Use nsenter to enter netns to capture packets

background

We use Kubernetes Some network problems are inevitable , It is often necessary to enter the network namespace of the container (netns) in , Do some network debugging to locate the problem , This article describes how to enter the container netns.

Get the container ID

Use kubectl obtain pod In any cotnainer Of id:

kubectl -n test describe pod debug-685b48bcf5-ggn5d

Output sample clip 1 (containerd Runtime ):

Containers:
  debug:
    Container ID:   containerd://529bbd5c935562a9ba66fc9b9ffa95d486c6324f26d8253d744ffe3dfd728289

Output sample clip 2 (dockerd Runtime ):

Containers:
  debug:
    Container ID:   docker://e64939086488a9302821566b0c1f193b755c805f5ff5370d5ce5e6f154ffc648 

obtain PID

Get container id after , We log in to pod Get its main process from the node pid.

containerd Run time usage crictl Command acquisition :

$ crictl inspect 529bbd5c935562a9ba66fc9b9ffa95d486c6324f26d8253d744ffe3dfd728289 | grep -i pid
    "pid": 2266462,
            "pid": 1
            "type": "pid"

In this case pid by 2266462

dockerd Run time usage docker Command acquisition :

$ docker inspect e64939086488a9302821566b0c1f193b755c805f5ff5370d5ce5e6f154ffc648 | grep -i pid
            "Pid": 910351,
            "PidMode": "",
            "PidsLimit": 0,

In this case pid by 910351

Use nsenter Into the container netns

Use... On nodes nsenter Get into pod Of netns:

nsenter -n --target 910351

Debug network

Successfully entered the netns, You can use the network tools on the node to debug the network , You can use... First ip a To validate the ip Whether the address is pod ip:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth0[email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 6a:c6:6f:67:dd:6c brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.67/26 brd 172.18.0.127 scope global eth0
       valid_lft forever preferred_lft forever

Original address ：https://imroc.cc/kubernetes/troubleshooting/skill/network/enter-netns-with-nsenter.html#%E4%BD%BF%E7%94%A8-nsenter-%E8%BF%9B%E5%85%A5-netns-%E6%8A%93%E5%8C%85