Using nsenter

Getting the process or container ID

Get the process ID (PID) from a container ID

crictl inspect -o go-template --template='{{index .info "pid"}}' ef80e5fd299001c62a1b039797c74cb9cac8bfc88488edd576ea64396c6b93ba

Get container information from a process

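# The last path component of the process's cgroup is cri-containerd-<id>.scope; strip the prefix and suffix to get the container ID
ContainerID=$(awk -F '/' '{print $NF}' /proc/34056/cgroup | sed 's/cri-containerd-\(.*\)\.scope/\1/' | uniq)
# Read the pod name from the container's labels
podName=$(crictl inspect -o go-template --template='{{index .status.labels "io.kubernetes.pod.name"}}' "$ContainerID")
# crictl inspect "$ContainerID"   # show the container's details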
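
The PID-to-container lookup above, as an added example (not code from the original page): a POSIX shell function that extracts the container ID from /proc/<pid>/cgroup content. It goes beyond the page's cri-containerd-<id>.scope case by also accepting docker-/crio- scopes and the cgroupfs layout, and it refuses to answer when no ID or more than one ID is present. The function names and the sample cgroup lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): map cgroup content to a container ID.
# Accepted last path components (the last three are assumptions beyond the page):
#   cri-containerd-<id>.scope   containerd, systemd cgroup driver (page's case)
#   docker-<id>.scope, crio-<id>.scope
#   <id>                        cgroupfs driver, e.g. /kubepods/.../pod<uid>/<id>

# Reads /proc/<pid>/cgroup lines on stdin. Prints the single 64-hex container
# ID found; returns 1 for a host process (no ID) or an ambiguous result (>1).
container_id_from_cgroup() {
    awk -F/ '
        {
            id = $NF
            sub(/^(cri-containerd|docker|crio)-/, "", id)
            sub(/\.scope$/, "", id)
            # length() check instead of {64}: older awks lack interval regexes
            if (length(id) == 64 && id ~ /^[0-9a-f]+$/) seen[id] = 1
        }
        END {
            n = 0
            for (k in seen) { n++; found = k }
            if (n != 1) exit 1
            print found
        }'
}

# Wrapper for a live process. The PID must be purely numeric so that a
# crafted argument cannot redirect the read to another path.
container_id_of_pid() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ -r "/proc/$1/cgroup" ] || return 3
    container_id_from_cgroup < "/proc/$1/cgroup"
}

# Constructed sample inputs; the ID and pod names are made up.
SAMPLE_ID=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_SYSTEMD="0::/kubepods.slice/kubepods-pod1234.slice/cri-containerd-${SAMPLE_ID}.scope"
SAMPLE_CGROUPFS="11:memory:/kubepods/besteffort/pod1234/${SAMPLE_ID}
10:cpu,cpuacct:/kubepods/besteffort/pod1234/${SAMPLE_ID}
1:name=systemd:/"
SAMPLE_HOST="0::/system.slice/sshd.service"
```

On a node, `crictl inspect "$(container_id_of_pid 34056)"` then shows the container that owns PID 34056; a non-zero return means the process is not in a recognised container cgroup.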

nsenter usage

nsenter is normally installed by default; if it is missing, install it yourself with yum install util-linux -y

nsenter --help

用法:
nsenter [options] <program> [<argument>...]

Run a program with namespaces of other processes.

选项:
-t, --target <pid> 要获取名字空间的目标进程
-m, --mount[=<file>] enter mount namespace
-u, --uts[=<file>] enter UTS namespace (hostname etc)
-i, --ipc[=<file>] enter System V IPC namespace
-n, --net[=<file>] enter network namespace
-p, --pid[=<file>] enter pid namespace
-U, --user[=<file>] enter user namespace
-S, --setuid <uid> set uid in entered namespace
-G, --setgid <gid> set gid in entered namespace
--preserve-credentials do not touch uids or gids
-r, --root[=<dir>] set the root directory
-w, --wd[=<dir>] set the working directory
-F, --no-fork 执行 <程序> 前不 fork
-Z, --follow-context set SELinux context according to --target PID

-h, --help 显示此帮助并退出
-V, --version 输出版本信息并退出

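Example: entering a container's network namespace. The pause container shares the network and other resources with the pod's containers, so entering the pause container's namespace gives the same result.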

[root@test-61 ~]# ps -ef |grep pause
65535 13324 13157 0 Aug24 ? 00:00:00 /pause

[root@test-61 ~]# nsenter -t 13324 -n
[root@test-61 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if66: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 32:89:55:bc:d8:f6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.69.0.58/24 brd 10.69.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::3089:55ff:febc:d8f6/64 scope link
valid_lft forever preferred_lft forever

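nsenter -t $PID -m -u -i -n -p /bin/sh is equivalent to docker exec -it $container /bin/sh. Note that nsenter only joins the listed namespaces: the shell runs with the caller's host credentials and is not placed under the container's cgroup limits, capability set or seccomp profile.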