推荐！两个有用的运维工具nsenter+cgroup（二）

线上容器有时可能缺少一些软件用于调试容器，本文举例通过nsenter 工具进入容器net namespace，使用宿主机tcpdump工具进行网络抓包演示；

在线上，若容器内缺少命令，而宿主机上又有的，亦可通过下文示例变化进行复用主机上的命令进行故障排查。

启动第一个窗口

• 获取容器进程pid
• 显示容器网络信息
• 确认容器内没有tcpdump命令
• 长ping百度用于下文抓包

1. [root@gentlewok ~]# docker inspect --format {{.State.Pid}} docker-client
2. 128342
3. [root@gentlewok ~]# docker exec -it docker-client /bin/sh
4. / # ip addr
5. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
6. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7. inet 127.0.0.1/8 scope host lo
8. valid_lft forever preferred_lft forever
9. 695: eth0@if696: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
10. link/ether 02:42:ac:11:00:08 brd ff:ff:ff:ff:ff:ff
11. inet 172.17.0.8/16 brd 172.17.255.255 scope global eth0
12. valid_lft forever preferred_lft forever
13. / # tcpdump
14. /bin/sh: tcpdump: not found # 这里可以发现容器内是没有tcpdump命令
15. #长ping百度
16. [root@gentlewok ~]# docker exec -it docker-client /bin/sh
17. / # ping www.baidu.com
18. PING www.baidu.com (120.232.145.185): 56 data bytes
19. 64 bytes from 120.232.145.185: seq=0 ttl=127 time=12.119 ms
20. 64 bytes from 120.232.145.185: seq=1 ttl=127 time=12.559 ms
21. 64 bytes from 120.232.145.185: seq=2 ttl=127 time=13.323 ms
22. 64 bytes from 120.232.145.185: seq=3 ttl=127 time=14.684 ms
23. 64 bytes from 120.232.145.185: seq=4 ttl=127 time=11.542 ms
24. 64 bytes from 120.232.145.185: seq=5 ttl=127 time=1

启动第二个窗口抓包

• 通过nsenter进入容器
• 进入后通过ip addr查看网络信息，验证是否进入容器网络
• tcpdump抓包

1. [root@gentlewok ~]# nsenter -t 128342 -n #进入gitlab-runner容器net namespace
2. [root@gentlewok ~]# ip addr # 输出网络信息，显示与上文一致，说明已进入容器网络
3. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
4. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5. inet 127.0.0.1/8 scope host lo
6. valid_lft forever preferred_lft forever
7. 695: eth0@if696: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
8. link/ether 02:42:ac:11:00:08 brd ff:ff:ff:ff:ff:ff link-netnsid 0
9. inet 172.17.0.8/16 brd 172.17.255.255 scope global eth0
10. valid_lft forever preferred_lft forever
11. # 这里tcpdump命令能正常执行 # 是因为没有使用 nsenter -m 参数，所用的是宿主机的文件系统
12. [root@gentlewok ~]# tcpdump -n
13. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
14. listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15. 09:20:49.230015 IP 120.232.145.185 > 172.17.0.8: ICMP echo reply, id 56, seq 204, length 64
16. 09:20:50.218314 IP 172.17.0.8 > 120.232.145.185: ICMP echo request, id 56, seq 205, length 64
17. 09:20:50.230517 IP 120.232.145.185 > 172.17.0.8: ICMP echo reply, id 56, seq 205, length 64
18. 09:20:51.218796 IP 172.17.0.8 > 120.232.145.185: ICMP echo request, id 56, seq 206, length 64
19. 09:20:51.238122 IP 120.232.145.185 > 172.17.0.8: ICMP echo reply, id 56, seq 206, length 64
20. 09:20:52.219101 IP 172.17.0.8 > 120.232.145.185: ICMP echo request, id 56, seq 207, length 64
21. 09:20:52.232337 IP 120.232.145.185 > 172.17.0.8: ICMP echo reply, id 56, seq 207, length 64
22. 09:20:53.219382 IP 172.17.0.8 > 120.232.145.185: ICMP echo request, id 56, seq 208, length 64
23. 09:20:53.232042 IP 120.232.145.185 > 172.17.0.8: ICMP echo reply, id 56, seq 208, length 64

后面再写一篇cgroup的应用及操作示例。