簡介:
nsenter命令是一個可以在指定進程的命令空間下運行指定程序的命令。它位於util-linux包中。
用途:
一個最典型的用途就是進入容器的網絡命令空間。相當多的容器為了輕量級,是不包含較為基礎的命令的,比如說 ip address,ping,telnet,ss,tcpdump 等等命令,這就給調試容器網絡帶來相當大的困擾:只能通過 docker inspect ContainerID 命令獲取到容器IP,以及無法測試和其他網絡的連通性。這時就可以使用nsenter命令僅進入該容器的網絡命名空間,使用宿主機的命令調試容器網絡。此外,nsenter也可以進入 mnt, uts, ipc, pid, user 命令空間,以及指定根目錄和工作目錄。
原理
namespace是Linux中一些進程的屬性的作用域,使用命名空間,可以隔離不同的進程。
Linux在不斷的添加命名空間,目前有:
mount:掛載命名空間,使進程有一個獨立的掛載文件系統,始於Linux 2.4.19
ipc:ipc命名空間,使進程有一個獨立的ipc,包括消息隊列,共享內存和信號量,始於Linux 2.6.19
uts:uts命名空間,使進程有一個獨立的hostname和domainname,始於Linux 2.6.19
net:network命令空間,使進程有一個獨立的網絡棧,始於Linux 2.6.24
pid:pid命名空間,使進程有一個獨立的pid空間,始於Linux 2.6.24
user:user命名空間,是進程有一個獨立的user空間,始於Linux 2.6.23,結束於Linux 3.8
cgroup:cgroup命名空間,使進程有一個獨立的cgroup控制組,始於Linux 4.6
Linux的每個進程都具有命名空間,可以在/proc/PID/ns目錄中看到命名空間的文件描述符。
使用
nsenter [options] [program [arguments]]
options:
-t, --target pid:指定被進入命名空間的目標進程的pid
-m, --mount[=file]:進入mount命令空間。如果指定了file,則進入file的命令空間
-u, --uts[=file]:進入uts命令空間。如果指定了file,則進入file的命令空間
-i, --ipc[=file]:進入ipc命令空間。如果指定了file,則進入file的命令空間
-n, --net[=file]:進入net命令空間。如果指定了file,則進入file的命令空間
-p, --pid[=file]:進入pid命令空間。如果指定了file,則進入file的命令空間
-U, --user[=file]:進入user命令空間。如果指定了file,則進入file的命令空間
-G, --setgid gid:設置運行程序的gid
-S, --setuid uid:設置運行程序的uid
-r, --root[=directory]:設置根目錄
-w, --wd[=directory]:設置工作目錄
如果沒有給出program,則默認執行$SHELL。
示例
切換宿主機網絡為nginx容器網絡
1、使用 docker inspect 命令查看docker容器的元數據
[root@chenshifengdeLinuxServer ~]# docker inspect nginx
[
{
"Id": "658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71",
"Created": "2020-12-10T17:11:28.119940264Z",
"Path": "/docker-entrypoint.sh",
"Args": [
"nginx",
"-g",
"daemon off;"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 25102,
"ExitCode": 0,
"Error": "",
"StartedAt": "2020-12-10T17:11:28.335837918Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:2562b6bef9769b637d47ec31284ac0f1a7facef498ab97753623b13c502cddce",
"ResolvConfPath": "/var/lib/docker/containers/658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71/hostname",
"HostsPath": "/var/lib/docker/containers/658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71/hosts",
"LogPath": "",
"Name": "/nginx",
"RestartCount": 0,
"Driver": "overlay2",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": [
"/root/nginx/html:/usr/share/nginx/html"
],
"ContainerIDFile": "",
"LogConfig": {
"Type": "journald",
"Config": {}
},
"NetworkMode": "default",
"PortBindings": {
"80/tcp": [
{
"HostIp": "",
"HostPort": "80"
}
]
},
"RestartPolicy": {
"Name": "no",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": null,
"CapDrop": null,
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "docker-runc",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": -1,
"OomKillDisable": false,
"PidsLimit": 0,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0
},
"GraphDriver": {
"Name": "overlay2",
"Data": {
"LowerDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f-init/diff:/var/lib/docker/overlay2/04a83ee244f02ebd992152c91ed5685b194a41f23f6175df47e1b3e72d7f9bf7/diff:/var/lib/docker/overlay2/10171c09dcf802d7d43c5b1fd6f60252d367fcdd745ceb2c45da4e104c101681/diff:/var/lib/docker/overlay2/edd89c4a5d470635c2e42301c01c025cf4f8883743ae093bad635d68741f3f69/diff:/var/lib/docker/overlay2/d5ec2c2adb123fcf2d682c1856d147a413d0bafdc6151b46ef74cd015784d8a2/diff:/var/lib/docker/overlay2/c7ad6967e5e5e3bd0b8404ebd3f035c8f74f87c5aa6358e208c255c3cde91ba7/diff",
"MergedDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f/merged",
"UpperDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f/diff",
"WorkDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f/work"
}
},
"Mounts": [
{
"Type": "bind",
"Source": "/root/nginx/html",
"Destination": "/usr/share/nginx/html",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
}
],
"Config": {
"Hostname": "658a885b6cf2",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NGINX_VERSION=1.18.0",
"NJS_VERSION=0.4.4",
