简介:
nsenter命令是一个可以在指定进程的命令空间下运行指定程序的命令。它位于util-linux包中。
用途:
一个最典型的用途就是进入容器的网络命令空间。相当多的容器为了轻量级,是不包含较为基础的命令的,比如说 ip address,ping,telnet,ss,tcpdump 等等命令,这就给调试容器网络带来相当大的困扰:只能通过 docker inspect ContainerID 命令获取到容器IP,以及无法测试和其他网络的连通性。这时就可以使用nsenter命令仅进入该容器的网络命名空间,使用宿主机的命令调试容器网络。此外,nsenter也可以进入 mnt, uts, ipc, pid, user 命令空间,以及指定根目录和工作目录。
原理
namespace是Linux中一些进程的属性的作用域,使用命名空间,可以隔离不同的进程。
Linux在不断的添加命名空间,目前有:
mount:挂载命名空间,使进程有一个独立的挂载文件系统,始于Linux 2.4.19
ipc:ipc命名空间,使进程有一个独立的ipc,包括消息队列,共享内存和信号量,始于Linux 2.6.19
uts:uts命名空间,使进程有一个独立的hostname和domainname,始于Linux 2.6.19
net:network命令空间,使进程有一个独立的网络栈,始于Linux 2.6.24
pid:pid命名空间,使进程有一个独立的pid空间,始于Linux 2.6.24
user:user命名空间,是进程有一个独立的user空间,始于Linux 2.6.23,结束于Linux 3.8
cgroup:cgroup命名空间,使进程有一个独立的cgroup控制组,始于Linux 4.6
Linux的每个进程都具有命名空间,可以在/proc/PID/ns目录中看到命名空间的文件描述符。
使用
nsenter [options] [program [arguments]]
options:
-t, --target pid:指定被进入命名空间的目标进程的pid
-m, --mount[=file]:进入mount命令空间。如果指定了file,则进入file的命令空间
-u, --uts[=file]:进入uts命令空间。如果指定了file,则进入file的命令空间
-i, --ipc[=file]:进入ipc命令空间。如果指定了file,则进入file的命令空间
-n, --net[=file]:进入net命令空间。如果指定了file,则进入file的命令空间
-p, --pid[=file]:进入pid命令空间。如果指定了file,则进入file的命令空间
-U, --user[=file]:进入user命令空间。如果指定了file,则进入file的命令空间
-G, --setgid gid:设置运行程序的gid
-S, --setuid uid:设置运行程序的uid
-r, --root[=directory]:设置根目录
-w, --wd[=directory]:设置工作目录
如果没有给出program,则默认执行$SHELL。
示例
切换宿主机网络为nginx容器网络
1、使用 docker inspect 命令查看docker容器的元数据
[root@chenshifengdeLinuxServer ~]# docker inspect nginx
[
{
"Id": "658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71",
"Created": "2020-12-10T17:11:28.119940264Z",
"Path": "/docker-entrypoint.sh",
"Args": [
"nginx",
"-g",
"daemon off;"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 25102,
"ExitCode": 0,
"Error": "",
"StartedAt": "2020-12-10T17:11:28.335837918Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:2562b6bef9769b637d47ec31284ac0f1a7facef498ab97753623b13c502cddce",
"ResolvConfPath": "/var/lib/docker/containers/658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71/hostname",
"HostsPath": "/var/lib/docker/containers/658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71/hosts",
"LogPath": "",
"Name": "/nginx",
"RestartCount": 0,
"Driver": "overlay2",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": [
"/root/nginx/html:/usr/share/nginx/html"
],
"ContainerIDFile": "",
"LogConfig": {
"Type": "journald",
"Config": {}
},
"NetworkMode": "default",
"PortBindings": {
"80/tcp": [
{
"HostIp": "",
"HostPort": "80"
}
]
},
"RestartPolicy": {
"Name": "no",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": null,
"CapDrop": null,
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "docker-runc",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": -1,
"OomKillDisable": false,
"PidsLimit": 0,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0
},
"GraphDriver": {
"Name": "overlay2",
"Data": {
"LowerDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f-init/diff:/var/lib/docker/overlay2/04a83ee244f02ebd992152c91ed5685b194a41f23f6175df47e1b3e72d7f9bf7/diff:/var/lib/docker/overlay2/10171c09dcf802d7d43c5b1fd6f60252d367fcdd745ceb2c45da4e104c101681/diff:/var/lib/docker/overlay2/edd89c4a5d470635c2e42301c01c025cf4f8883743ae093bad635d68741f3f69/diff:/var/lib/docker/overlay2/d5ec2c2adb123fcf2d682c1856d147a413d0bafdc6151b46ef74cd015784d8a2/diff:/var/lib/docker/overlay2/c7ad6967e5e5e3bd0b8404ebd3f035c8f74f87c5aa6358e208c255c3cde91ba7/diff",
"MergedDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f/merged",
"UpperDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f/diff",
"WorkDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f/work"
}
},
"Mounts": [
{
"Type": "bind",
"Source": "/root/nginx/html",
"Destination": "/usr/share/nginx/html",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
}
],
"Config": {
"Hostname": "658a885b6cf2",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NGINX_VERSION=1.18.0",
"NJS_VERSION=0.4.4",
