docker attach vs lxc-attach

Question

UPDATE: Docker 0.9.0 use libcontainer now, diverting from LXC see: Attaching process to Docker libcontainer container

I'm running an istance of elasticsearch:

docker run -d -p 9200:9200 -p 9300:9300 dockerfile/elasticsearch

Checking the process it show like the following:

$ docker ps --no-trunc
CONTAINER ID                                                       IMAGE                             COMMAND                                           CREATED             STATUS              PORTS                                            NAMES
49fdccefe4c8c72750d8155bbddad3acd8f573bf13926dcaab53c38672a62f22   dockerfile/elasticsearch:latest   /usr/share/elasticsearch/bin/elasticsearch java   About an hour ago   Up 8 minutes        0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp   pensive_morse   

Now, when I try to attach the running container, I get stacked:

$  sudo docker attach 49fdccefe4c8c72750d8155bbddad3acd8f573bf13926dcaab53c38672a62f22
[sudo] password for lsoave:

the tty doesn't connect and the prompt is not back. Doing the same with lxc-attach works fine:

$ sudo lxc-attach -n 49fdccefe4c8c72750d8155bbddad3acd8f573bf13926dcaab53c38672a62f22
root@49fdccefe4c8:/# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0 49 20:37 ?        00:00:20 /usr/bin/java -Xms256m -Xmx1g -Xss256k -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMa
root        88     0  0 20:38 ?        00:00:00 /bin/bash
root        92    88  0 20:38 ?        00:00:00 ps -ef
root@49fdccefe4c8:/# 

Does anybody know what's wrong with docker attach ?

NB. dockerfile/elasticsearch ends with:

ENTRYPOINT ["/usr/share/elasticsearch/bin/elasticsearch"]

Answer 1

You're attaching to a container that is running elasticsearch which isn't an interactive command. You don't get a shell to type in because the container is not running a shell. The reason lxc-attach works is because it's giving you a default shell. Per man lxc-attach:

If no command is specified, the current default shell of the user running lxc-attach will be looked up inside the container and executed. This will fail if no such user exists inside the container or the container does not have a working nsswitch mechanism.

docker attach is behaving as expected.

Answer 2

As Ben Whaley notes this is expected behavior. It's worth mentioning though that if you want to monitor the process you can do a number of things:

• Start bash as front process: e.g. $ES_DIR/bin/elasticsearch && /bin/bash will give you your shell when you attach. Mainly useful during development. Not so clean :)
• Install an ssh server. Although I've never done this myself it's a good option. Drawback is of course overhead, and maybe a security angle. Do you really want ssh on all of your containers? Personally, I like to keep them as small as possible with single-process as the ultimate win.
• Use the log files! You can use docker cp to get the logs locally, or better the docker logs $CONTAINER_ID command. The latter give you the accumulated stdin/stderr output for the entre lifetime of the container each time though.
• Mount the log directory. Just mount a directory on your host and have elasticsearch write to a logfile in that directory. You can have syslog on your host, Logstash, or whatever turns you on ;). Of course, the drawback here is that you are now using your host more than you might like. I also found a nice experiment using logstash in this blog.

Answer 3

FWIW, now that Docker 1.3 is released, you can use "docker exec" to open up a shell or other process on a running container. This should allow you to effectively replace lxc-attach when using the native driver.

http://blog.docker.com/2014/10/docker-1-3-signed-images-process-injection-security-options-mac-shared-directories/