Troubleshooting Kubernetes and Docker with a SuperContainer

Super Powers

Super Filesystems

In order to access the target container's filesystem, I need to enter the local SuperContainer pseudo filesystem, which resides under /proc.

In Figure 4, you can see a directory listing for the path /proc/1/root.

Figure 4: Accessing the target's filesystem via the local /proc pseudo filesystem in the SuperContainer.

Admittedly, the file listing in Figure 4 could be from the local container and not the target container. In Figure 5, you can see the proof of the pudding: The figure shows the target's index.html file, which is reached from the SuperContainer directory /proc/1/root at the relative path usr/share/nginx/html/index.html.

Figure 5: Blimey, that looks suspiciously like a default web server index.html page, and I'm still logged into the SuperContainer.

Super Network Stacks

Next I'll check to see if I can access the target container's network. I'll run a couple of the networking tools I chucked into the Dockerfile earlier (see Figure 6).

Figure 6: I use the netstat and lsof tools to view TCP port 80 and also check the internal eth0 interface IP address, which reports that IP address 172.17.0.2 is bound.

I used the networking tools in Figure 6 to check the internal IP address. I could see TCP port 80, which HTTP runs on, but I need to confirm that I am actually seeing the correct network stack from outside the target container. This time I work from the host with the following command:

$ docker inspect nginx | grep IPAddress | tail -1

Figure 7 shows the output from the docker inspect command after querying the container, which is named nginx.

Figure 7: I did indeed see TCP port 80 running on the container called nginx.
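The same host-side confirmation can be made by comparing namespace identifiers rather than IP addresses. The following is an added example, not code from the original article; the container name supercontainer, the function names, and the PROC_ROOT variable are assumptions, and it must run as root on the Docker host to read /proc/<pid>/ns.

```shell
#!/bin/sh
# Added example: check from the host whether two containers share
# PID and network namespaces by comparing the /proc/<pid>/ns links.
# PROC_ROOT is a hypothetical override so the logic can be tested offline.
PROC_ROOT="${PROC_ROOT:-/proc}"

# ns_id PID TYPE -> prints the namespace identifier, e.g. net:[4026532245]
ns_id() {
    readlink "$PROC_ROOT/$1/ns/$2"
}

# shared_ns PID_A PID_B TYPE -> 0 if both PIDs are in the same namespace,
# 1 if they differ, 2 if either link cannot be read (bad PID, not root)
shared_ns() {
    a=$(ns_id "$1" "$3") || return 2
    b=$(ns_id "$2" "$3") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# container_pid NAME -> host PID of the container's init process
container_pid() {
    docker inspect --format '{{.State.Pid}}' "$1"
}

# report TARGET DEBUG -> one line per namespace type
report() {
    t=$(container_pid "$1") || return 2
    d=$(container_pid "$2") || return 2
    for ns in pid net; do
        if shared_ns "$t" "$d" "$ns"; then
            echo "$ns: shared $(ns_id "$t" "$ns")"
        else
            echo "$ns: NOT shared"
        fi
    done
}

# Usage (container names are assumptions): ./nscheck.sh nginx supercontainer
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

A "NOT shared" line means the tools in the debugging container are reporting on its own namespace, not the target's.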

Step Away

With a smattering of lateral thinking, I am certain that this tool can be extremely useful in a number of differing scenarios. Using debugging tools like strace (carefully) on production services is just one suggestion.

If you use the concept creatively, a SuperContainer might just save the day sometime in the future.

I for one will enjoy experimenting with SuperContainers across different use cases. You don't necessarily need access to a remote registry to pull the prebuilt image. Once you've memorized the command-line switches, you can create that simple Dockerfile with ease.

The Author

Chris Binnie is a DevSecOps consultant. His latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords. In the book, he also talks about how to make servers invisible, perform penetration testing, and mitigate unwelcome attacks. You will find more about DevSecOps and Linux security at his website: http://www.devsecops.cc