"PKG_RELEASE=2~buster"
],
"Cmd": [
"nginx",
"-g",
"daemon off;"
],
"Image": "nginx:1.18.0",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": [
"/docker-entrypoint.sh"
],
"OnBuild": null,
"Labels": {
"maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>"
},
"StopSignal": "SIGQUIT"
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "8f69de828be9edda6d474c8342d8a343fd2d914507a7765c9b2d563e0ac757f8",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {
"80/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "80"
}
]
},
"SandboxKey": "/var/run/docker/netns/8f69de828be9",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "cce12c9d43fa3e6829b695808f8c304555638a64f2309c5c8c17d284cf815994",
"Gateway": "172.18.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.18.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:12:00:02",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "226951a6fb41ee81a97a905f8a3b9bd6b1dd54a549dd38c2b74db4bb44017770",
"EndpointID": "cce12c9d43fa3e6829b695808f8c304555638a64f2309c5c8c17d284cf815994",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:12:00:02"
}
}
}
}
]
获取PID为 "Pid": 25102,进入/proc/25102/ns目录下
/proc/25102目录下为该进程的所有信息,/proc/25102/ns目录下为该进程的名称空间的信息
[root@chenshifengdeLinuxServer ns]# ll
总用量 0
lrwxrwxrwx 1 root root 0 12月 28 22:00 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 12月 28 22:00 ipc -> ipc:[4026532219]
lrwxrwxrwx 1 root root 0 12月 11 01:11 mnt -> mnt:[4026532217]
lrwxrwxrwx 1 root root 0 12月 11 01:11 net -> net:[4026532222]
lrwxrwxrwx 1 root root 0 12月 11 01:12 pid -> pid:[4026532220]
lrwxrwxrwx 1 root root 0 12月 28 22:00 pid_for_children -> pid:[4026532220]
lrwxrwxrwx 1 root root 0 12月 28 22:00 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 12月 28 22:00 uts -> uts:[4026532218]
user:用户名称空间
pid:进程名称空间
net:网络名称空间
mnt:挂载目录名称空间
ipc :ipc通信名称空间
2、使用命令nsenter -t 25102 -n 切换为容器网络
[root@chenshifengdeLinuxServer ~]# nsenter -t 25102 -n
[root@chenshifengdeLinuxServer ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.2 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:acff:fe12:2 prefixlen 64 scopeid 0x20<link>
ether 02:42:ac:12:00:02 txqueuelen 0 (Ethernet)
RX packets 34095 bytes 3109711 (2.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25625 bytes 16668777 (15.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
使用exit命令退出容器网络
[root@chenshifengdeLinuxServer ~]# exit
登出
[root@chenshifengdeLinuxServer ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:baff:fea1:5f8 prefixlen 64 scopeid 0x20<link>
ether 02:42:ba:a1:05:f8 txqueuelen 0 (Ethernet)
RX packets 32635 bytes 22231242 (21.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41087 bytes 3746534 (3.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.213.9 netmask 255.255.240.0 broadcast 172.17.223.255
inet6 fe80::216:3eff:fe12:80fa prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:12:80:fa txqueuelen 1000 (Ethernet)
RX packets 1557138 bytes 1241609285 (1.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 901143 bytes 161155319 (153.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 75 bytes 6018 (5.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 75 bytes 6018 (5.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth693751f: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::9c0c:beff:fe14:ded4 prefixlen 64 scopeid 0x20<link>
ether 9e:0c:be:14:de:d4 txqueuelen 0 (Ethernet)
RX packets 25625 bytes 16668777 (15.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34095 bytes 3109711 (2.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethba13b4b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::ac08:d6ff:fe19:21f0 prefixlen 64 scopeid 0x20<link>
ether ae:08:d6:19:21:f0 txqueuelen 0 (Ethernet)
RX packets 6881 bytes 5984757 (5.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7629 bytes 659725 (644.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@chenshifengdeLinuxServer ~]#