Convert Figma logo to code with AI

jpetazzo logonsenter

No description available

2,594
270
2,594
0
View on GitHub

Top Related Projects

moby's avatar

moby

68,613

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

opencontainers's avatar

runc

11,985

CLI tool for spawning and running containers according to the OCI specification

containerd's avatar

containerd

17,663

An open and reliable container runtime

kubernetes's avatar

kubernetes

111,715

Production-Grade Container Scheduling and Management

docker's avatar

cli

4,994

The Docker CLI

rancher's avatar

rancher

23,337

Complete container management platform

Quick Overview

nsenter is a small utility that allows entering Linux namespaces. It's particularly useful for Docker container debugging and management, enabling users to enter a container's namespace without using Docker's own exec command. This tool is part of the util-linux package but was separately packaged by Jérôme Petazzoni for easier distribution.

Pros

  • Provides direct access to container namespaces without relying on Docker
  • Useful for debugging and troubleshooting containers
  • Lightweight and easy to use
  • Can be used with any containerization technology that uses Linux namespaces

Cons

  • Requires root privileges or CAP_SYS_ADMIN capability
  • Limited to Linux systems only
  • May bypass container security measures if used improperly
  • Requires understanding of Linux namespaces for effective use

Code Examples

# Enter all namespaces of a process
sudo nsenter --target $PID --all

# Enter only the network namespace of a process
sudo nsenter --target $PID --net

# Execute a command in a container's namespaces
sudo nsenter --target $PID --mount --uts --ipc --net --pid -- /bin/bash

Getting Started

To use nsenter, first install it on your system:

# On Ubuntu or Debian
sudo apt-get install util-linux

# On CentOS or RHEL
sudo yum install util-linux

# Find the PID of the container you want to enter
PID=$(docker inspect --format '{{.State.Pid}}' <container_name_or_id>)

# Enter the container's namespaces
sudo nsenter --target $PID --mount --uts --ipc --net --pid

After running the last command, you'll be inside the container's namespaces, allowing you to debug or inspect the container environment directly.

Competitor Comparisons

moby logo

moby

68,613

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Pros of Moby

  • Comprehensive container platform with a wide range of features
  • Active development with frequent updates and improvements
  • Large community support and extensive documentation

Cons of Moby

  • More complex and resource-intensive
  • Steeper learning curve for beginners
  • Requires more setup and configuration

Code Comparison

nsenter:

int main(int argc, char *argv[])
{
    int c;
    while ((c = getopt_long(argc, argv, "+m:u:i:n:p:t:h", longopts, NULL)) != -1) {
        switch (c) {
        case 'm': arg_mount = optarg; break;
        case 'u': arg_uts = optarg; break;

Moby:

func (daemon *Daemon) containerStart(container *container.Container, checkpoint string, checkpointDir string, resetRestartManager bool) (err error) {
    container.Lock()
    defer container.Unlock()
    if container.Running {
        return nil
    }

Summary

nsenter is a lightweight tool for entering Linux namespaces, while Moby is a comprehensive container platform. nsenter is simpler and more focused, making it easier to use for specific namespace-related tasks. Moby offers a full-featured container ecosystem but requires more resources and has a steeper learning curve. The choice between them depends on the specific use case and required functionality.

opencontainers logo

runc

11,985

CLI tool for spawning and running containers according to the OCI specification

Pros of runc

  • More comprehensive container runtime implementation
  • Actively maintained and widely adopted in the container ecosystem
  • Supports full container lifecycle management

Cons of runc

  • Larger codebase and more complex to understand
  • Requires more setup and configuration for basic use cases

Code comparison

nsenter:

#!/bin/sh
set -e
[ "$1" ] || { echo "Usage: $0 <PID> [command...]"; exit 1; }
nsenter --target $1 --mount --uts --ipc --net --pid -- "${@:2}"

runc:

func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOpts) error {
    args := []string{"create", "--bundle", bundle}
    if opts != nil {
        args = append(args, opts.AdditionalArgs...)
    }
    cmd := r.command(context, append(args, id)...)
    return r.runOrError(cmd)
}

Summary

nsenter is a lightweight tool for entering Linux namespaces, while runc is a full-featured container runtime. nsenter is simpler and easier to use for basic namespace operations, but runc offers more comprehensive container management capabilities. runc is more suitable for complex container orchestration scenarios, while nsenter is ideal for quick debugging and simple namespace manipulations.

containerd logo

containerd

17,663

An open and reliable container runtime

Pros of containerd

  • More comprehensive container runtime with broader functionality
  • Actively maintained and widely adopted in the container ecosystem
  • Supports multiple container image formats and registries

Cons of containerd

  • Larger codebase and more complex to understand and contribute to
  • Heavier resource footprint compared to lightweight nsenter

Code comparison

nsenter (simplified usage):

nsenter --target $PID --mount --uts --ipc --net --pid -- command

containerd (simplified usage):

client, err := containerd.New("/run/containerd/containerd.sock")
container, err := client.NewContainer(ctx, "container-id", opts...)
task, err := container.NewTask(ctx, cio.NewCreator(opts...))

