How to use nsenter on CentOS
Introduction
The nsenter command is a command that can run a specified program in a specified process’s command namespace. It is located in the util-linux package.
Purpose
A most typical use is to enter the network command namespace of a container. Many containers, for the sake of being lightweight, do not include basic commands such as ip address, ping, telnet, ss, tcpdump, etc. This brings considerable difficulties to debugging the container network: only the container IP can be obtained through the docker inspect ContainerID command, and testing and connectivity with other networks cannot be tested. At this point, you can use the nsenter command to enter only the network namespace of the container, and debug the container network using the host machine’s command.
Usage
[root@nacos1 ~]# nsenter --help
Usage:
nsenter [options] <program> [<argument>...]
Run a program with namespaces of other processes.
Options:
-t, --target <pid> target process to get namespaces from
-m, --mount[=<file>] enter mount namespace # Enter the mount command namespace. If file is specified, enter the command namespace of the file
-u, --uts[=<file>] enter UTS namespace (hostname etc) # Enter the UTS command namespace. If file is specified, enter the command namespace of the file
-i, --ipc[=<file>] enter System V IPC namespace # Enter the ipc command namespace. If file is specified, enter the command namespace of the file
-n, --net[=<file>] enter network namespace # Enter the net command namespace. If file is specified, enter the command namespace of the file
-p, --pid[=<file>] enter pid namespace # Enter the pid command namespace. If file is specified, enter the command namespace of the file
-U, --user[=<file>] enter user namespace # Enter the user command namespace. If file is specified, enter the command namespace of the file
-S, --setuid <uid> set uid in entered namespace # Set the uid of the program to be run
-G, --setgid <gid> set gid in entered namespace # Set the gid of the program to be run
--preserve-credentials do not touch uids or gids
-r, --root[=<dir>] set the root directory # Set the root directory
-w, --wd[=<dir>] set the working directory # Set the working directory
-F, --no-fork do not fork before executing <program>
-Z, --follow-context set SELinux context according to --target PID
-h, --help display this help and exit
-V, --version output version information and exit
For more details see nsenter(1).
Installation
util-linux is an open source software package that is a basic tool suite for any Linux system. It contains some standard Unix tools, such as login. The util-linux software package contains many tools. Among the more important are loading, unloading, formatting, partitioning, and managing hard drives, opening tty ports, and getting kernel messages.
yum installation
yum install -y util-linux
Example
Run an openjdk:8-jdk-alpine container and check the pid of the container:
# Query the pid of the container
[root@nacos1 ~]# docker inspect -f {{.State.Pid}} 61716a014554
26654
# Use the nsenter command to enter the network command namespace of the container
[root@nacos1 ~]# nsenter -n -t26654
[root@nacos1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2277: eth0@if2278: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@nacos1 ~]# exit
Logout
In Kubernetes, before obtaining the container pid, you need to obtain the container ID, which can be obtained using the following command:
kubectl get pod test -o yaml |grep containerID
- containerID: docker://2bdaa26f378b8162482f94bbee636c09fd9c31e6c365e3af595ef4c32346b16b