nsenter on Alpine 3.6 won't enter namespaces for a specified PID
JakeWarner opened this issue · 5 comments
Steps to reproduce:
- Start container with Alpine 3.6
- Start a container within that container.
- "nsenter -p -i -u -m -n -t CONTAINER_PID /bin/sh"
Expected result:
A new /bin/sh session inside of container pid.
Actual result:
nsenter shows the help display again without an error.
Command I ran:
/ # nsenter -m -u -i -n -p -t 46 /bin/sh
BusyBox v1.26.2 (2017-10-04 13:37:41 GMT) multi-call binary.
Usage: nsenter [OPTIONS] [PROG [ARGS]]
-t, --target=PID Target process to get namespaces from
-m, --mount[=FILE] Enter mount namespace
-u, --uts[=FILE] Enter UTS namespace (hostname etc)
-i, --ipc[=FILE] Enter System V IPC namespace
-n, --net[=FILE] Enter network namespace
-p, --pid[=FILE] Enter pid namespace
-U, --user[=FILE] Enter user namespace
-S, --setuid=UID Set uid in entered namespace
-G, --setgid=GID Set gid in entered namespace
--preserve-credentials Don't touch uids or gids
-r, --root[=DIR] Set root directory
-w, --wd[=DIR] Set working directory
-F, --no-fork Don't fork before exec'ing PROG
Changing the order, omitting, or even specifying the direct paths to the namespaces doesn't yield a different result.
If I run "apk add --update util-linux" then try to run the above command, I get:
.: applet not found
Thank you
Looks like this may be the same issue referenced in: linuxkit/linuxkit#567
Option parsing for the -t, -S and -G options seems to be broken in BusyBox's nsenter. I've sent a patch to the mailing list: http://lists.busybox.net/pipermail/busybox/2018-May/086409.html If it's accepted upstream I'll make a pull request to the Alpine package.
This problem is fixed as of Busybox 1.28.3r0 in Alpine Edge.
Seems the issue remains if you try to pass arguments to the command like:
docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i sh -c echo 'hello world'
@lots0logs This is not an issue with alpine, but an issue with nsenter. Use -- to tell nsenter to stop trying to parse options. The following (with the -- separator and appropriate quotes) should work for you:
docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i -- sh -c "echo 'hello world'"
I believe this issue can be closed now (works for both alpine:edge and alpine:latest).
$ docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i -- sh -c "ls -lAF"
total 10564
drwxr-xr-x 1 root root 2048 May 7 14:01 EFI/
drwxr-xr-x 1 root root 12288 Jul 10 2018 bin/
drwxr-xr-x 1 root root 2048 May 7 14:01 boot/
drwxr-xr-x 1 root root 2048 Apr 18 2017 containers/
drwxr-xr-x 11 root root 2960 May 27 23:19 dev/
drwx------ 1 root root 6144 Apr 18 2017 etc/
drwxr-xr-x 1 root root 2048 Jul 10 2018 home/
-rwxr-xr-x 1 root root 1884480 Jul 10 2018 init*
drwxr-xr-x 1 root root 4096 Sep 7 2018 lib/
drwxr-xr-x 1 root root 2048 Jul 10 2018 media/
drwxr-xr-x 1 root root 2048 Jul 10 2018 mnt/
drwx------ 1 root root 2048 Apr 18 2017 opt/
dr-xr-xr-x 183 root root 0 May 27 23:19 proc/
drwx------ 1 root root 2048 Jul 10 2018 root/
drwxr-xr-x 9 root root 620 May 27 23:20 run/
drwxr-xr-x 1 root root 12288 Jul 10 2018 sbin/
-rwxr-xr-x 1 root root 8876696 May 7 13:59 sendtohost*
drwxr-xr-x 1 root root 2048 Jul 10 2018 srv/
dr-xr-xr-x 13 root root 0 May 27 23:19 sys/
drwxrwxrwt 2 root root 40 May 27 23:20 tmp/
drwx------ 1 root root 2048 Jul 10 2018 usr/
drwxr-xr-x 11 root root 260 May 27 23:19 var/
$ docker image ls alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 055936d39205 2 weeks ago 5.53MB
alpine edge 43cffc6f84a4 2 weeks ago 5.56MB
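
Added example, not part of the thread and not BusyBox code: the two halves of the fix above (the -- separator and the quoting of the command string), shown without needing a privileged container. The function split_argv is a hypothetical model of an option parser that permutes argv the way GNU getopt_long does by default; the last two functions call the real sh.

```shell
#!/bin/sh
# Added example, not code from the thread or from BusyBox.

# split_argv ARGS...: hypothetical model of a wrapper (flags -m -u -n -i and
# -t PID) whose parser permutes argv as GNU getopt_long does by default:
# every dash-word before "--" is treated as the wrapper's own option.
split_argv() {
    opts="" prog="" rejected=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift                      # end of wrapper options
                if [ $# -gt 0 ]; then prog="$prog${prog:+ }$*"; fi
                break ;;
            -t) opts="$opts${opts:+ }-t ${2-}"
                shift
                if [ $# -gt 0 ]; then shift; fi ;;
            -m|-u|-n|-i) opts="$opts${opts:+ }$1"; shift ;;
            -*) rejected="$rejected${rejected:+ }$1"; shift ;;  # usage error
            *)  prog="$prog${prog:+ }$1"; shift ;;
        esac
    done
    printf 'opts=[%s] prog=[%s] rejected=[%s]\n' "$opts" "$prog" "$rejected"
}

# Real sh: with -c the first operand is the command string and the next
# operand becomes $0, so the unquoted form runs a bare "echo".
inner_unquoted() { sh -c echo 'hello world'; }
inner_quoted()   { sh -c "echo 'hello world'"; }

# Without "--" the model claims -c for the wrapper; with it, PROG keeps -c.
split_argv -t 1 -m -u -n -i sh -c echo 'hello world'
split_argv -t 1 -m -u -n -i -- sh -c "echo 'hello world'"
```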