Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jpetazzo/nsenter
https://github.com/jpetazzo/nsenter
Last synced: 3 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/jpetazzo/nsenter
- Owner: jpetazzo
- License: apache-2.0
- Archived: true
- Created: 2014-06-20T00:56:30.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2020-05-27T13:07:06.000Z (over 4 years ago)
- Last Synced: 2024-09-21T22:33:11.395Z (3 months ago)
- Language: Shell
- Size: 43.9 KB
- Stars: 2,591
- Watchers: 85
- Forks: 269
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-docker - ns-enter - no more ssh, enter name spaces of container by [@jpetazzo][jpetazzo] (Container Operations / User Interface)
- awesome-docker - ns-enter - :skull: no more ssh, enter name spaces of container by [@jpetazzo][jpetazzo] (Container Operations / User Interface)
README
# Looking to start a shell inside a Docker container?
Starting from Docker 1.3 you can use [Docker exec](https://docs.docker.com/reference/commandline/cli/#exec) to enter a Docker container. Example:
docker exec -it CONTAINER_NAME /bin/bash
There are differences between nsenter and docker exec; namely, nsenter doesn't enter the cgroups, and therefore evades resource limitations. The potential benefit of this would be debugging and external audit, but for remote access, **docker exec is the current recommended approach**.
**Important notice:** this repository was useful in the early days of Docker, because `nsenter` was missing from major distributions back then. `nsenter` was written in early 2013, and included in `util-linux` release 2.23. If we look at Ubuntu LTS releases, `trusty` (14.04) shipped `util-linux` 2.20, and `xenial` (16.04) shipped 2.27. In other words, if you were using Ubuntu LTS, you had to wait until 2016 to get `nsenter` through the main, official packages. That being said, all modern distros now ship with `nsenter`, and this repository is no longer useful, except for historical or curiosity purposes. **It is no longer maintained.**
## nsenter in a can
This is a small Docker recipe to build `nsenter` easily and install it in your
system.## What is `nsenter`?
It is a small tool allowing to `enter` into `n`ame`s`paces. Technically,
it can enter existing namespaces, or spawn a process into a new set of
namespaces. "What are those namespaces you're blabbering about?"
We are talking about [container namespaces].`nsenter` can do many useful things, but the main reason why I'm so
excited about it is because it lets you [enter into a Docker container].## Why build `nsenter` in a container?
This is because my preferred distros (Debian and Ubuntu) ship with an
outdated version of `util-linux` (the package that should contain `nsenter`).
Therefore, if you need `nsenter` on those distros, you have to juggle with
APT repository, or compile from source, or… Ain't nobody got time for that.I'm going to make a very bold assumption: if you landed here, it's because
you want to enter a Docker container. Therefore, you won't mind if my
method to build `nsenter` uses Docker itself.## How do I install `nsenter` with this?
If you want to install `nsenter` into `/usr/local/bin`, just do this:
docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter
The `jpetazzo/nsenter` container will detect that `/target` is a
mountpoint, and it will copy the `nsenter` binary into it.If you don't trust me, and prefer to extract the `nsenter` binary,
rather than allowing my container to potentially wreak havoc into
your system's `$PATH`, you can also do this:docker run --rm jpetazzo/nsenter cat /nsenter > /tmp/nsenter && chmod +x /tmp/nsenter
Then do whatever you want with the binary in `/tmp/nsenter`.
## How do I *use* `nsenter`?
First, figure out the PID of the container you want to enter:
PID=$(docker inspect --format {{.State.Pid}} )
Then enter the container:
nsenter --target $PID --mount --uts --ipc --net --pid
## What's that docker-enter thing?
It's just a small shell script that wraps up the steps described above into
a tiny helper. It takes the name or ID of a container and optionally the name
of a program to execute inside the namespace. If no command is specified a
shell will be invoked instead.# list the root filesystem
docker-enter my_awesome_container ls -la## Docker toolbox usage for OS X or Windows user
### SSH to the Docker Toolbox virtual machine
docker-machine ssh default
### Install nsenter, docker-enter, and importenv into the VM
docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter
You can also install `nsenter` to another folder. In that case, you will
need to specify the full path of `nsenter` to run it.docker run --rm -v /tmp:/target jpetazzo/nsenter
### Using nsenter
List running containers:
docker ps
Identify the ID of the container that you want to get into; and retrieve
its associated PID:PID=$(docker inspect --format {{.State.Pid}} 08a2a025e05f)
Enter the container:
sudo nsenter --target $PID --mount --uts --ipc --net --pid
Remember to run those commands in the Docker Toolbox virtual machine; not
in your host environment.### Using docker-enter
With `docker-enter`, you don't need to lookup the container PID.
You can get a shell inside the container:
docker-enter 08a2a025e05f
Or run commands directly:
docker-enter 08a2a025e05f ls /var/log
docker-enter 08a2a025e05f df -h## docker-enter with boot2docker
If you are using boot2docker, you can use the function below, to:
- install `nsenter` and `docker-enter` into boot2docker's /var/lib/boot2docker/ directory,
so they survive restarts.
- execute `docker-enter` inside of boot2docker combined with ssh```
docker-enter() {
boot2docker ssh '[ -f /var/lib/boot2docker/nsenter ] || docker run --rm -v /var/lib/boot2docker/:/target jpetazzo/nsenter'
boot2docker ssh -t sudo /var/lib/boot2docker/docker-enter "$@"
}
```You can use it directly from your host (OS X/Windows), no need to ssh into boot2docker.
## Caveats
- This only works on Intel 64 bits platforms. It should be relatively
easy to adapt to other architectures, though.
- `nsenter` still needs to run from the host; it cannot run inside a
container (yet).[container namespaces]: https://www.youtube.com/watch?v=sK5i-N34im8
[enter into a Docker container]: http://jpetazzo.github.io/2014/03/23/lxc-attach-nsinit-nsenter-docker-0-9/
[Debugging a Docker container]: http://blog.loof.fr/2014/06/debugging-docker-container.html
[Nicolas De Loof]: https://twitter.com/ndeloof