Linux nsenter 命令简介及 切换宿主机网络为docker容器网络实践
简介:
nsenter命令是一个可以在指定进程的命令空间下运行指定程序的命令。它位于util-linux包中。
用途:
一个最典型的用途就是进入容器的网络命令空间。相当多的容器为了轻量级,是不包含较为基础的命令的,比如说 ip address,ping,telnet,ss,tcpdump 等等命令,这就给调试容器网络带来相当大的困扰:只能通过 docker inspect ContainerID 命令获取到容器IP,以及无法测试和其他网络的连通性。这时就可以使用nsenter命令仅进入该容器的网络命名空间,使用宿主机的命令调试容器网络。此外,nsenter也可以进入 mnt, uts, ipc, pid, user 命令空间,以及指定根目录和工作目录。
原理
namespace是Linux中一些进程的属性的作用域,使用命名空间,可以隔离不同的进程。
Linux在不断的添加命名空间,目前有:
mount:挂载命名空间,使进程有一个独立的挂载文件系统,始于Linux 2.4.19
ipc:ipc命名空间,使进程有一个独立的ipc,包括消息队列,共享内存和信号量,始于Linux 2.6.19
uts:uts命名空间,使进程有一个独立的hostname和domainname,始于Linux 2.6.19
net:network命令空间,使进程有一个独立的网络栈,始于Linux 2.6.24
pid:pid命名空间,使进程有一个独立的pid空间,始于Linux 2.6.24
user:user命名空间,是进程有一个独立的user空间,始于Linux 2.6.23,结束于Linux 3.8
cgroup:cgroup命名空间,使进程有一个独立的cgroup控制组,始于Linux 4.6
Linux的每个进程都具有命名空间,可以在/proc/PID/ns目录中看到命名空间的文件描述符。
使用
nsenter [options] [program [arguments]] options: -t, --target pid:指定被进入命名空间的目标进程的pid -m, --mount[=file]:进入mount命令空间。如果指定了file,则进入file的命令空间 -u, --uts[=file]:进入uts命令空间。如果指定了file,则进入file的命令空间 -i, --ipc[=file]:进入ipc命令空间。如果指定了file,则进入file的命令空间 -n, --net[=file]:进入net命令空间。如果指定了file,则进入file的命令空间 -p, --pid[=file]:进入pid命令空间。如果指定了file,则进入file的命令空间 -U, --user[=file]:进入user命令空间。如果指定了file,则进入file的命令空间 -G, --setgid gid:设置运行程序的gid -S, --setuid uid:设置运行程序的uid -r, --root[=directory]:设置根目录 -w, --wd[=directory]:设置工作目录
如果没有给出program,则默认执行$SHELL。
示例
切换宿主机网络为nginx容器网络
1、使用 docker inspect 命令查看docker容器的元数据
[root@chenshifengdeLinuxServer ~]# docker inspect nginx [ { "Id": "658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71", "Created": "2020-12-10T17:11:28.119940264Z", "Path": "/docker-entrypoint.sh", "Args": [ "nginx", "-g", "daemon off;" ], "State": { "Status": "running", "Running": true, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 25102, "ExitCode": 0, "Error": "", "StartedAt": "2020-12-10T17:11:28.335837918Z", "FinishedAt": "0001-01-01T00:00:00Z" }, "Image": "sha256:2562b6bef9769b637d47ec31284ac0f1a7facef498ab97753623b13c502cddce", "ResolvConfPath": "/var/lib/docker/containers/658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71/resolv.conf", "HostnamePath": "/var/lib/docker/containers/658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71/hostname", "HostsPath": "/var/lib/docker/containers/658a885b6cf2061571f9ed0501ac3f78a57fa27e7415e867f378e51dba836b71/hosts", "LogPath": "", "Name": "/nginx", "RestartCount": 0, "Driver": "overlay2", "MountLabel": "", "ProcessLabel": "", "AppArmorProfile": "", "ExecIDs": null, "HostConfig": { "Binds": [ "/root/nginx/html:/usr/share/nginx/html" ], "ContainerIDFile": "", "LogConfig": { "Type": "journald", "Config": {} }, "NetworkMode": "default", "PortBindings": { "80/tcp": [ { "HostIp": "", "HostPort": "80" } ] }, "RestartPolicy": { "Name": "no", "MaximumRetryCount": 0 }, "AutoRemove": false, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "Dns": [], "DnsOptions": [], "DnsSearch": [], "ExtraHosts": null, "GroupAdd": null, "IpcMode": "", "Cgroup": "", "Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", "UsernsMode": "", "ShmSize": 67108864, "Runtime": "docker-runc", "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "Memory": 