The Docker container operation exits after entering the solution
- 2020-05-17 07:15:34
- OfStack
When we operate on the Docker container, sometimes we accidentally exit the container we are working on by mistake or for other reasons. You may be worried that some of your operations have not been saved. Don't worry. In this article, we will discuss five (4+1) ways to connect and interact with the Docker container. All of the code in the example can be found in GitHub, and you can test them yourself.
1.nsenter
The installation
The nsenter tool is included after version 2.23 of the util-Linux package. If the util-linux package does not have this command on your system, you can install it from the source as follows.
You can also click on the link to download http: / / pan baidu. FEt8y com s / 1
$ cd /tmp; curl https://www.kernel.org/pub/linux/utils/util-linux/v2.24/util-linux-2.24.tar.gz | tar -zxf-; cd util-linux-2.24;
$ ./configure --without-ncurses
$ make nsenter && sudo cp nsenter /usr/local/bin
use
nsenter can access the namespace of another process. nsenter requires root permissions to work properly. Unfortunately, Ubuntu 14.4 still USES util-linux 2.20. To install the latest version of util-linux (2.24), follow these steps:
$ wget https://www.kernel.org/pub/linux/utils/util-linux/v2.24/util-linux-2.24.tar.gz; tar xzvf util-linux-2.24.tar.gz
$ cd util-linux-2.24
$ ./configure --without-ncurses && make nsenter
$ sudo cp nsenter /usr/local/bin
The nsenter tool has been included since version 2.23 of util-linux. It is used to access the namespace of another process. nsenter requires root permissions to work properly. Unfortunately, Ubuntu 14.4 still USES version 2.20 of util-linux. To install the latest version of util-linux (2.24), follow these steps:
cd /tmp
In order to connect to the container, you also need to find the PID of the first process of the container, through which you can connect to the container:
$ docker inspect --format "{{ .State.Pid }}" <container-id>
//or run 'docker inspect -f "{{ .State.Pid }}" <container-id>'
$ nsenter --target $PID --mount --uts --ipc --net --pid
2.nsinit
Starting with version 0.9, Docker itself has a library for managing containers, called libcontainer. The nsinit tool in libcontainer allows users direct access to the linux namespace and the cgroup kernel. Before installing nsinit, you first need to install the Go runtime environment:
$ apt-get installgit golang-go
$ mkdir-p $HOME/go-dev/binmkdir-p $HOME/go-dev/src
$ echo"export GOPATH=\$HOME/go-dev" >> ~/.profileecho "PATH=\$PATH:\$GOPATH/bin">> ~/.profile
$ source~/.profile
Next, install nsinit:
$ apt-get installgit golang-go
$ mkdir-p $HOME/go-dev/binmkdir-p $HOME/go-dev/src
$ echo"export GOPATH=\$HOME/go-dev" >> ~/.profileecho "PATH=\$PATH:\$GOPATH/bin">> ~/.profile
$ source~/.profile
nsinit read is to be located in/var lib/docer/execdriver native / < Container-id > Configuration data in the container directory. To run nsinit, you need to switch to the container directory. Since the /var/lib/docker directory is read-only for root users, you will also need root permissions. By docker's ps command, you can determine the container ID. Once you enter the /var/lib/docker directory, you can connect the containers:
nsinit exec /bin/bash
3.lxc(-attach)
Until Docker 0.8.1, LXC1 was the basic tool for managing containers, and Docker1 supports it. But starting with version 0.9.0, Docker USES the libcontainer administrative container by default and no longer relies on LXC. So by default, you can't use lxc-attach.
If you still want to use lxc-attach, then you need to use the -e lxc option to restart the Docker service process. Using this option, Docker's internals will again use the LXC admin container. The easiest way to do this is to create the /etc/default/docker file (if it still doesn't exist) and add the following:
DOCKER_OPTS=" -e lxc"
Now you can restart the Docker service. To connect containers, you need to know the full container ID:
docker ps --no-trunc
Next, you can connect the container. You will also need root permissions to complete the following tasks:
lxc-attach -n < container-id > -- /bin/bash
4.sshd
All three methods above require the root permission of the host system. In order not to have root access, it would be a good choice to access the container through ssh.