"PKG_RELEASE=2~buster"
],
"Cmd": [
"nginx",
"-g",
"daemon off;"
],
"Image": "nginx:1.18.0",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": [
"/docker-entrypoint.sh"
],
"OnBuild": null,
"Labels": {
"maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>"
},
"StopSignal": "SIGQUIT"
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "8f69de828be9edda6d474c8342d8a343fd2d914507a7765c9b2d563e0ac757f8",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {
"80/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "80"
}
]
},
"SandboxKey": "/var/run/docker/netns/8f69de828be9",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "cce12c9d43fa3e6829b695808f8c304555638a64f2309c5c8c17d284cf815994",
"Gateway": "172.18.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.18.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:12:00:02",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "226951a6fb41ee81a97a905f8a3b9bd6b1dd54a549dd38c2b74db4bb44017770",
"EndpointID": "cce12c9d43fa3e6829b695808f8c304555638a64f2309c5c8c17d284cf815994",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:12:00:02"
}
}
}
}
]
獲取PID為 "Pid": 25102,進入/proc/25102/ns目錄下
/proc/25102目錄下為該進程的所有信息,/proc/25102/ns目錄下為該進程的名稱空間的信息
[root@chenshifengdeLinuxServer ns]# ll
總用量 0
lrwxrwxrwx 1 root root 0 12月 28 22:00 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 12月 28 22:00 ipc -> ipc:[4026532219]
lrwxrwxrwx 1 root root 0 12月 11 01:11 mnt -> mnt:[4026532217]
lrwxrwxrwx 1 root root 0 12月 11 01:11 net -> net:[4026532222]
lrwxrwxrwx 1 root root 0 12月 11 01:12 pid -> pid:[4026532220]
lrwxrwxrwx 1 root root 0 12月 28 22:00 pid_for_children -> pid:[4026532220]
lrwxrwxrwx 1 root root 0 12月 28 22:00 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 12月 28 22:00 uts -> uts:[4026532218]
user:用戶名稱空間
pid:進程名稱空間
net:網絡名稱空間
mnt:掛載目錄名稱空間
ipc :ipc通信名稱空間
2、使用命令nsenter -t 25102 -n 切換為容器網絡
[root@chenshifengdeLinuxServer ~]# nsenter -t 25102 -n
[root@chenshifengdeLinuxServer ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.2 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:acff:fe12:2 prefixlen 64 scopeid 0x20<link>
ether 02:42:ac:12:00:02 txqueuelen 0 (Ethernet)
RX packets 34095 bytes 3109711 (2.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25625 bytes 16668777 (15.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
使用exit命令退出容器網絡
[root@chenshifengdeLinuxServer ~]# exit
登出
[root@chenshifengdeLinuxServer ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:baff:fea1:5f8 prefixlen 64 scopeid 0x20<link>
ether 02:42:ba:a1:05:f8 txqueuelen 0 (Ethernet)
RX packets 32635 bytes 22231242 (21.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41087 bytes 3746534 (3.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.213.9 netmask 255.255.240.0 broadcast 172.17.223.255
inet6 fe80::216:3eff:fe12:80fa prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:12:80:fa txqueuelen 1000 (Ethernet)
RX packets 1557138 bytes 1241609285 (1.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 901143 bytes 161155319 (153.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 75 bytes 6018 (5.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 75 bytes 6018 (5.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth693751f: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::9c0c:beff:fe14:ded4 prefixlen 64 scopeid 0x20<link>
ether 9e:0c:be:14:de:d4 txqueuelen 0 (Ethernet)
RX packets 25625 bytes 16668777 (15.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34095 bytes 3109711 (2.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethba13b4b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::ac08:d6ff:fe19:21f0 prefixlen 64 scopeid 0x20<link>
ether ae:08:d6:19:21:f0 txqueuelen 0 (Ethernet)
RX packets 6881 bytes 5984757 (5.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7629 bytes 659725 (644.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@chenshifengdeLinuxServer ~]#