Tricks
ssh
Docker images should run as non-root arbitrary users, but that makes anything that uses ssh (like git) a pain in the ass. ssh expects a username for the running UID, which you might not have at runtime. Fake it out and pretend to be root with libuid-wrapper and a homedir that you can create at runtime as the running user:
Dockerfile:
RUN apt update && apt -y install ... libuid-wrapper
RUN sed -i 's|:/root:|:/var/tmp/user:|' /etc/passwdENTRYPOINT/CMD wrapper script:
export HOME=/var/tmp/user
mkdir -p "$HOME/.ssh"
chmod 700 "$HOME"
chmod 700 "$HOME"/.ssh
export LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1
/app/do-ssh-stuff.pygit
If you're pushing/pulling from ssh urls, use the ssh trick above and add this to the entrypoint/cmd wrapper script as well so ssh doesn't moan about host keys:
git config --global core.sshCommand 'ssh -o StrictHostKeyChecking=no'python
Python stdout is buffered to non-tty file handles, so watching 'docker logs -f' will be a waste of everyone's time. Switch off buffering in your wrapper script with:
export PYTHONUNBUFFERED=1
/app/blah.pyDebug
Processes
Find docker processes from system shell
# docker ps
# ps -eo pid,cgroup,cmd | grep <first 8 chars of containerID>Network
Look at the network config from a container's namespace
# nsenter -t $(docker inspect --format '{{.State.Pid}}' <containerid>) -n ip {addr|route|...}Known Issues
DNS failing in containers
I don't know why, but sometimes (just sometimes) dockerd has problems creating iptables rules for the in-daemon resolver.
Check that 127.0.0.11 is listed in the container's resolv.conf as it should be, then check:
nsenter -n -t $(docker inspect --format {{.State.Pid}} <container>) iptables -t nat -nvL
There should be two DNAT and two SNAT rules for port 53 (upd & tcp). If they're missing, you'll need to restart dockerd to make it work.
This only affects newly started containers - if DNS works at container-boot but fails later, it's something else.