0, "NanoCpus": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": null, "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpuRealtimePeriod": 0, "CpuRealtimeRuntime": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": [], "DiskQuota": 0, "KernelMemory": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": -1, "OomKillDisable": false, "PidsLimit": 0, "Ulimits": null, "CpuCount": 0, "CpuPercent": 0, "IOMaximumIOps": 0, "IOMaximumBandwidth": 0 }, "GraphDriver": { "Name": "overlay2", "Data": { "LowerDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f-init/diff:/var/lib/docker/overlay2/04a83ee244f02ebd992152c91ed5685b194a41f23f6175df47e1b3e72d7f9bf7/diff:/var/lib/docker/overlay2/10171c09dcf802d7d43c5b1fd6f60252d367fcdd745ceb2c45da4e104c101681/diff:/var/lib/docker/overlay2/edd89c4a5d470635c2e42301c01c025cf4f8883743ae093bad635d68741f3f69/diff:/var/lib/docker/overlay2/d5ec2c2adb123fcf2d682c1856d147a413d0bafdc6151b46ef74cd015784d8a2/diff:/var/lib/docker/overlay2/c7ad6967e5e5e3bd0b8404ebd3f035c8f74f87c5aa6358e208c255c3cde91ba7/diff", "MergedDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f/merged", "UpperDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f/diff", "WorkDir": "/var/lib/docker/overlay2/a818c938a6f697f3faf90b9f4230247d9d816916d010e221129884ef14aea81f/work" } }, "Mounts": [ { "Type": "bind", "Source": "/root/nginx/html", "Destination": "/usr/share/nginx/html", "Mode": "", "RW": true, "Propagation": "rprivate" } ], "Config": { "Hostname": "658a885b6cf2", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "ExposedPorts": { "80/tcp": {} }, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "NGINX_VERSION=1.18.0", "NJS_VERSION=0.4.4", "PKG_RELEASE=2~buster" ], "Cmd": [ "nginx", "-g", "daemon off;" ], "Image": "nginx:1.18.0", "Volumes": null, "WorkingDir": "", "Entrypoint": [ "/docker-entrypoint.sh" ], "OnBuild": null, "Labels": { "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>" }, "StopSignal": "SIGQUIT" }, "NetworkSettings": { "Bridge": "", "SandboxID": "8f69de828be9edda6d474c8342d8a343fd2d914507a7765c9b2d563e0ac757f8", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": { "80/tcp": [ { "HostIp": "0.0.0.0", "HostPort": "80" } ] }, "SandboxKey": "/var/run/docker/netns/8f69de828be9", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "cce12c9d43fa3e6829b695808f8c304555638a64f2309c5c8c17d284cf815994", "Gateway": "172.18.0.1", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "172.18.0.2", "IPPrefixLen": 16, "IPv6Gateway": "", "MacAddress": "02:42:ac:12:00:02", "Networks": { "bridge": { "IPAMConfig": null, "Links": null, "Aliases": null, "NetworkID": "226951a6fb41ee81a97a905f8a3b9bd6b1dd54a549dd38c2b74db4bb44017770", "EndpointID": "cce12c9d43fa3e6829b695808f8c304555638a64f2309c5c8c17d284cf815994", "Gateway": "172.18.0.1", "IPAddress": "172.18.0.2", "IPPrefixLen": 16, "IPv6Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "MacAddress": "02:42:ac:12:00:02" } } } } ]
获取PID为 "Pid": 25102,进入/proc/25102/ns目录下
/proc/25102目录下为该进程的所有信息,/proc/25102/ns目录下为该进程的名称空间的信息
