
Debug a container with nsenter

By Antoine, DevOps


#infra #container

Introduction

Most modern applications run in containers, which is a good way to isolate the application from the host.

Containers run in their own namespaces, which isolate their processes from the host.

Containers are built with a minimal set of tools, which reduces the attack surface.

This is great, but sometimes we need to debug a container, and that can be a bit tricky:

  rails@f2fd8c5ddea9:/rails$ netstat -atn
  bash: netstat: command not found

Let’s see how to debug a container with nsenter.

Troubleshooting

In order to debug a container, we need to have some information:

  • We need to have nsenter available on the host
  • We need to have the container ID
  • We need to have the PID of the container

Get the container ID

  sudo docker ps -a

Get the PID of the container

  sudo docker inspect -f '{{.State.Pid}}' <container_id>

Debug the container

  sudo nsenter --target <container_pid> -n netstat -atn

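Here we run the netstat -atn command in the context of the container's network namespace (-n option). Only the network namespace is switched, so the netstat binary comes from the host's filesystem while the sockets it lists are the container's.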


You can also run a shell in the container:

  sudo nsenter --target <container_pid> -m -u -i -n -p /bin/bash

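Et voilà, you can now debug the container using tools available on the host. Keep in mind that -m also switches to the container's mount namespace, so a shell started with it sees the container's filesystem; leave -m out when you need the host's binaries.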
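
The steps above combined into one helper, as an added example that is not part of the original post: it resolves the PID, refuses a container that is not running, and warns when the container shares the host's network namespace (in which case netstat shows the host's sockets). The SUDO and PROC_ROOT variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: run a host tool inside a container's network namespace.
# SUDO and PROC_ROOT are overridable assumptions of this example (useful for
# non-root testing); they are not docker or nsenter options.
SUDO=${SUDO-sudo}
PROC_ROOT=${PROC_ROOT:-/proc}

# Print the host PID of the container's main process.
# docker reports Pid 0 when the container is not running.
container_pid() {
  local pid
  pid=$($SUDO docker inspect -f '{{.State.Pid}}' "$1") || return 1
  case $pid in
    ''|0|*[!0-9]*) echo "container $1 is not running" >&2; return 1 ;;
  esac
  printf '%s\n' "$pid"
}

# Succeed only if the PID's network namespace differs from the host's,
# taken here as PID 1's (a container started with --network host shares it).
has_own_netns() {
  local target host
  target=$($SUDO readlink "$PROC_ROOT/$1/ns/net") || return 1
  host=$($SUDO readlink "$PROC_ROOT/1/ns/net") || return 1
  [ "$target" != "$host" ]
}

# debug_net <container> <command...>: run a host command in the container netns.
debug_net() {
  local pid
  pid=$(container_pid "$1") || return 1
  shift
  if ! has_own_netns "$pid"; then
    echo "warning: PID $pid shares the host network namespace" >&2
  fi
  $SUDO nsenter --target "$pid" -n "$@"
}

# When run as a script: ./debug_net.sh <container_id> netstat -atn
if [ "$#" -ge 2 ]; then
  debug_net "$@"
fi
```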
