Worked examples: let nsenter show you the network from a "God's-eye" perspective

Abstract: This article focuses on entering the "network ns" of a target process, that is, looking at the network world inside a container from the "perspective of a process in the container" and executing commands from that perspective.

This article is shared from Huawei Cloud Community " Learning Cloud Network with Teacher Tang" - nsenter Magic Wand , author: tsjsdbd.

Sometimes the software you need is missing from a Docker container. For example, basic packages such as curl, wget, ifconfig, ip and tcpdump are absent, so nothing can be done, which drives people crazy.

[root@tsjsdbd home]# docker exec -it 8402 /bin/bash
root@8402d89fe04a:/# ifconfig
bash: ifconfig: command not found
root@8402d89fe04a:/# ip
bash: ip: command not found
root@8402d89fe04a:/# tcpdump
bash: tcpdump: command not found
root@8402d89fe04a:/# curl
bash: curl: command not found
root@8402d89fe04a:/# nslookup
bash: nslookup: command not found
root@8402d89fe04a:/# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Faced with such a container image, locating a problem becomes very difficult: after you enter the container, you have to reinstall all kinds of basic software before you can run a single command, which is very troublesome.

At this point we have to pick up the magic wand "nsenter" and wave it on the host.

nsenter, as the name suggests, "enters namespaces": the nsenter command can enter the namespace view of a specified target process.

So nsenter can look at the world from the "perspective" of the specified process. This article focuses on entering the "network ns" of a target process, that is, looking at the network world inside the container from the "perspective of the process in the container" and executing commands from that perspective.

First, we need to find the process ID that owns the "target ns" we want to enter. That is, the root process in the container:

[root@tsjsdbd ubuntu]# docker inspect 8402d89fe04a
[
    {
        "Id": "8402d89fe04a7e161faf8a01a86c47f8402d4c8d7207b6897d8e6d661d670df4",
        "State": {
            "Status": "running",
            "Pid": 18751,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2023-05-10T03:12:19.221460059Z",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },

The "boss" of the container is process number 18751.

So we target this process directly on the host and enter its "perspective", and we can see the world inside the container. And since we, the controller, are still on the host, we can run any command line the host has.

As follows:

[root@tsjsdbd ubuntu]# nsenter -t 18751 -n ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 1688355  bytes 194318903 (185.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 138826  bytes 146246172 (139.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 13939  bytes 13140220 (12.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13939  bytes 13140220 (12.5 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

Other commands can be run the same way.

For example, the nslookup command is absent from the container and exists only on the host, yet we can run it inside the container's network namespace:

[root@tsjsdbd ubuntu]# nsenter -t 18751 -n nslookup www.baidu.com
Server:       10.129.2.34
Address:   10.129.2.34#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name:  www.a.shifen.com
Address: 14.119.104.254
Name:  www.a.shifen.com
Address: 14.119.104.189

In this way, debugging steps that could not be executed inside the container can still be completed.

More directly, if you omit the trailing command argument, you enter the "target perspective" directly and can run cli commands interactively:

[root@tsjsdbd ubuntu]# nsenter -t 18751 -n
# This enters interactive mode: when no command is given, the default is to run [the current bash]
[root@tsjsdbd ubuntu]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
4261: eth0@if4262: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
[root@tsjsdbd ubuntu]# curl
curl: try 'curl --help' or 'curl --manual' for more information
[root@tsjsdbd ubuntu]# tcpdump
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@tsjsdbd ubuntu]# exit
# Running exit leaves the "target perspective"

As you can see, all network-related cli command lines can be executed.

Moreover, these commands all run from the perspective of the container, so the effect is the same as running them inside the container (although they are launched from the host).

Similar to the movies "Source Code" and "The Matrix", we use a "person" in the outside world to control behavior in the "inner world". Hope you can follow the logic of this God's-eye perspective :-)

Summary usage:

(1) Find the target process PID

docker inspect xxx

(2) Execute specific cli commands directly

nsenter -n -t 822647 ifconfig

(3) Enter the container perspective and perform interactive cli

nsenter -n -t 822647
exit
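The two-step procedure above (docker inspect for the PID, then nsenter -n) wrapped in a small POSIX sh helper, as an added example that is not part of the original post. It assumes a Linux host with docker, nsenter and /proc, run as root; the function names (pid_from_inspect, net_exec, netns_of) and the embedded sample JSON are constructed for this illustration. The helper adds the check a practitioner wants before trusting the output: it refuses a PID of 0 (a stopped container reports Pid 0) and refuses to "enter" a process that already shares the host's network namespace, so a mis-typed PID cannot silently make you inspect the host instead of the container.

```shell
#!/bin/sh
# Added example (not from the original post): nsenter -n helper with sanity checks.
set -eu

# Constructed sample of the relevant part of `docker inspect` output.
SAMPLE_INSPECT='    "State": {
        "Status": "running",
        "Pid": 18751,'

# Extract the "Pid" value from docker inspect JSON text read from stdin.
pid_from_inspect() {
    sed -n 's/.*"Pid": *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Resolve a container id/name to the PID of its init process (step 1).
container_pid() {
    docker inspect "$1" | pid_from_inspect
}

# Network-namespace identity of a PID, e.g. "net:[4026532345]".
netns_of() {
    readlink "/proc/$1/ns/net"
}

# Run a command inside the target's network namespace only (step 2).
# Refuses PID 0 (stopped container) and a PID that shares our own netns.
net_exec() {
    pid=$1; shift
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "bad pid: $pid" >&2; return 1; }
    if [ "$(netns_of "$pid")" = "$(netns_of $$)" ]; then
        echo "pid $pid shares our network namespace; nothing to enter" >&2
        return 1
    fi
    nsenter -t "$pid" -n -- "$@"
}

# Usage: ./netns.sh <container> [command...]; no command drops into a shell.
if [ $# -gt 0 ]; then
    cid=$1; shift
    pid=$(container_pid "$cid")
    if [ $# -gt 0 ]; then net_exec "$pid" "$@"; else net_exec "$pid" "$SHELL"; fi
fi
```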



Origin my.oschina.net/u/4526289/blog/10086822