[root@chenshifengdeLinuxServer ns]# ll 总用量 0 lrwxrwxrwx 1 root root 0 12月 28 22:00 cgroup -> cgroup:[4026531835] lrwxrwxrwx 1 root root 0 12月 28 22:00 ipc -> ipc:[4026532219] lrwxrwxrwx 1 root root 0 12月 11 01:11 mnt -> mnt:[4026532217] lrwxrwxrwx 1 root root 0 12月 11 01:11 net -> net:[4026532222] lrwxrwxrwx 1 root root 0 12月 11 01:12 pid -> pid:[4026532220] lrwxrwxrwx 1 root root 0 12月 28 22:00 pid_for_children -> pid:[4026532220] lrwxrwxrwx 1 root root 0 12月 28 22:00 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 12月 28 22:00 uts -> uts:[4026532218]
user:用户名称空间
pid:进程名称空间
net:网络名称空间
mnt:挂载目录名称空间
ipc :ipc通信名称空间
2、使用命令nsenter -t 25102 -n 切换为容器网络
[root@chenshifengdeLinuxServer ~]# nsenter -t 25102 -n [root@chenshifengdeLinuxServer ~]# ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 172.18.0.2 netmask 255.255.0.0 broadcast 0.0.0.0 inet6 fe80::42:acff:fe12:2 prefixlen 64 scopeid 0x20<link> ether 02:42:ac:12:00:02 txqueuelen 0 (Ethernet) RX packets 34095 bytes 3109711 (2.9 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 25625 bytes 16668777 (15.8 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
使用exit命令退出容器网络
[root@chenshifengdeLinuxServer ~]# exit 登出 [root@chenshifengdeLinuxServer ~]# ifconfig docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 172.18.0.1 netmask 255.255.0.0 broadcast 0.0.0.0 inet6 fe80::42:baff:fea1:5f8 prefixlen 64 scopeid 0x20<link> ether 02:42:ba:a1:05:f8 txqueuelen 0 (Ethernet) RX packets 32635 bytes 22231242 (21.2 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 41087 bytes 3746534 (3.5 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 172.17.213.9 netmask 255.255.240.0 broadcast 172.17.223.255 inet6 fe80::216:3eff:fe12:80fa prefixlen 64 scopeid 0x20<link> ether 00:16:3e:12:80:fa txqueuelen 1000 (Ethernet) RX packets 1557138 bytes 1241609285 (1.1 GiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 901143 bytes 161155319 (153.6 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 75 bytes 6018 (5.8 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 75 bytes 6018 (5.8 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 veth693751f: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::9c0c:beff:fe14:ded4 prefixlen 64 scopeid 0x20<link> ether 9e:0c:be:14:de:d4 txqueuelen 0 (Ethernet) RX packets 25625 bytes 16668777 (15.8 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 34095 bytes 3109711 (2.9 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 vethba13b4b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::ac08:d6ff:fe19:21f0 prefixlen 64 scopeid 0x20<link> ether ae:08:d6:19:21:f0 txqueuelen 0 (Ethernet) RX packets 6881 bytes 5984757 (5.7 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7629 bytes 659725 (644.2 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@chenshifengdeLinuxServer ~]#
如果您觉得本篇文章还不错,欢迎点赞,转发分享(转发请注明出处),感谢~~
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 如何编写易于单元测试的代码
· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
· .NET Core 中如何实现缓存的预热?
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 地球OL攻略 —— 某应届生求职总结
· 周边上新:园子的第一款马克杯温暖上架
· Open-Sora 2.0 重磅开源!
· 提示词工程——AI应用必不可少的技术
· .NET周刊【3月第1期 2025-03-02】