A handy way of troubleshooting containers lacking a shell and/or debugging tools
4
+
(e.g, scratch, slim, or distroless).
2
5
3
-
Mostly for troubleshooting slim & distroless containers that lack a shell and other debugging tools. The technique is based on the ideas from this [blog post](https://iximiuz.com/en/posts/docker-debug-slim-containers).
6
+
The `cdebug exec` command is some sort of crossbreeding of `docker exec` and `kubectl debug` commands.
7
+
You point the tool at a running container, say what toolkit image to use, and it starts
8
+
a debugging "sidecar" container that _feels_ like a `docker exec` session into the target container:
9
+
10
+
- The root filesystem of the debugger **_is_** the root filesystem of the target container.
11
+
- The target container isn't recreated and/or restarted.
12
+
- No extra volumes or copying of debugging tools is needed.
13
+
- The debugging tools **_are_** available in the target container.
4
14
5
-
Work in progres...
15
+
Currently supported toolkit images:
16
+
17
+
- `busybox` - a good default choice
18
+
- `nixery.dev/shell/...` - [a very powerful way to assemble images on the fly](https://nixery.dev/).
19
+
20
+
## How it works
21
+
22
+
The technique is based on the ideas from this [blog post](https://iximiuz.com/en/posts/docker-debug-slim-containers).
23
+
Oversimplifying, the debugger container is started like:
24
+
25
+
```sh
26
+
docker run [-it] \
27
+
--network container:<target> \
28
+
--pid container:<target> \
29
+
--uts container:<target> \
30
+
<toolkit-image>
31
+
sh -c <<EOF
32
+
ln -s /proc/$$/root/bin/ /proc/1/root/.cdebug
6
33
7
-
## Demo
34
+
export PATH=$PATH:/.cdebug
35
+
chroot /proc/1/root sh
36
+
EOF
37
+
```
8
38
9
-
The command is very similar to `docker exec`. You point it to the target container,
10
-
potentially ask the session to be interactive (`-it`), and specify the debugging
11
-
toolkit image (`busybox` or anything starting from `nixery.dev/shell`).
39
+
The secret sauce is the symlink + PATH modification + chroot-ing.
12
40
13
-
**Important:** The target container isn't recreated and/or restarted. And no extra
14
-
volumes is needed.
41
+
## Demo 1: An interactive shell with busybox
15
42
16
-
Notice how the debugger's shell actually has the original distroless rootfs as its root directory:
43
+
First, a target container is needed. Let's use a distroless nodejs image for that: