linux docker linux-namespaces

Why don't I see the namespace related to a running docker container?


I know I can use nsenter to execute a host machine program, e.g. netstat, inside the running docker container like this:

sudo nsenter -t namespace_id -n netstat -putan

but for that I first need to figure out that namespace id.

I'm supposed to be able to do it like this:

# get container top level process id
$ docker inspect -f '{{.State.Pid}}' container_id

# use it to find the namespace id
$ lsns -t container_top_level_process_id

But when I do that, lsns -t ... gives me empty output. What could be the reason for that? Is it possible that running the container through docker compose somehow affects this?


Solution

  • but for that I first need to figure out that namespace id.

    No, you don't; using the -t argument to nsenter you only need the PID of a process in the namespace. From the nsenter man page:

    `-t`, `--target` *PID*
         Specify a target process to get contexts from. The paths to the contexts specified by pid are:
    

    So once you have the main process pid:

    pid=$(docker inspect -f '{{.State.Pid}}' container_id)
    

    You can use that directly with nsenter:

    nsenter -t $pid -n netstat -tln
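
The namespace identifiers that lsns lists are the inode numbers behind the /proc/PID/ns/TYPE symlinks, which are also the paths nsenter -t PID opens. The script below is an added example, not part of the original answer; it resolves those identifiers from a PID and reports which namespaces a process does not share with PID 1. The names PROC_ROOT, ns_id, same_ns and isolated_types are hypothetical.

```shell
#!/bin/sh
# Added example. PROC_ROOT, ns_id, same_ns and isolated_types are hypothetical names.
# Reading /proc/<pid>/ns of another user's process (e.g. a container's) needs root.
PROC_ROOT="${PROC_ROOT:-/proc}"

# ns_id PID TYPE: print the namespace inode number, e.g. 4026532281
ns_id() {
    link=$(readlink "$PROC_ROOT/$1/ns/$2" 2>/dev/null) || return 1
    id=${link#*\[}          # "net:[4026532281]" -> "4026532281]"
    id=${id%\]}             # -> "4026532281"
    case $id in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$id"
}

# same_ns PID_A PID_B TYPE: 0 = shared, 1 = different, 2 = could not read
same_ns() {
    a=$(ns_id "$1" "$3") || return 2
    b=$(ns_id "$2" "$3") || return 2
    [ "$a" = "$b" ]
}

# isolated_types PID: namespace types in which PID differs from PID 1
isolated_types() {
    out=
    for t in cgroup ipc mnt net pid user uts; do
        rc=0
        same_ns "$1" 1 "$t" || rc=$?
        if [ "$rc" -eq 1 ]; then
            out="$out${out:+ }$t"
        fi
    done
    printf '%s\n' "$out"
}

# Usage: sh nsinfo.sh "$(docker inspect -f '{{.State.Pid}}' container_id)"
if [ "$#" -ge 1 ]; then
    printf 'net namespace of %s: %s\n' "$1" "$(ns_id "$1" net)"
    printf 'differs from PID 1 in: %s\n' "$(isolated_types "$1")"
fi
```

A namespace type that cannot be read (missing entry or insufficient privileges) is skipped rather than reported as isolated, so run it with sudo when inspecting a container's process.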