Docker exec versus nsenter: Any gotchas?

Asked 10/1, 2015 at 5:52 Answered 1/1, 2016 at 23:19

I've been using nsenter for the last few months to get a shell running on a container for debugging purposes. I have heard about and used docker exec which was introduced in version 1.3. Docker exec seems to be the new best practice for the purpose of getting inside a container for debugging purposes, but I'm wondering if there are any drawbacks to using docker exec versus nsenter. Information comparing the two is scant. Are there any specific problems I should watch out for or avoid when using docker exec versus nsenter?

Ingenious answered 10/1, 2015 at 5:52 Comment(2)

If using docker 1.3 or later, I would go only with docker exec as it is now the supported way, and I suppose nsenter is no longer maintained. – Carcinoma 10/1, 2015 at 10:0

Yes, I agree it's what was intended to fill that particular hole, and I have been and will continue using it, but I am wondering if there are any specific drawbacks to it versus nsenter. – Ingenious 10/1, 2015 at 10:2

That is not entirely clear right now. But I would support the view that since docker exec is the official way, to go with that. The author of nsenter actually recommends using docker exec. If you encounter any drawbacks, he encourages you to report them though.

Chalet answered 11/1, 2015 at 20:17 Comment(3)

Nice! That's an excellent link I hadn't found, the author recommending docker exec. – Ingenious 11/1, 2015 at 22:58

That does not answer the "docker exec versus nsenter" question. – Therine 1/1, 2016 at 23:18

@user31986: OP seems happy, nsenter is obsolete, case closed. – Chalet 23/3, 2016 at 20:33

Docker Exec vs. Nsenter

nsenter does not provide resource-limits as it does not use cgroups unlike docker
nsenter only works on x86-64 arch
nsenter cannot run inside a container (only on host)

There are differences between nsenter and docker exec; namely, nsenter doesn't enter the cgroups, and therefore evades resource limitations. The potential benefit of this would be debugging and external audit. But for remote access, docker exec is the current recommended approach.

nsenter only works on Intel 64 bits platforms.

nsenter still needs to run from the host; it cannot run inside a container.

ref: https://github.com/jpetazzo/nsenter/blob/master/README.md

Therine answered 1/1, 2016 at 23:19 Comment(3)

A rather technical side note than an answer. OP asked for "specific problems […] to watch out for or avoid when using". You come to the same conclusion that docker exec is the recommended way for access and describe no "specific problems" for either approach. What's the reason for this post? – Chalet 2/1, 2016 at 15:26

Well those are useful details if you are looking from an engineer's perspective (and not a sysadmin's). – Therine 23/3, 2016 at 0:51

I for one appreciate the 110% @user31986. There's always an edge-case hiding in the shadows that'll bite you, but then you just might remember ... – Nonmoral 12/4, 2017 at 9:56

Recommended topics

Hot tags