Key differences

  • nsenter is a focused tool for entering Linux namespaces
  • containerd is a full-featured container runtime with image management, execution, and supervision capabilities
  • nsenter is written in C, while containerd is primarily written in Go
  • containerd has a more extensive API and integration options for container orchestration systems

Use cases

  • nsenter: Debugging, entering namespaces of running processes
  • containerd: Managing container lifecycles, image distribution, and runtime operations in production environments
kubernetes logo

kubernetes

111,715

Production-Grade Container Scheduling and Management

Pros of Kubernetes

  • Comprehensive container orchestration platform for managing large-scale applications
  • Robust ecosystem with extensive tooling and community support
  • Offers advanced features like auto-scaling, load balancing, and self-healing

Cons of Kubernetes

  • Significantly more complex to set up and maintain
  • Steeper learning curve for new users
  • May be overkill for small-scale or simple container deployments

Code Comparison

nsenter:

docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter

Kubernetes:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx

Summary

nsenter is a lightweight tool for entering Linux namespaces, primarily used for debugging and troubleshooting containers. It's simple to use and has a small footprint.

Kubernetes, on the other hand, is a full-fledged container orchestration platform designed for managing complex, distributed applications at scale. It offers a wide range of features and capabilities but comes with increased complexity and resource requirements.

The choice between the two depends on the specific use case and scale of the project. For simple container management or debugging tasks, nsenter may be sufficient. For large-scale, production-grade applications, Kubernetes provides a more comprehensive solution.

docker logo

cli

4,994

The Docker CLI

Pros of cli

  • More comprehensive Docker management tool with a wide range of features
  • Actively maintained and regularly updated by the Docker team
  • Integrates seamlessly with other Docker components and ecosystem

Cons of cli

  • Larger codebase and more complex to understand and modify
  • Requires full Docker installation, which may be overkill for simple container operations

Code comparison

nsenter:

#!/bin/sh
set -e
CONTAINER_ID="$1"
COMMAND="${@:2}"
PID=$(docker inspect --format "{{.State.Pid}}" "$CONTAINER_ID")
nsenter --target "$PID" --mount --uts --ipc --net --pid -- $COMMAND

cli (simplified example):

func (cli *DockerCli) CmdExec(args ...string) error {
    execConfig, err := cli.parseExec(args...)
    if err != nil {
        return err
    }
    return cli.client.ContainerExecCreate(context.Background(), execConfig)
}

Summary

nsenter is a lightweight tool focused on entering container namespaces, while cli is a full-featured Docker management tool. nsenter is simpler and more focused, but cli offers broader functionality and integration with the Docker ecosystem. The choice between them depends on specific use cases and requirements.

rancher logo

rancher

23,337

Complete container management platform

Pros of Rancher

  • Comprehensive container management platform with a user-friendly web interface
  • Supports multi-cluster management and provides advanced orchestration features
  • Offers built-in monitoring, logging, and security features for containerized environments

Cons of Rancher

  • More complex setup and resource-intensive compared to lightweight tools
  • Steeper learning curve for users new to container orchestration
  • May introduce additional overhead for small-scale deployments

Code Comparison

nsenter:

docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter

Rancher:

version: '2'
services:
  rancher:
    image: rancher/rancher:latest
    ports:
      - "80:80"
      - "443:443"

Summary

nsenter is a lightweight tool for entering Linux namespaces, primarily used for debugging and troubleshooting containers. It's simple to use and has a small footprint.

Rancher, on the other hand, is a full-fledged container management platform that offers a wide range of features for orchestrating and managing containerized applications at scale. While more complex, it provides a comprehensive solution for enterprise-level container deployments.

The choice between the two depends on the specific use case and scale of the containerized environment. nsenter is ideal for quick debugging tasks, while Rancher is better suited for managing large-scale, production container deployments.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Looking to start a shell inside a Docker container?

