docker-alpine
docker-alpine copied to clipboard
gliderlabs
nsenter on Alpine 3.6 won't enter namespaces for a specified PID
Steps to reproduce:
- Start container with Alpine 3.6
- Start a container within that container.
- "nsenter -p -i -u -m -n -t CONTAINER_PID /bin/sh"
Expected result: A new /bin/sh session inside of container pid.
Actual result: nsenter shows the help display again without an error.
Command I ran:
/ # nsenter -m -u -i -n -p -t 46 /bin/sh
BusyBox v1.26.2 (2017-10-04 13:37:41 GMT) multi-call binary.
Usage: nsenter [OPTIONS] [PROG [ARGS]]
-t, --target=PID Target process to get namespaces from
-m, --mount[=FILE] Enter mount namespace
-u, --uts[=FILE] Enter UTS namespace (hostname etc)
-i, --ipc[=FILE] Enter System V IPC namespace
-n, --net[=FILE] Enter network namespace
-p, --pid[=FILE] Enter pid namespace
-U, --user[=FILE] Enter user namespace
-S, --setuid=UID Set uid in entered namespace
-G, --setgid=GID Set gid in entered namespace
--preserve-credentials Don't touch uids or gids
-r, --root[=DIR] Set root directory
-w, --wd[=DIR] Set working directory
-F, --no-fork Don't fork before exec'ing PROG
Changing the order, omitting, or even specifying the direct paths to the namespaces doesn't yield a different result.
If I run "apk add --update util-linux" then try to run the above command, I get:
.: applet not found
Thank you
Looks like this may be the same issue referenced in: https://github.com/linuxkit/linuxkit/issues/567
Option parsing for the -t, -S and -G options seems to be broken in BusyBox's nsenter. I've sent a patch to the mailing list: http://lists.busybox.net/pipermail/busybox/2018-May/086409.html If it's accepted upstream I'll make a pull request to the Alpine package.
Seems the issue remains if you try to pass arguments to the command like:
docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i sh -c echo 'hello world'
@lots0logs This is not an issue with alpine, but an issue with nsenter. Use -- to tell nsenter to stop trying to parse options. The following (with the -- separator and appropriate quotes) should work for you:
docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i -- sh -c "echo 'hello world'"
I believe this issue can be closed now (works for both alpine:edge and alpine:latest).
$ docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i -- sh -c "ls -lAF"
total 10564
drwxr-xr-x 1 root root 2048 May 7 14:01 EFI/
drwxr-xr-x 1 root root 12288 Jul 10 2018 bin/
drwxr-xr-x 1 root root 2048 May 7 14:01 boot/
drwxr-xr-x 1 root root 2048 Apr 18 2017 containers/
drwxr-xr-x 11 root root 2960 May 27 23:19 dev/
drwx------ 1 root root 6144 Apr 18 2017 etc/
drwxr-xr-x 1 root root 2048 Jul 10 2018 home/
-rwxr-xr-x 1 root root 1884480 Jul 10 2018 init*
drwxr-xr-x 1 root root 4096 Sep 7 2018 lib/
drwxr-xr-x 1 root root 2048 Jul 10 2018 media/
drwxr-xr-x 1 root root 2048 Jul 10 2018 mnt/
drwx------ 1 root root 2048 Apr 18 2017 opt/
dr-xr-xr-x 183 root root 0 May 27 23:19 proc/
drwx------ 1 root root 2048 Jul 10 2018 root/
drwxr-xr-x 9 root root 620 May 27 23:20 run/
drwxr-xr-x 1 root root 12288 Jul 10 2018 sbin/
-rwxr-xr-x 1 root root 8876696 May 7 13:59 sendtohost*
drwxr-xr-x 1 root root 2048 Jul 10 2018 srv/
dr-xr-xr-x 13 root root 0 May 27 23:19 sys/
drwxrwxrwt 2 root root 40 May 27 23:20 tmp/
drwx------ 1 root root 2048 Jul 10 2018 usr/
drwxr-xr-x 11 root root 260 May 27 23:19 var/
$ docker image ls alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 055936d39205 2 weeks ago 5.53MB
alpine edge 43cffc6f84a4 2 weeks ago 5.56MB
