A tool suite that lets you freely manipulate the files and network of a container, an image, or even the host, from a tool container.

Although you can use docker exec or nsenter to run commands on behalf of a container, it is often painful to do things in a container, or on its host, that does not have many tools installed. That is why docker-geek exists.
The basic idea is to start a tool container, then
- mount the rootfs of the target container or of the host into the tool container
- switch to the network namespace of the host or of the target container
so that you can
- freely use the tools in the tool container to manipulate the target container or its host
- install more things without worrying about polluting the target container or the host
It also provides some extra features that are not normally necessary:
- cross-container mounting
- viewing an image or a container, even a stopped one, without starting it
docker-geek starts a workbench in which you can freely manipulate the files and network of the host. Initially it does the following:
- it mounts the host's rootfs at /host-rootfs
- it switches to the host's network namespace
You can further run other docker-geek commands, or even the docker CLI itself, inside this workbench.

Note: the host's rootfs, strictly speaking, means the rootfs of the mount namespace that dockerd runs in, which may differ from the real host: on Docker Desktop it is the LinuxKit VM, not your Windows or macOS machine. The workbench also switches to the host's pid, ipc and user namespaces. This applies to the other docker-*-geek tools as well.

Security note: the workbench is a --privileged container that shares the host's pid, ipc, user and network namespaces and has the host rootfs and the Docker socket bind-mounted into it. That is root on the host with no isolation left: anyone who can start it (in particular, anyone who can reach the Docker socket) can read or change anything on that host. Use it only where you already hold, and are permitted to use, root on the host.
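The settings described in that note are also the signature of a container that should never appear unexpectedly on a production host. As an added example (not part of docker-geek), the following Python script reads docker inspect output and flags running containers that run privileged, share host namespaces, or bind-mount the host rootfs, /var/lib/docker or the Docker socket. The constructed SAMPLE_WORKBENCH entry models the docker run command docker-geek uses, so the logic can be checked without a daemon; the lists of sensitive paths and escape-relevant capabilities are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Find running containers that are host-equivalent, the way a docker-geek workbench is.

Added example; not part of docker-geek. It reads `docker inspect` JSON and
reports each HostConfig setting that removes isolation from the host. The
sensitive host paths and escape-relevant capabilities below are this
example's own assessment, not a list from docker-geek.
"""
import json
import subprocess

# Host paths whose bind mount hands the container the host (assumed list).
SENSITIVE_PATHS = ("/", "/var/lib/docker", "/proc", "/sys", "/dev", "/etc", "/root")
SOCKET_BASENAMES = ("docker.sock", "docker.pid")
ESCAPE_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "DAC_READ_SEARCH", "BPF"}


def is_sensitive_source(src):
    """True if bind-mounting host path `src` exposes the host or the Docker daemon."""
    norm = src.rstrip("/") or "/"
    if norm == "/" or norm.rsplit("/", 1)[-1] in SOCKET_BASENAMES:
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_PATHS if p != "/")


def host_equivalent_findings(container):
    """Return the findings for one `docker inspect` entry (empty list if none)."""
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("--privileged: all capabilities, all devices, no seccomp or AppArmor")
    for key, flag in (("PidMode", "--pid"), ("IpcMode", "--ipc"),
                      ("NetworkMode", "--network"), ("UsernsMode", "--userns")):
        if hc.get(key) == "host":
            findings.append(f"{flag}=host: shares the host {key[:-4].lower()} namespace")
    # -v binds and --mount type=bind both end up as host paths; de-duplicate, keep order.
    sources = [b.split(":", 1)[0] for b in hc.get("Binds") or []]
    sources += [m.get("Source", "") for m in container.get("Mounts") or [] if m.get("Type") == "bind"]
    for src in dict.fromkeys(sources):
        if is_sensitive_source(src):
            findings.append(f"bind mount of host path {src}")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in ESCAPE_CAPS:
            findings.append(f"--cap-add {name}: escape-relevant capability")
    for opt in hc.get("SecurityOpt") or []:
        if opt.endswith("unconfined"):
            findings.append(f"--security-opt {opt}")
    return findings


def inspect_running_containers():
    """Return `docker inspect` JSON for every running container (empty list if none)."""
    ids = subprocess.run(["docker", "ps", "-q"], check=True, capture_output=True, text=True).stdout.split()
    if not ids:
        return []
    out = subprocess.run(["docker", "inspect", *ids], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


# Constructed sample modeled on the `docker run` command docker-geek uses on
# Windows (see the Note above); it is not captured `docker inspect` output.
SAMPLE_WORKBENCH = {
    "Id": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "Name": "/geek",
    "HostConfig": {
        "Privileged": True,
        "PidMode": "host", "IpcMode": "host", "NetworkMode": "host", "UsernsMode": "host",
        "Binds": [
            "/run/desktop/docker.sock:/var/run/docker.sock",
            "/run/desktop/docker.pid:/var/run/docker.pid",
            "/:/host-rootfs",
            "/var/lib/docker:/var/lib/docker:rshared",
        ],
    },
    "Mounts": [],
}
# Constructed sample of an ordinary container, for contrast.
SAMPLE_ORDINARY = {
    "Id": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
    "Name": "/web",
    "HostConfig": {"Privileged": False, "PidMode": "", "IpcMode": "private",
                   "NetworkMode": "bridge", "UsernsMode": "",
                   "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    "Mounts": [],
}


def main():
    for c in inspect_running_containers():
        findings = host_equivalent_findings(c)
        if findings:
            print(f"{c['Id'][:12]}  {c['Name'].lstrip('/')}")
            for f in findings:
                print("   -", f)


if __name__ == "__main__":
    main()
```

Run it on a host with the Docker CLI configured; a docker-geek workbench that is up at the time will be reported with nine findings, and a container started with a bare docker run reports none.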
```
docker-geek [OPTIONS] [COMMAND [ARGS...]]
```

```
$ docker-geek
root@GEEK:/host-rootfs# ls /host-rootfs
Users    bin  etc   lib       libau.so.2    media  opt   private  root  sbin        srv  tmp  var
Volumes  dev  home  libau.so  libau.so.2.9  mnt    port  proc     run   sendtohost  sys  usr
root@GEEK:/host-rootfs# ip address show
...network info of the host...
```

Note: on the Windows Command Prompt, run the underlying docker command directly:

```
docker run --rm --interactive --tty ^
  --privileged --userns=host --pid=host --ipc=host ^
  --network=host --hostname=GEEK --add-host GEEK:127.0.0.1 ^
  -v /run/desktop/docker.sock:/var/run/docker.sock ^
  -v /run/desktop/docker.pid:/var/run/docker.pid ^
  -v /:/host-rootfs ^
  -v /var/lib/docker:/var/lib/docker:rshared ^
  --workdir /host-rootfs ^
  osexp2000/docker-geek
```

docker-container-geek starts a docker-geek workbench that mounts a container's rootfs at /rootfs and switches to that container's network namespace.
You can freely manipulate the files and network of the target container.

```
docker-container-geek [OPTIONS] CONTAINER_ID_OR_NAME [COMMAND [ARGS...]]
```

```
$ docker-container-geek cae89cdb65cd
root@GEEK-cae89cdb65cd:/rootfs# ls /rootfs
...contents of the container's rootfs...
root@GEEK-cae89cdb65cd:/rootfs# ip address show
...network info of the target container...
```

docker-image-geek lets you freely view (or even change) an image or a container without running it.
```
docker-image-geek [OPTIONS] IMAGE_ID_OR_NAME [COMMAND [ARGS...]]
```

```
$ docker-image-geek nginx
root@GEEK-cd5239a0906a:/rootfs#
...contents of the image's rootfs...
```

Notes:
- it only works when dockerd is using an overlay type of storage driver.
- by default the image is mounted read-only. Specify the --writable option to make it writable.
- you can specify a container id or name in place of the image id or name.
docker-mount-image mounts an image (or, see the notes of docker-image-geek, a container) at MOUNT_POINT. The same notes apply.

```
docker-mount-image [OPTIONS] IMAGE_ID_OR_NAME MOUNT_POINT
```
docker-mount bind-mounts a path from one container (or the host) into another.

```
docker-mount [OPTIONS] [CONTAINER:]SOURCE_PATH [CONTAINER:]MOUNT_POINT
```

A typical use is mounting some files into a running container.
- To mount Windows's C:\a\dir_or_file at a container's /a/mountpoint:
  ```
  $ docker-mount /host_mnt/c/a/dir_or_file CONTAINER_ID_OR_NAME:/a/mountpoint
  ```
- To mount macOS's /a/dir_or_file at a container's /a/mountpoint:
  ```
  $ docker-mount /host_mnt/a/dir_or_file CONTAINER_ID_OR_NAME:/a/mountpoint
  ```

docker-host enters all namespaces of the host's dockerd, or of the init process with option -1.
```
$ docker-host
linuxkit-025000000001:/# ls
Users    bin  etc   lib       libau.so.2    media  opt   private  root  sbin        srv  tmp  var
Volumes  dev  home  libau.so  libau.so.2.9  mnt    port  proc     run   sendtohost  sys  usr
linuxkit-025000000001:/# which crictl docker mount.cifs
/usr/bin/crictl
/usr/local/bin/docker
/sbin/mount.cifs
```

docker-layers-of-image and docker-layers-of-container print the overlay layer directories of an image or a container:

```
$ docker-layers-of-image cae89cdb65cd
/var/lib/docker/overlay2/a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d/diff
/var/lib/docker/overlay2/a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d-init/diff
/var/lib/docker/overlay2/80c7824a3012f56122d75283c90b85f2eb733d62889e5bbe956035d77720c554/diff
```

or use it in a pipe:
```
$ docker ps | docker-layers-of-container
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS   PORTS   NAMES
999999999999   nginx     ...
  layer: /var/lib/docker/overlay2/c6212d8523d5f5250b80c7c6daa29c3d57327b2e9adec345555d2d2fb404fdf1/diff
  layer: /var/lib/docker/overlay2/c6212d8523d5f5250b80c7c6daa29c3d57327b2e9adec345555d2d2fb404fdf1-init/diff
  layer: /var/lib/docker/overlay2/a68ea16a5b16b4c3b8bd659cd53ebe1095ecda2e6fee5ccb5521a156da486cdb/diff
  layer: /var/lib/docker/overlay2/43b4f1b48efb892b151bd3a901c981fc1f03f7e0c3a7e960998d0db0e3a70468/diff
  layer: /var/lib/docker/overlay2/8f74ae7349f0cc8b54cd5201b93bcf89432986bae680b879a12ba0d43a937aa5/diff
cae89cdb65cd   busybox   ...
  layer: /var/lib/docker/overlay2/a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d/diff
  layer: /var/lib/docker/overlay2/a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d-init/diff
  layer: /var/lib/docker/overlay2/80c7824a3012f56122d75283c90b85f2eb733d62889e5bbe956035d77720c554/diff
$ docker images | docker-layers-of-image
...
```

The result can be further piped to other similar commands of this tool suite.

Note that the layers are displayed in order from upper to lower: the container's own writable layer first, then its -init layer, then the image's layers.
docker-rootfs-of-container prints the merged rootfs directory of a container:

```
$ docker-rootfs-of-container cae89cdb65cd
/var/lib/docker/overlay2/a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d/merged
```

or use it in a pipe:

```
$ docker ps | docker-rootfs-of-container
CONTAINER ID   IMAGE
999999999999   ...
  rootfs: /var/lib/docker/overlay2/c6212d8523d5f5250b80c7c6daa29c3d57327b2e9adec345555d2d2fb404fdf1/merged
cae89cdb65cd   ...
  rootfs: /var/lib/docker/overlay2/a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d/merged
```

The result can be further piped to other similar commands of this tool suite.
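The layer and rootfs paths printed above come straight from the overlay2 data that docker inspect exposes under GraphDriver.Data, and the writable layer is worth reading on its own: it records exactly what a container added, changed or deleted, without the container being started, which is what you want from a stopped container you suspect is compromised. The following Python script is an added example, not part of docker-geek; it resolves the layers in the same upper-to-lower order, prints the merged rootfs path, and classifies the entries of the writable layer, treating a 0:0 character device as an overlayfs whiteout (a deleted lower file). The SAMPLE_INSPECT entry is constructed to mirror the cae89cdb65cd output on this page, and make_sample_upper_dir builds a stand-in writable layer in a temporary directory.

```python
#!/usr/bin/env python3
"""Resolve a container's overlay2 layers and read its writable layer without starting it.

Added example; not part of docker-geek. `docker inspect` lists the overlay2
directories under GraphDriver.Data: UpperDir is the container's own writable
layer, LowerDir is a colon-separated chain (the -init layer first, then the
image layers) and MergedDir is the assembled rootfs that
docker-rootfs-of-container prints.
"""
import json
import os
import stat
import subprocess
import tempfile


def overlay_layers(container):
    """Return layer diff dirs upper -> lower, the order docker-layers-of-container prints."""
    gd = container.get("GraphDriver") or {}
    if gd.get("Name") not in ("overlay", "overlay2"):
        raise ValueError(f"storage driver {gd.get('Name')!r} is not overlay; no layer dirs to show")
    data = gd.get("Data") or {}
    lower = [p for p in (data.get("LowerDir") or "").split(":") if p]
    return [data["UpperDir"], *lower]


def rootfs_dir(container):
    """MergedDir, as docker-rootfs-of-container prints it. Only mounted while the container runs."""
    return container["GraphDriver"]["Data"]["MergedDir"]


def upper_layer_changes(upper_dir):
    """Classify the entries of a writable layer.

    A regular entry is a file the container created or modified (overlayfs copies a
    lower file up before the first write). A character device with major:minor 0:0
    is an overlayfs whiteout: the container deleted the same-named lower file.
    """
    added, deleted = [], []
    for root, _dirs, files in os.walk(upper_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, upper_dir)
            st = os.lstat(path)
            if stat.S_ISCHR(st.st_mode) and st.st_rdev == 0:
                deleted.append(rel)
            else:
                added.append(rel)
    return sorted(added), sorted(deleted)


def inspect_container(name_or_id):
    out = subprocess.run(["docker", "inspect", name_or_id], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)[0]


# Constructed sample mirroring the cae89cdb65cd (busybox) output on this page;
# it is not captured `docker inspect` output.
_O = "/var/lib/docker/overlay2/"
SAMPLE_INSPECT = {
    "Id": "cae89cdb65cd",
    "GraphDriver": {
        "Name": "overlay2",
        "Data": {
            "UpperDir": _O + "a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d/diff",
            "LowerDir": _O + "a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d-init/diff:"
                        + _O + "80c7824a3012f56122d75283c90b85f2eb733d62889e5bbe956035d77720c554/diff",
            "MergedDir": _O + "a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d/merged",
            "WorkDir": _O + "a064c9b385fb9c0eb620ae321e11c38325d4f4b2166ec2fd2e661aa8a0c8049d/work",
        },
    },
}


def make_sample_upper_dir():
    """Constructed stand-in for an UpperDir: one added file (whiteouts need mknod, so none here)."""
    d = tempfile.mkdtemp(prefix="upper-")
    os.makedirs(os.path.join(d, "etc"))
    with open(os.path.join(d, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    return d


if __name__ == "__main__":
    import sys
    c = inspect_container(sys.argv[1])
    for layer in overlay_layers(c):
        print("layer:", layer)
    print("rootfs:", rootfs_dir(c))
    added, deleted = upper_layer_changes(overlay_layers(c)[0])
    print("added/modified:", *added, sep="\n  ")
    print("deleted:", *deleted, sep="\n  ")
```

Run it as root where /var/lib/docker is visible, for instance inside a docker-geek or docker-host workbench (docker-geek mounts /var/lib/docker into the workbench for this reason). Directory whiteouts (an opaque directory marked by the trusted.overlay.opaque xattr) are not detected by this script.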
docker-pid-of-container prints the host-side pid of a container's main process:

```
$ docker-pid-of-container cae89cdb65cd
2788
```

or use it in a pipe:

```
$ docker ps | docker-pid-of-container
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS   PORTS   NAMES
999999999999   ...
  pid: 2868
cae89cdb65cd   ...
  pid: 2788
```

The result can be further piped to other similar commands of this tool suite.
docker-cap-of-container prints the capabilities of a container's main process; -f also shows the raw mask and -n shows only the mask. The container below has Docker's default capability set.

```
$ docker-cap-of-container cae89cdb65cd
AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD NET_BIND_SERVICE NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT
$ docker-cap-of-container cae89cdb65cd -f
00000000a80425fb=[AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD NET_BIND_SERVICE NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT]
$ docker-cap-of-container cae89cdb65cd -n
00000000a80425fb
```

or use it in a pipe:

```
$ docker ps | docker-cap-of-container
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS   PORTS   NAMES
999999999999   ...
  cap: AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD NET_BIND_SERVICE NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT
cae89cdb65cd   ...
  cap: AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD NET_BIND_SERVICE NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT
```

The result can be further piped to other similar commands of this tool suite.
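The mask in the -f output is the kernel's own representation: /proc/PID/status carries each capability set (CapInh, CapPrm, CapEff, CapBnd, CapAmb) as a 64-bit hex number in which bit N is capability number N from linux/capability.h, and 00000000a80425fb decodes to exactly the fourteen names above. The following Python script is an added example, not part of docker-geek; it decodes and re-encodes such masks, parses a status dump, and flags the capabilities that let a container process reach the host (that set is this example's own assessment). The constructed samples are the mask shown on this page and the mask a --privileged container receives on a kernel with 41 capabilities.

```python
#!/usr/bin/env python3
"""Decode a capability mask from /proc/PID/status, as docker-cap-of-container -f shows it.

Added example; not part of docker-geek. Capability numbers follow
linux/capability.h up to CAP_CHECKPOINT_RESTORE (40). The escape-relevant
set is this example's own assessment.
"""
import sys

CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Capabilities that on their own let a container process take over the host
# (load modules, ptrace host processes, mount, raw I/O, read any file, load BPF).
ESCAPE_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "DAC_READ_SEARCH", "BPF"}


def decode_caps(mask_hex):
    """Map a hex mask to capability names, lowest bit first; unknown bits become CAP_<n>."""
    mask = int(mask_hex, 16)
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"
            for bit in range(mask.bit_length()) if mask >> bit & 1]


def encode_caps(names):
    """Inverse of decode_caps: the 16-digit hex mask, as docker-cap-of-container -n prints it."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return f"{mask:016x}"


def parse_proc_status(text):
    """Return the Cap* lines of a /proc/PID/status dump as {set_name: hex_mask}."""
    caps = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = value.strip()
    return caps


def escape_relevant(names):
    """The escape-relevant capabilities present in `names`, sorted."""
    return sorted(ESCAPE_CAPS.intersection(names))


def report(pid="self"):
    """Print CapEff and CapBnd of a process in the -f layout and flag risky bits."""
    with open(f"/proc/{pid}/status") as fh:
        caps = parse_proc_status(fh.read())
    for set_name in ("CapEff", "CapBnd"):
        names = decode_caps(caps[set_name])
        print(f"{set_name}: {caps[set_name]}=[{' '.join(sorted(names))}]")
        if escape_relevant(names):
            print(f"  escape-relevant: {' '.join(escape_relevant(names))}")


# Constructed samples: the mask of the default-capability container shown on
# this page, the mask --privileged grants on a kernel with 41 capabilities,
# and a status excerpt with the page's values (not a captured dump).
DEFAULT_CAPEFF = "00000000a80425fb"
PRIVILEGED_CAPEFF = "000001ffffffffff"
SAMPLE_STATUS = ("Name:\tsh\nPid:\t2788\nCapInh:\t0000000000000000\n"
                 "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n")

if __name__ == "__main__":
    report(sys.argv[1] if len(sys.argv) > 1 else "self")
```

Feed it the pid that docker-pid-of-container prints (from a workbench that shares the host's pid namespace, so /proc/PID is the container's main process). Checking CapBnd as well as CapEff matters: a process may have dropped a capability from its effective set while the bounding set still lets a child regain it through a file capability.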
docker-execsnoop and docker-opensnoop run execsnoop and opensnoop from the workbench. Because these tools use the host kernel's tracing facilities, they see exec() and open() calls of every process on the host, including those inside containers.

```
docker-execsnoop [...arguments of execsnoop...]
```

```
$ docker-execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
  PID   PPID ARGS
17603  17601 cat -v trace_pipe
17602  17598 gawk -v o=1 -v opt_name=0 -v name= -v opt_duration=0 [...]
```

```
docker-opensnoop [...arguments of opensnoop...]
```

```
$ docker-opensnoop
Tracing open()s. Ctrl-C to end.
COMM             PID      FD FILE
opensnoop      17605     0x3
opensnoop      17610     0x3 /etc/ld.so.cache
opensnoop      17610     0x3 /lib/x86_64-linux-gnu/libc.so.6
opensnoop      17609     0x3 /etc/ld.so.cache
```

docker-strace-in-container runs a command inside a container's namespaces (via nsenter) under strace:

```
docker-strace-in-container CONTAINER_ID_OR_NAME [NSENTER_OPTIONS] COMMAND [ARGS...]
```

```
$ docker-strace-in-container cae89cdb65cd ping -c 1 www.google.com
...
[pid 34323] execve("/bin/ping", ["ping", "-c", "1", "www.google.com"], [/* 4 vars */]) = 0
...
```