Starting from Docker 1.3 you can use Docker exec to enter a Docker container. Example:

docker exec -it CONTAINER_NAME /bin/bash

There are differences between nsenter and docker exec; namely, nsenter doesn't enter the cgroups, and therefore evades resource limitations. The potential benefit of this would be debugging and external audit, but for remote access, docker exec is the current recommended approach.

Important notice: this repository was useful in the early days of Docker, because nsenter was missing from major distributions back then. nsenter was written in early 2013, and included in util-linux release 2.23. If we look at Ubuntu LTS releases, trusty (14.04) shipped util-linux 2.20, and xenial (16.04) shipped 2.27. In other words, if you were using Ubuntu LTS, you had to wait until 2016 to get nsenter through the main, official packages. That being said, all modern distros now ship with nsenter, and this repository is no longer useful, except for historical or curiosity purposes. It is no longer maintained.

nsenter in a can

This is a small Docker recipe to build nsenter easily and install it in your system.

What is nsenter?

It is a small tool allowing to enter into namespaces. Technically, it can enter existing namespaces, or spawn a process into a new set of namespaces. "What are those namespaces you're blabbering about?" We are talking about container namespaces.

nsenter can do many useful things, but the main reason why I'm so excited about it is because it lets you enter into a Docker container.

Why build nsenter in a container?

This is because my preferred distros (Debian and Ubuntu) ship with an outdated version of util-linux (the package that should contain nsenter). Therefore, if you need nsenter on those distros, you have to juggle with APT repository, or compile from source, or… Ain't nobody got time for that.

I'm going to make a very bold assumption: if you landed here, it's because you want to enter a Docker container. Therefore, you won't mind if my method to build nsenter uses Docker itself.

How do I install nsenter with this?

If you want to install nsenter into /usr/local/bin, just do this:

docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter

The jpetazzo/nsenter container will detect that /target is a mountpoint, and it will copy the nsenter binary into it.

If you don't trust me, and prefer to extract the nsenter binary, rather than allowing my container to potentially wreak havoc into your system's $PATH, you can also do this:

docker run --rm jpetazzo/nsenter cat /nsenter > /tmp/nsenter && chmod +x /tmp/nsenter

Then do whatever you want with the binary in /tmp/nsenter.

How do I use nsenter?

First, figure out the PID of the container you want to enter:

PID=$(docker inspect --format {{.State.Pid}} <container_name_or_ID>)

Then enter the container:

nsenter --target $PID --mount --uts --ipc --net --pid

What's that docker-enter thing?

It's just a small shell script that wraps up the steps described above into a tiny helper. It takes the name or ID of a container and optionally the name of a program to execute inside the namespace. If no command is specified a shell will be invoked instead.

# list the root filesystem
docker-enter my_awesome_container ls -la

Docker toolbox usage for OS X or Windows user

SSH to the Docker Toolbox virtual machine

docker-machine ssh default

Install nsenter, docker-enter, and importenv into the VM

docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter

You can also install nsenter to another folder. In that case, you will need to specify the full path of nsenter to run it.

docker run --rm -v /tmp:/target jpetazzo/nsenter

Using nsenter

List running containers:

docker ps

Identify the ID of the container that you want to get into; and retrieve its associated PID:

PID=$(docker inspect --format {{.State.Pid}} 08a2a025e05f)

Enter the container:

sudo nsenter --target $PID --mount --uts --ipc --net --pid

Remember to run those commands in the Docker Toolbox virtual machine; not in your host environment.

Using docker-enter

With docker-enter, you don't need to lookup the container PID.

You can get a shell inside the container:

docker-enter 08a2a025e05f

Or run commands directly:

docker-enter 08a2a025e05f ls /var/log
docker-enter 08a2a025e05f df -h

docker-enter with boot2docker

If you are using boot2docker, you can use the function below, to:

  • install nsenter and docker-enter into boot2docker's /var/lib/boot2docker/ directory, so they survive restarts.
  • execute docker-enter inside of boot2docker combined with ssh
docker-enter() {
  boot2docker ssh '[ -f /var/lib/boot2docker/nsenter ] || docker run --rm -v /var/lib/boot2docker/:/target jpetazzo/nsenter'
  boot2docker ssh -t sudo /var/lib/boot2docker/docker-enter "$@"
}

You can use it directly from your host (OS X/Windows), no need to ssh into boot2docker.

Caveats

  • This only works on Intel 64 bits platforms. It should be relatively easy to adapt to other architectures, though.
  • nsenter still needs to run from the host; it cannot run inside a container (yet).