How to replace lsof in Docker (native, not LXC-based)

0xC*_*22L 18 linux docker libcontainer

I am somewhat puzzled that lsof -i produces no output at all inside a Docker container.

Example (all commands/output from inside the container):

[1] root@ec016481cf5f:/# lsof -i
[1] root@ec016481cf5f:/# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

Also note how netstat does not show the PID or program name. fuser also gives somewhat confusing output and likewise cannot determine the PID.

Can anyone shed some light on this?

  • How can I replace lsof -i (and still see the process names!)?
  • Why is the netstat output crippled as well?

Note: the container runs with "ExecDriver": "native-0.1", i.e. Docker's own execution layer rather than LXC.


[1] root@ec016481cf5f:/# fuser -a4n tcp 22
Cannot stat file /proc/1/fd/0: Permission denied
Cannot stat file /proc/1/fd/1: Permission denied
Cannot stat file /proc/1/fd/2: Permission denied
Cannot stat file /proc/1/fd/3: Permission denied
Cannot stat file /proc/1/fd/255: Permission denied
Cannot stat file /proc/6377/fd/0: Permission denied
Cannot stat file /proc/6377/fd/1: Permission denied
Cannot stat file /proc/6377/fd/2: Permission denied
Cannot stat file /proc/6377/fd/3: Permission denied
Cannot stat file /proc/6377/fd/4: Permission denied
22/tcp:

(I am not obsessing over the Permission denied messages, given that number. What puzzles me is the empty list of PIDs after 22/tcp.)


# lsof|awk '$1 ~ /^sshd/ && $3 ~ /root/ {print}'
sshd    6377      root  cwd   unknown                        /proc/6377/cwd (readlink: Permission denied)
sshd    6377      root  rtd   unknown                        /proc/6377/root (readlink: Permission denied)
sshd    6377      root  txt   unknown                        /proc/6377/exe (readlink: Permission denied)
sshd    6377      root    0   unknown                        /proc/6377/fd/0 (readlink: Permission denied)
sshd    6377      root    1   unknown                        /proc/6377/fd/1 (readlink: Permission denied)
sshd    6377      root    2   unknown                        /proc/6377/fd/2 (readlink: Permission denied)
sshd    6377      root    3   unknown                        /proc/6377/fd/3 (readlink: Permission denied)
sshd    6377      root    4   unknown                        /proc/6377/fd/4 (readlink: Permission denied)
sshd    6442      root  cwd   unknown                        /proc/6442/cwd (readlink: Permission denied)
sshd    6442      root  rtd   unknown                        /proc/6442/root (readlink: Permission denied)
sshd    6442      root  txt   unknown                        /proc/6442/exe (readlink: Permission denied)
sshd    6442      root    0   unknown                        /proc/6442/fd/0 (readlink: Permission denied)
sshd    6442      root    1   unknown                        /proc/6442/fd/1 (readlink: Permission denied)
sshd    6442      root    2   unknown                        /proc/6442/fd/2 (readlink: Permission denied)
sshd    6442      root    3   unknown                        /proc/6442/fd/3 (readlink: Permission denied)
sshd    6442      root    4   unknown                        /proc/6442/fd/4 (readlink: Permission denied)
sshd    6442      root    5   unknown                        /proc/6442/fd/5 (readlink: Permission denied)

There is some further output for the connected user, which is also identified correctly, but that is all. Apparently it is not possible to tell what kind of "object" something is, which is exactly what the restriction to Internet sockets in lsof -i relies on.

eri*_*ers 9

(Note: the question does not say how the asker got into the docker container. I assume docker exec -it CONTAINER bash was used.)

I ran into this problem with a centos:7 docker image on docker version 1.9.0, and to get past it I just ran:

docker exec --privileged -it CONTAINER bash

Note the inclusion of --privileged.

My naive understanding of why this is needed: docker seems to go to some lengths to make containers more "secure", as described here
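The following is an added example, not code from the question or the answer above. It does by hand what netstat -tulpn and lsof -i do, so the step that breaks inside the container is visible: /proc/net/tcp gives every TCP socket and its inode, and /proc/<pid>/fd/<n> is a symlink reading socket:[<inode>] for the process that owns it. The kernel applies the same read-access check to those links that it applies to ptrace reads of a process, and when that check fails readlink(2) returns EACCES; netstat then prints "-" in the PID column and lsof cannot classify the fd as an Internet socket, which is the symptom in the question. Which policy denies it here (the container's reduced capability set, or a MAC profile such as AppArmor or SELinux) is not established by the page; the answer reports that docker exec --privileged makes it go away. The sample /proc/net/tcp text below is constructed, and the address decoding assumes a little-endian host (x86).

```shell
#!/bin/sh
# Added example: resolve listening TCP sockets to PIDs the way netstat -p does,
# and make the /proc/<pid>/fd readlink failure explicit instead of silent.

# Hex string to decimal; $((0x..)) is POSIX sh arithmetic.
hex_to_dec() {
    echo $((0x$1))
}

# Decode the "XXXXXXXX:PPPP" local_address field of /proc/net/tcp into
# "a.b.c.d:port". The IPv4 address is stored as a native-endian 32-bit value,
# so on a little-endian host the bytes are read back to front (assumption).
decode_local_address() {
    h=${1%%:*}; p=${1##*:}
    printf '%d.%d.%d.%d:%d\n' \
        "$((0x$(printf '%s' "$h" | cut -c7-8)))" \
        "$((0x$(printf '%s' "$h" | cut -c5-6)))" \
        "$((0x$(printf '%s' "$h" | cut -c3-4)))" \
        "$((0x$(printf '%s' "$h" | cut -c1-2)))" \
        "$((0x$p))"
}

# Read /proc/net/tcp-format text on stdin; print "addr:port inode" for each
# socket in LISTEN state (st == 0A). The inode is the 10th column.
list_listeners() {
    awk 'NR > 1 && $4 == "0A" { print $2, $10 }' | while read -r laddr inode; do
        printf '%s %s\n' "$(decode_local_address "$laddr")" "$inode"
    done
}

# Map a socket inode to its owning PID by walking /proc/*/fd, as netstat -p
# and lsof do. Prints the PID, or "-" when no readable fd link matches, and
# reports on stderr how many links could not be read: inside an unprivileged
# container that is the "Permission denied" shown in the lsof/fuser output.
inode_to_pid() {
    inode=$1
    unreadable=0
    for fd in /proc/[0-9]*/fd/*; do
        if target=$(readlink "$fd" 2>/dev/null); then
            if [ "$target" = "socket:[$inode]" ]; then
                pid=${fd#/proc/}
                echo "${pid%%/*}"
                return 0
            fi
        else
            unreadable=$((unreadable + 1))
        fi
    done
    echo "-"
    if [ "$unreadable" -gt 0 ]; then
        echo "inode $inode: readlink failed on $unreadable fd links;" \
             "the kernel gates /proc/<pid>/fd/* behind its ptrace read-access check" >&2
    fi
    return 1
}

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# a listener on 0.0.0.0:22 with inode 12345 and one ESTABLISHED client socket.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:D431 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1'

# Stand-alone run: resolve every real listener on this host, like netstat -tlpn.
# In a container where the fd links are unreadable every PID comes out as "-"
# and the stderr line says why.
if [ -r /proc/net/tcp ]; then
    list_listeners < /proc/net/tcp | while read -r laddr inode; do
        printf '%-22s %s\n' "$laddr" "$(inode_to_pid "$inode" || true)"
    done
fi
```

Run it once from an ordinary docker exec shell and once from a docker exec --privileged shell: the listener list from /proc/net/tcp is identical in both (that file is readable either way), and only the inode-to-PID step changes, which is why netstat still shows the ports but not the programs.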