
What do you do when a Docker image ships without network utilities ("dig", "tcpdump", "nc", etc.) or even without a shell? Instead of trying to install those tools into the running container, we can use Linux namespaces: start a second container (or a process on the host) that joins the first container's network namespace, so the tooling runs alongside the isolated workload without modifying it.

Use case

Let's imagine the following use case: a "server" ("portainer"), which is a Docker container without a shell, and a "client" ("busybox") that sends HTTP requests to it. Both server and client are attached to an isolated network, "backend".

[component diagram: busybox client and portainer server on the isolated "backend" network]

Lab setup

First create the isolated "backend" network and start the "portainer" image as our server. Portainer needs the Docker socket mounted to manage the daemon; keep in mind that any container holding /var/run/docker.sock effectively has root on the host, so treat this setup as lab-only.

$ docker network create backend
$ docker run -d --net backend --name=portainer -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce

Next create the client container. Start it interactively (with -d and no TTY the busybox shell would exit immediately) and keep the session open; we'll send requests from it later.

$ docker run -it --rm --net backend busybox sh

Capture packets

Now we'll capture packets arriving at the "portainer" container.

In one console spawn a nicolaka/netshoot container inside portainer's network namespace (--net container:portainer) and start tcpdump. Only the network namespace is shared: netshoot sees portainer's interfaces, addresses and sockets, while its own filesystem and process tree stay separate, so portainer itself is not modified and still needs no shell.

$ docker run -it --rm --net container:portainer nicolaka/netshoot bash
# tcpdump

In the busybox session run wget:

/ # wget http://portainer:9000

The console running "tcpdump" should show the request from the busybox client (the names below are container IDs as resolved by Docker's embedded DNS; MAC addresses are masked):

20:37:34.779034 ARP, Request who-has 6c9561758f20 tell 9dbe9ea2dbf9.backend, length 28
20:37:34.779044 ARP, Reply 6c9561758f20 is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28
20:37:34.779097 IP 9dbe9ea2dbf9.backend.46548 > 6c9561758f20.9000: Flags [S], seq 4285761690, win 64240, options [mss 1460,sackOK,TS val 4087033204 ecr 0,nop,wscale 7], length 0
20:37:34.779141 IP 6c9561758f20.9000 > 9dbe9ea2dbf9.backend.46548: Flags [S.], seq 325737431, ack 4285761691, win 65160, options [mss 1460,sackOK,TS val 505550796 ecr 4087033204,nop,wscale 7], length 0
20:37:34.779205 IP 9dbe9ea2dbf9.backend.46548 > 6c9561758f20.9000: Flags [.], ack 1, win 502, options [nop,nop,TS val 4087033205 ecr 505550796], length 0
20:37:34.779311 IP 9dbe9ea2dbf9.backend.46548 > 6c9561758f20.9000: Flags [P.], seq 1:78, ack 1, win 502, options [nop,nop,TS val 4087033205 ecr 505550796], length 77
20:37:34.779327 IP 6c9561758f20.9000 > 9dbe9ea2dbf9.backend.46548: Flags [.], ack 78, win 509, options [nop,nop,TS val 505550796 ecr 4087033205], length 0
20:37:34.780354 IP 6c9561758f20.9000 > 9dbe9ea2dbf9.backend.46548: Flags [P.], seq 1:306, ack 78, win 509, options [nop,nop,TS val 505550797 ecr 4087033205], length 305
20:37:34.780417 IP 9dbe9ea2dbf9.backend.46548 > 6c9561758f20.9000: Flags [.], ack 306, win 501, options [nop,nop,TS val 4087033206 ecr 505550797], length 0
20:37:34.780512 IP 6c9561758f20.9000 > 9dbe9ea2dbf9.backend.46548: Flags [.], seq 306:7546, ack 78, win 509, options [nop,nop,TS val 505550797 ecr 4087033206], length 7240
20:37:34.780555 IP 9dbe9ea2dbf9.backend.46548 > 6c9561758f20.9000: Flags [.], ack 7546, win 479, options [nop,nop,TS val 4087033206 ecr 505550797], length 0
20:37:34.780573 IP 6c9561758f20.9000 > 9dbe9ea2dbf9.backend.46548: Flags [.], seq 7546:14786, ack 78, win 509, options [nop,nop,TS val 505550797 ecr 4087033206], length 7240
20:37:34.780608 IP 9dbe9ea2dbf9.backend.46548 > 6c9561758f20.9000: Flags [.], ack 14786, win 446, options [nop,nop,TS val 4087033206 ecr 505550797], length 0
20:37:34.780631 IP 6c9561758f20.9000 > 9dbe9ea2dbf9.backend.46548: Flags [P.], seq 14786:23486, ack 78, win 509, options [nop,nop,TS val 505550797 ecr 4087033206], length 8700
20:37:34.780665 IP 9dbe9ea2dbf9.backend.46548 > 6c9561758f20.9000: Flags [.], ack 23486, win 407, options [nop,nop,TS val 4087033206 ecr 505550797], length 0
20:37:34.780810 IP 6c9561758f20.9000 > 9dbe9ea2dbf9.backend.46548: Flags [F.], seq 23486, ack 78, win 509, options [nop,nop,TS val 505550797 ecr 4087033206], length 0
20:37:34.781350 IP 9dbe9ea2dbf9.backend.46548 > 6c9561758f20.9000: Flags [F.], seq 78, ack 23487, win 501, options [nop,nop,TS val 4087033207 ecr 505550797], length 0
20:37:34.781375 IP 6c9561758f20.9000 > 9dbe9ea2dbf9.backend.46548: Flags [.], ack 79, win 509, options [nop,nop,TS val 505550798 ecr 4087033207], length 0
20:37:39.835649 ARP, Request who-has 9dbe9ea2dbf9.backend tell 6c9561758f20, length 28
20:37:39.835708 ARP, Reply 9dbe9ea2dbf9.backend is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28

Run commands in the namespace from the host

For more powerful debugging we can run host tools inside the container's network namespace with nsenter. This requires root on the Docker host. nsenter switches only the namespaces you ask for; with -n alone the tool is the host's own binary, running with host root privileges and the host's filesystem, and only its view of network interfaces and sockets changes.

On the Docker host, look up portainer's PID (docker inspect reports 0 if the container is not running, so check the value before using it) and spawn "wireshark" inside its network namespace:

$ export SERVER_PID=`docker inspect --format '{{ .State.Pid }}' portainer`
$ sudo nsenter -t $SERVER_PID -n wireshark
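Both techniques from this post, the netshoot sidecar and nsenter from the host, wrapped into one small helper script. This is an added example, not code from the original post: the file name netns-debug.sh and the function names are hypothetical, it assumes docker, sudo and nsenter are available on the host, and it refuses to enter a stopped container, for which docker inspect reports a Pid of 0.

```shell
#!/bin/sh
# netns-debug.sh: hypothetical helper (added example, not from the original post).
# Gets tooling into a container's network namespace without installing
# anything into the container:
#   sidecar NAME [CMD]   -> run nicolaka/netshoot sharing NAME's network namespace
#   enter   NAME CMD...  -> run a host binary inside NAME's network namespace via nsenter

# valid_pid PID: print PID and succeed only if it is a positive integer.
# "docker inspect" reports .State.Pid as 0 for a container that is not running,
# and "nsenter -t 0" would not target the container, so 0 is rejected here.
valid_pid() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;   # empty or not a number
        0) return 1 ;;               # container exists but is not running
    esac
    printf '%s\n' "$1"
}

# container_pid NAME: PID of the container's init process, or failure.
container_pid() {
    pid=$(docker inspect --format '{{ .State.Pid }}' "$1" 2>/dev/null) || return 1
    valid_pid "$pid"
}

# nsenter_args PID: nsenter invocation that joins only the network namespace (-n).
# Mount and PID namespaces stay the host's, so the command is the host's own
# binary running as host root; only its view of interfaces and sockets changes.
nsenter_args() {
    printf 'nsenter -t %s -n\n' "$1"
}

# enter NAME CMD...: run CMD from the host inside NAME's network namespace.
enter() {
    name=$1
    shift
    pid=$(container_pid "$name") || { echo "error: container '$name' is not running" >&2; return 1; }
    # word splitting of the nsenter arguments is intended
    sudo $(nsenter_args "$pid") "$@"
}

# sidecar NAME [CMD]: needs only Docker daemon access (itself root-equivalent),
# not a root shell on the host; defaults to an interactive bash in netshoot.
sidecar() {
    docker run -it --rm --net "container:$1" nicolaka/netshoot "${2:-bash}"
}

# Dispatch only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    cmd=$1
    shift
    case "$cmd" in
        enter | sidecar) "$cmd" "$@" ;;
        *) echo "usage: $0 enter NAME CMD... | sidecar NAME [CMD]" >&2; exit 1 ;;
    esac
fi
```

Usage follows the post: `sh netns-debug.sh sidecar portainer` drops you into netshoot beside portainer for tcpdump, and `sh netns-debug.sh enter portainer wireshark` runs the host's wireshark in portainer's network namespace, failing with a clear message instead of a confusing nsenter error when the container is stopped.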