yakubin’s notes

Using external tools inside Docker containers

I often work with Docker containers which lack basic observability tools like ss (the new Linux netstat). Luckily, thanks to nsenter, it’s possible to use programs from the host inside containers.

Let’s say I started an Ubuntu container:

$ docker container ls
CONTAINER ID   IMAGE          COMMAND       CREATED         STATUS         PORTS     NAMES
91c5c431ebb0   ubuntu:20.04   "/bin/bash"   5 minutes ago   Up 5 minutes             agitated_cohen

First we need the PID, as seen from the host, of the container's main process:

$ docker inspect -f '{{.State.Pid}}' 91c5c431ebb0
17802

Now we can use nsenter to run a command inside the network namespace (-n flag) of the container:

$ sudo nsenter -t 17802 -n ss -lntp
State     Recv-Q    Send-Q        Local Address:Port         Peer Address:Port    Process
LISTEN    0         1                   0.0.0.0:80                0.0.0.0:*        users:(("nc",pid=18381,fd=3))

Putting it all together:

$ sudo nsenter -t "$(docker inspect -f '{{.State.Pid}}' 91c5c431ebb0)" -n ss -lntp
State     Recv-Q    Send-Q        Local Address:Port         Peer Address:Port    Process
LISTEN    0         1                   0.0.0.0:80                0.0.0.0:*        users:(("nc",pid=18381,fd=3))
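
The same steps as a reusable shell helper, with a check for the case where the container is missing or stopped (Docker reports a PID of 0 for a container that is not running). This is an added example, not part of the original note; the function names ctr_pid and ctr_netns are hypothetical.

```shell
# Added example: run a host tool inside a container's network namespace.
# ctr_pid and ctr_netns are hypothetical helper names, not part of
# Docker or util-linux.

# Print the host PID of the container's main process, or fail.
ctr_pid() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1" 2>/dev/null) || {
        echo "ctr_pid: cannot inspect container: $1" >&2
        return 1
    }
    case "$pid" in
        ''|*[!0-9]*)
            echo "ctr_pid: unexpected PID '$pid' for $1" >&2
            return 1 ;;
        0)
            # Docker reports Pid 0 when the container is not running.
            echo "ctr_pid: container $1 is not running" >&2
            return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Usage: ctr_netns CONTAINER COMMAND [ARGS...]
ctr_netns() {
    if [ "$#" -lt 2 ]; then
        echo "usage: ctr_netns CONTAINER COMMAND [ARGS...]" >&2
        return 2
    fi
    ctr=$1
    shift
    pid=$(ctr_pid "$ctr") || return 1
    # -n enters only the network namespace. The mount and PID namespaces
    # stay the host's, so the binary that runs is the host's copy and any
    # PIDs it prints (e.g. from ss -p) are host PIDs.
    sudo nsenter -t "$pid" -n "$@"
}
```

After sourcing this, ctr_netns agitated_cohen ss -lntp runs the same command as the one-liner above, using the container name instead of its ID.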