Docker shell/provisioning without SSH #4179

Closed
rasschaert opened this issue Jul 12, 2014 · 15 comments · Fixed by #7377
Comments

@rasschaert
Contributor

Currently, Vagrant can only provision or shell into a Docker container when it has an SSH daemon running.

Last month Docker's Jérôme Petazzoni wrote a post on the Docker blog titled "Why you don't need to run SSHD in your Docker containers". In it, he introduces a small tool called nsenter, which allows you to enter the namespace of a Docker container and run a program, such as a bash shell.

In the comments, Phusion's Hongli Lai, the creator of baseimage-docker, responds to the post:

Now, you are advocating nsenter. I am seriously considering this option. There is currently an ongoing discussion on the baseimage-docker bug tracker about replacing SSH with nsenter: phusion/baseimage-docker#102

Baseimage-docker is one of the more popular images to use with Vagrant, and Phusion were some of the most vocal advocates in favor of running SSHd inside docker containers.

Meanwhile, upstream, Docker is committed to creating a native mechanism to execute new processes in existing containers. It was slated for the 1.0 release but has since been delayed.

It'd be nice if Vagrant would allow for other mechanisms such as nsenter to provision or shell into containers.

@FooBarWidget

Hongli Lai here. I think it's better to wait a while before implementing anything, because the landscape is still moving quickly. From the research I've done so far, it does not look like it's viable to completely replace SSH with nsenter. The nsenter approach requires the binary to be installed on the host, which is not always the case. There are also certain use cases where SSH is more appropriate than nsenter. Most likely, in Baseimage-docker we will support both.

The sanest approach would be to wait for Docker's native mechanism, which hasn't been implemented.

@FooBarWidget

And another issue with nsenter is: processes started by nsenter cannot be killed from within the container, even by root inside the container. Thus, their behavior is slightly different from when they're executed from within the container, or by SSH. It's not entirely clear whether it's ok to run arbitrary commands inside the container like this. Also, nsenter requires root on the Docker host.

@peefour

peefour commented Jul 16, 2014

Hi,
Because most of my docker containers are mostly mini servers (I like to use the docker images from turnkeylinux), I find SSH invaluable.

However, it is not clear to me what the functional difference is between:

  1. ssh
  2. docker attach
  3. nsenter

Please advise why/when to prefer one over the other?

Thanks!

@FooBarWidget

docker attach is totally unrelated to the other two. docker attach reattaches a Docker container to a terminal, kind of like re-attaching a screen session. It is not a way to login to a container.

As for ssh vs nsenter, read these writeups in the baseimage-docker documentation:

@peefour

peefour commented Jul 16, 2014

Thanks for the links, I had already read them but still have these questions:

If I need access to the docker containers on a machine, I can use docker attach (if on the same host), SSH, or nsenter to change or inspect stuff on that machine.

I understand that SSH is a different beast because you use it mainly over the network.
It is still not clear to me why nsenter is different (or preferred) for this task than docker-attach?

Thanks!

@mitchellh
Contributor

I think we can use docker exec now!

@frankscholten

+1

This was referenced Dec 5, 2014
@schmunk42

+1 for vagrant docker-exec

@semekh

semekh commented Jul 29, 2015

docker exec is now a part of docker itself. Do you think it's a good idea to transparently use docker exec instead of ssh-ing into the container? It provides the same interface as SSH, and it shouldn't result in any incompatibility.

@thomaszbz

SSH is just overhead here if you can just use docker exec, which is provided by docker. Vagrant should be able to use both scenarios.
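
Added example, not part of the original thread and not Vagrant's code: the constraints raised above (nsenter needs the binary and root on the Docker host, SSH needs a daemon in the image, `docker exec` is native) expressed as a fallback order. The function names are hypothetical, and the cut-over assumes `docker exec` is available from Docker 1.3 onward; the init PID for nsenter would come from `docker inspect --format '{{.State.Pid}}' NAME`.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not Vagrant's API.

# version_ge A B: succeed when dotted version A >= B (major.minor compared).
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# pick_mechanism DOCKER_VERSION NSENTER_ON_HOST ROOT_ON_HOST SSHD_IN_IMAGE
# Prints exec, nsenter, ssh or none (yes/no flags are supplied by the caller).
pick_mechanism() {
    if version_ge "$1" 1.3; then
        echo exec        # native: no sshd in the image, no host root
    elif [ "$2" = yes ] && [ "$3" = yes ]; then
        echo nsenter     # needs the binary and root on the Docker host
    elif [ "$4" = yes ]; then
        echo ssh         # only works if the image runs an SSH daemon
    else
        echo none; return 1
    fi
}

# enter_command MECHANISM CONTAINER [INIT_PID]: print the command to run.
enter_command() {
    case $1 in
        exec)    echo "docker exec -it $2 /bin/sh" ;;
        nsenter) echo "nsenter --target $3 --mount --uts --ipc --net --pid /bin/sh" ;;
        ssh)     echo "vagrant ssh" ;;
        *)       echo "no supported entry path"; return 1 ;;
    esac
}

# Constructed scenarios: version, nsenter on host, root on host, sshd in image.
for facts in "1.0.1 yes yes no" "1.0.1 no no yes" "1.7.1 no no no"; do
    set -- $facts
    mech=$(pick_mechanism "$@") || mech=none
    echo "$facts -> $mech: $(enter_command "$mech" web 4242)"
done
```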

sethvargo added a commit that referenced this issue May 31, 2016
This adds a new core command, `docker-exec`, which allows the user to
exec into an already-running container.

- Fixes #6566
- Fixes #5193
- Fixes #4904
- Fixes #4057
- Fixes #4179
- Fixes #4903
sethvargo added a commit that referenced this issue Jun 1, 2016
This adds a new core command, `docker-exec`, which allows the user to
exec into an already-running container.

- Fixes #6566
- Fixes #5193
- Fixes #4904
- Fixes #4057
- Fixes #4179
- Fixes #4903
@thatguystone

thatguystone commented Aug 18, 2016

Was this actually addressed in #7377?

@bogdando

No, it seems not possible to use the docker-exec as a replacement for the vm.provision :shell

@jgillich

This should be reopened @sethvargo

@chrisroberts
Member

@jgillich Hi! Closed issues are not tracked. If you are still having a problem, please open a new issue. Thanks!

@ghost

ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 3, 2020