To do this, you need to build a base image that supports the SSH service. At this point, we might have a problem: should we just run one command using Docker CMD or ENTRYPOINT? If we have an sshd process running at this point, we don't want to run another process. The next step is to create a script or use a process management tool like supervisord to start all the other processes that need to be started. Excellent documentation on how to use supervisord can be found at Docker's web site. Once you have started the container with the sshd process, you can connect the container through the ssh client as before.
conclusion
The sshd method is probably the easiest way to connect containers, and most users are used to connecting virtual machines through ssh. Also, you don't need to use the root permission to connect to the container. However, there is still much debate about whether a container should manage more than one process. This approach ends up adding one sshd process per container, which is fundamentally not what process virtualization advocates.
The other three methods all require root permissions. Until version 0.8.1, Docker used LXC to manage containers. It is for this reason that it is very easy to connect containers using lxc-attach. However, starting from version 0.9.0, the Docker service must be started using the -e lxc option to support the LXC administrative container internally. However, with this option set, Docker will again rely on LXC, while LXC may be dropped depending on the release or installation.
nsenter and nsinit are generally the same. The main difference between the two tools is that nsinit creates a new process in its own container, while nsenter simply accesses the namespace. Jerome Petazzoni makes this point very clear in the Docker blog post.
I have tried several of the above methods, and they basically enter the running container. nsenter can also implement multi-terminal operation on one container. If you go into a container that has been terminated, you can get PID for the first installation, but you can get PID for 0 for the second installation, and then you can get PID for 0 for the second installation
< del > nsenter --target $PID --mount --uts --ipc --net --pid < /del >
You will notice that you have switched to the host's super admin privileges.
The correct method is described below, beginning with the meaning of the following command parameters:
Look at mirror
docker images: list images
docker images -a: lists all images (including history)
docker images --tree: show all the layers of the mirror (layer)
docker rmi < image ID > : delete 1 or more image
Check the container
docker ps: lists all currently running container
docker ps-l: lists the most recent container startup
docker ps-a: lists all container (including history, container that has been run)
docker ps-q: lists container ID from the last run
5. Here's the key:
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9cff554fb6d7 ubuntuold:14.04 /bin/bash About an hour ago Up About an hour condescending_blackwell
e5c5498881ed ubuntuold:14.04 /bin/bash About an hour ago Exited (0) 55 minutes ago backstabbing_bardeen
From the above information, you can see the difference between the two: the former is a running container; The latter is the terminated container (Exited(0)).
docker start/stop/restart
<
container
>
: start/stop/restart container
docker start [container_id] : run container again (including history container)
docker attach [container_id] : connect 1 running container instance (i.e. the instance must be in start state, and multiple Windows can be used to simultaneously attach1 container instance)
docker start -i
<
container
>
: start 1 container and enter interactive mode (equivalent to start first, attach later)
Take for example the latter e5c5498881ed: executed first
$ docker start e5c5498881ed
// then 1 At the second check Exited(0) No longer exists, indicating that the container has changed from a terminated state to a running state
$docker attach e5c5498881ed
// You will find that you have entered the container and that the previous operation file still exists
// If there is no response, again 1 Click enter again
docker run -i -t
<
image
>
bin/bash: use image to create container and enter interactive mode. login shell is /bin/bash
docker run -i -t -p
<
host_port:contain_port
>: mapping HOST port to the container to facilitate external access to services in the container. host_port can be omitted, which means mapping container_port to a dynamic port.
Note: start is used to launch container already created, and run is used to open a new container via image.
Additional:
Check the root password
The password for the root user when the docker container is started is randomly assigned. Thus, the password of the root user of the container can be obtained in this way.
docker logs 5817938c3f6e 2 > &1 | grep 'User: ' | tail -n1
Thank you for reading, I hope to help you, thank you for your support of this site!