Commit 2f3dbbe

rework documentation
1 parent 8d01455 commit 2f3dbbe

1 file changed

+37
-24
lines changed
README.md

@@ -3,12 +3,8 @@
33
[![Build Status](https://travis-ci.org/Mic92/cntr.svg?branch=master)](https://travis-ci.org/Mic92/cntr)
44

55
Say no to `$ apt install vim` in containers!
6-
7-
Cntr is a tool that allows to attach you to container from your host. It allows
8-
you to use your favorite debugging tools (tcpdump, curl, htop, strace,
9-
rg/ag, shell + dotfiles, $EDITOR), installed on the host within the container.
10-
Under the hood it spawns a shell or user defined program that inherits the full
11-
context of the container and mount itself as a fuse filesystem.
6+
`cntr` is a replacement for `docker exec` that brings all your developers tools with you.
7+
This allows to ship minimal runtime image in production and limit the surface for exploits.
128

139
## Demo
1410

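Review bot: new line 7 claims that a minimal image will "limit the surface for exploits", but with the old paragraph removed the intro no longer says that cntr attaches from the host and makes host-installed tools available inside the container, which is what a reader needs to judge that claim. Suggest keeping one sentence of that explanation here, or pointing to the "How it works" section, and fixing the wording on lines 6-7: "all your developer tools" and "This allows you to ship minimal runtime images in production". Calling it a replacement for `docker exec` also undersells the LXC, rkt and systemd-nspawn support still listed under Features.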
@@ -18,26 +14,12 @@ In this two minute recording you learn all the basics of cntr:
1814

1915
## Features
2016

21-
- Cntr is container-agnostic: Instead of interfacing with container engines, it
22-
implements the underlying operating system API. It treats every container as a
23-
group of processes, that it can inherit properties from.
24-
- For user's convenience cntr also supports container names/identifier for the following container engines natively:
17+
- For convenience cntr supports container names/identifier for the following container engines natively:
2518
* docker
2619
* LXC
2720
* rkt
2821
* systemd-nspawn
29-
* for other container engines cntr also takes process ids instead of identifiers.
30-
- Cntr inherits the following container properties:
31-
* namespaces (mount, uts, pid, net, cgroup, ipc)
32-
* cgroups
33-
* apparamor/selinux
34-
* capabilities
35-
* user/group ids
36-
* environment variables
37-
* the following files: /etc/passwd, /etc/hostname, /etc/hosts, /etc/resolv.conf
38-
- We extensively evaluated the correctness and performance of cntr's filesystem
39-
using xfstests and a wide range of filesystem performance benchmarks (iozone,
40-
pgbench, dbench, fio, fs-mark, postmark, ...)
22+
- For other container engines cntr also takes process ids (PIDs) instead of container names.
4123

4224
## Installation
4325

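Review bot: new line 22 says "container names" while new line 17 says "container names/identifier" and the Usage section says "container identifier or process id"; pick one term so readers know what `cntr attach` accepts. Line 22 also turns the PID fallback from a nested `*` item into a top-level `-` bullet, so it no longer reads as the last entry of the engine list; if that is intended, reword line 17 so the two bullets read as a pair (named engines first, PIDs for everything else).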
@@ -53,6 +35,14 @@ All you need for compilation is rust + cargo.
5335
Checkout [rustup.rs](https://rustup.rs/) on how to get a working rust toolchain.
5436
Then run:
5537

38+
Either:
39+
40+
```console
41+
$ cargo install cntr
42+
```
43+
44+
Or the latest master:
45+
5646
```console
5747
$ cargo install --git https://github.com/Mic92/cntr
5848
```
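Review bot: the unchanged "Then run:" on line 37 now runs straight into "Either:", and neither option says which one is the released version. Suggest dropping "Then run:" and labelling the choices, for example "Install the latest release:" above `cargo install cntr`, keeping "Or the latest master:" for the `--git` form with a hint that master is unreleased code.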
@@ -71,10 +61,10 @@ At a high-level cntr provides two subcommands: `attach` and `exec`:
7161
- Example: `cntr attach <container_id>` where `container_id` can be a
7262
container identifier or process id (see examples below).
7363
- `exec`: Once you are in the container, you can also run commands from the
74-
container filesystem itself. Since those might need there native mount layout
64+
container filesystem itself. Since those might need their native mount layout
7565
at `/` instead of `/var/lib/cntr`, cntr provides `exec` subcommand to chroot to container
7666
again and also resets the environment variables that might have been changed
77-
by our shell.
67+
by the shell.
7868
- Example: `cntr exec <command>` where `command` is an executable in the container
7969

8070
**Note**: Cntr needs to run on the same host as the container. It does not work
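Review bot: style point on the unchanged line 65, in the sentence this hunk corrects: "cntr provides `exec` subcommand to chroot to container again" is still missing its articles. Since lines 64 and 67 are already being touched, suggest "cntr provides the `exec` subcommand to chroot into the container again".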
@@ -276,6 +266,29 @@ drwx------ 22 nobody nogroup 43 Mar 13 15:09 root
276266
...
277267
```
278268

269+
# How it works
270+
271+
Cntr is container-agnostic: Instead of interfacing with container engines, it
272+
implements the underlying operating system API. It treats every container as a
273+
group of processes, that it can inherit properties from.
274+
275+
Cntr inherits the following container properties:
276+
* Namespaces (mount, uts, pid, net, cgroup, ipc)
277+
* Cgroups
278+
* Apparamor/selinux
279+
* Capabilities
280+
* User/group ids
281+
* Environment variables
282+
* The following files: /etc/passwd, /etc/hostname, /etc/hosts, /etc/resolv.conf
283+
284+
Under the hood it spawns a shell or user defined program that inherits the full
285+
context of the container and mount itself as a fuse filesystem.
286+
287+
We extensively evaluated the correctness and performance of cntr's filesystem
288+
using [xfstests](https://github.com/Mic92/xfstests-cntr) and a wide range of
289+
filesystem performance benchmarks (iozone, pgbench, dbench, fio, fs-mark,
290+
postmark, ...)
291+
279292
# Related projects
280293
- [nsenter](https://manpages.debian.org/testing/manpages-de/nsenter.1.de.html)
281294
- Only covers linux namespaces and the user is limited to tools installed in the
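Review bot: new line 278 carries over the typo "Apparamor/selinux" from the removed list; it should read "AppArmor/SELinux". On line 285, "mount itself as a fuse filesystem" should be "mounts itself as a FUSE filesystem", and line 273 does not need the comma before "that". This section is now the only place that documents what the attached process inherits (namespaces, capabilities, user/group ids), so the intro should point readers to it.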
