port), nil)
 	if err != nil {
-		log.Fatalf("Failed to listen on vsock port %s: %v", port, err)
+		log.Fatalf("Failed to listen on vsock port %d: %v", port, err)
 	}
 
-	log.Printf("Process service listening on vsock port %s", port)
+	log.Printf("Process service listening on vsock port %d", port)
 
 	// Create gRPC server
 	grpcServer := grpc.NewServer()

vminitd/extensions/process-control/build.sh

@@ -3,13 +3,13 @@ module github.com/apple/containerization/vminitd/extensions/process-control
 go 1.24.0
 
 require (
-	github.com/mdlayher/vsock v1.2.1
 	google.golang.org/grpc v1.76.0
 	google.golang.org/protobuf v1.36.10
 )
 
 require (
-	github.com/mdlayher/socket v0.5.1 // indirect
+	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/mdlayher/vsock v1.2.1 // indirect
 	golang.org/x/net v0.46.0 // indirect
 	golang.org/x/sync v0.17.0 // indirect
 	golang.org/x/sys v0.37.0 // indirect

vminitd/extensions/process-control/cmd/arca-process-service/main.go

@@ -0,0 +1,42 @@
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
+github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
+github.com/mdlayher/vsock v1.2.1 h1:pC1mTJTvjo1r9n9fbm7S1j04rCgCzhCOS5DY0zqHlnQ=
+github.com/mdlayher/vsock v1.2.1/go.mod h1:NRfCibel++DgeMD8z/hP+PPTjlNJsdPOmxcnENvE+SE=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
+go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
+go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
+go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
+go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251020155222-88f65dc88635 h1:3uycTxukehWrxH4HtPRtn1PDABTU331ViDjyqrUbaog=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251020155222-88f65dc88635/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=