docker attach vs lxc-attach

StackOverflow https://stackoverflow.com/questions/22310925

Question

UPDATE: Docker 0.9.0 use libcontainer now, diverting from LXC see: Attaching process to Docker libcontainer container

I'm running an istance of elasticsearch:

docker run -d -p 9200:9200 -p 9300:9300 dockerfile/elasticsearch

Checking the process it show like the following:

$ docker ps --no-trunc
CONTAINER ID                                                       IMAGE                             COMMAND                                           CREATED             STATUS              PORTS                                            NAMES
49fdccefe4c8c72750d8155bbddad3acd8f573bf13926dcaab53c38672a62f22   dockerfile/elasticsearch:latest   /usr/share/elasticsearch/bin/elasticsearch java   About an hour ago   Up 8 minutes        0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp   pensive_morse

Now, when I try to attach the running container, I get stacked:

$  sudo docker attach 49fdccefe4c8c72750d8155bbddad3acd8f573bf13926dcaab53c38672a62f22
[sudo] password for lsoave:

the tty doesn't connect and the prompt is not back. Doing the same with lxc-attach works fine:

$ sudo lxc-attach -n 49fdccefe4c8c72750d8155bbddad3acd8f573bf13926dcaab53c38672a62f22
root@49fdccefe4c8:/# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0 49 20:37 ?        00:00:20 /usr/bin/java -Xms256m -Xmx1g -Xss256k -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMa
root        88     0  0 20:38 ?        00:00:00 /bin/bash
root        92    88  0 20:38 ?        00:00:00 ps -ef
root@49fdccefe4c8:/#

Does anybody know what's wrong with docker attach ?

NB. dockerfile/elasticsearch ends with:

ENTRYPOINT ["/usr/share/elasticsearch/bin/elasticsearch"]
Was it helpful?

Solution

You're attaching to a container that is running elasticsearch which isn't an interactive command. You don't get a shell to type in because the container is not running a shell. The reason lxc-attach works is because it's giving you a default shell. Per man lxc-attach:

If no command is specified, the current default shell of the user running lxc-attach will be looked up inside the container and executed. This will fail if no such user exists inside the container or the container does not have a working nsswitch mechanism.

docker attach is behaving as expected.

OTHER TIPS

As Ben Whaley notes this is expected behavior. It's worth mentioning though that if you want to monitor the process you can do a number of things:

  • Start bash as front process: e.g. $ES_DIR/bin/elasticsearch && /bin/bash will give you your shell when you attach. Mainly useful during development. Not so clean :)
  • Install an ssh server. Although I've never done this myself it's a good option. Drawback is of course overhead, and maybe a security angle. Do you really want ssh on all of your containers? Personally, I like to keep them as small as possible with single-process as the ultimate win.
  • Use the log files! You can use docker cp to get the logs locally, or better the docker logs $CONTAINER_ID command. The latter give you the accumulated stdin/stderr output for the entre lifetime of the container each time though.
  • Mount the log directory. Just mount a directory on your host and have elasticsearch write to a logfile in that directory. You can have syslog on your host, Logstash, or whatever turns you on ;). Of course, the drawback here is that you are now using your host more than you might like. I also found a nice experiment using logstash in this blog.

FWIW, now that Docker 1.3 is released, you can use "docker exec" to open up a shell or other process on a running container. This should allow you to effectively replace lxc-attach when using the native driver.

http://blog.docker.com/2014/10/docker-1-3-signed-images-process-injection-security-options-mac-shared-directories/

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top