Usage of nsenter on CentOS Linux
Introduction
The nsenter command runs a specified program in the namespaces of a specified process. It is part of the util-linux package.
Purpose
A typical use is to enter the network namespace of a container. To stay lightweight, many containers do not include basic commands such as ip address, ping, telnet, ss, tcpdump, etc. This makes debugging the container network considerably harder: only the container IP can be obtained through the docker inspect ContainerID command, and connectivity with other networks cannot be tested. In this situation, you can use the nsenter command to enter only the network namespace of the container and debug the container network using the host machine's commands.
Usage
[root@nacos1 ~]# nsenter --help
Usage:
nsenter [options] <program> [<argument>...]
Run a program with namespaces of other processes.
Options:
-t, --target <pid> target process to get namespaces from
-m, --mount[=<file>] enter mount namespace # Enter the mount namespace. If file is specified, enter the namespace the file refers to
-u, --uts[=<file>] enter UTS namespace (hostname etc) # Enter the UTS namespace. If file is specified, enter the namespace the file refers to
-i, --ipc[=<file>] enter System V IPC namespace # Enter the IPC namespace. If file is specified, enter the namespace the file refers to
-n, --net[=<file>] enter network namespace # Enter the network namespace. If file is specified, enter the namespace the file refers to
-p, --pid[=<file>] enter pid namespace # Enter the PID namespace. If file is specified, enter the namespace the file refers to
-U, --user[=<file>] enter user namespace # Enter the user namespace. If file is specified, enter the namespace the file refers to
-S, --setuid <uid> set uid in entered namespace # Set the uid of the program to be run
-G, --setgid <gid> set gid in entered namespace # Set the gid of the program to be run
--preserve-credentials do not touch uids or gids
-r, --root[=<dir>] set the root directory # Set the root directory
-w, --wd[=<dir>] set the working directory # Set the working directory
-F, --no-fork do not fork before executing <program>
-Z, --follow-context set SELinux context according to --target PID
-h, --help display this help and exit
-V, --version output version information and exit
For more details see nsenter(1).
Installation
util-linux is an open source software package that provides a basic tool suite for any Linux system. It contains some standard Unix tools, such as login, along with many others. Among the more important are tools for mounting, unmounting, formatting, partitioning, and managing hard drives, opening tty ports, and getting kernel messages.
yum installation
yum install -y util-linux
Example
Run an openjdk:8-jdk-alpine container and check the pid of the container:
# Query the pid of the container
[root@nacos1 ~]# docker inspect -f {{.State.Pid}} 61716a014554
26654
# Use the nsenter command to enter the network namespace of the container
[root@nacos1 ~]# nsenter -n -t26654
[root@nacos1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2277: eth0@if2278: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@nacos1 ~]# exit
Logout
In Kubernetes, before obtaining the container pid, you need to obtain the container ID, which can be obtained using the following command:
kubectl get pod test -o yaml |grep containerID
- containerID: docker://2bdaa26f378b8162482f94bbee636c09fd9c31e6c365e3af595ef4c32346b16b
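The steps above combined into one helper, as an added example that is not part of the original page: it takes the containerID as printed by kubectl, validates it, resolves the PID with docker inspect and runs a single host command in the container's network namespace. The function names are hypothetical, and it assumes the Docker runtime and a root shell on the node that hosts the pod.

```sh
#!/bin/sh
# Added example (hypothetical helper names): containerID -> PID -> nsenter.

# Strip the runtime prefix ("docker://") and accept only a 64-character
# lowercase hex ID, so nothing unexpected is handed to docker inspect.
container_id_from_k8s() {
    id="${1#*://}"
    case "$id" in
        ''|*[!0-9a-f]*) echo "unexpected containerID: $1" >&2; return 1 ;;
    esac
    [ "${#id}" -eq 64 ] || { echo "unexpected containerID length: $1" >&2; return 1; }
    printf '%s\n' "$id"
}

# Resolve the container's PID on this host. docker reports 0 for a
# container that is not running, which must never be passed to nsenter.
container_pid() {
    cpid="$(docker inspect -f '{{.State.Pid}}' "$1")" || return 1
    case "$cpid" in
        ''|0|*[!0-9]*) echo "container $1 is not running" >&2; return 1 ;;
    esac
    printf '%s\n' "$cpid"
}

# Run ONE host command in the container's network namespace only.
# Mount, PID and user namespaces stay the host's, so host binaries are
# used, and no interactive shell is left open inside the namespace.
netns_run() {
    raw_id="$1"; shift
    cid="$(container_id_from_k8s "$raw_id")" || return 1
    cpid="$(container_pid "$cid")" || return 1
    nsenter -t "$cpid" -n -- "$@"
}

# Usage, with the containerID value from the kubectl output:
#   netns_run docker://<containerID> ip a
#   netns_run docker://<containerID> ss -tlnp
```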
Disclaimer
- Licensed under CC BY-NC 4.0
- Copyright issue feedback: me#imzye.com, replace # with @
- Not all the commands and scripts are tested in production environment, use at your own risk
- No personal information is collected
- Partial content rewritten by AI, verified by humans