Debugging in the container: how to resolve a host when you don’t have the tools

We've all been there. You are curious what container-A resolves container-B to. But, since you believe in security, you have carefully made sure container-A is as close to 'distroless' as possible. You've made the filesystem read-only, dropped all privileges, and left out all the tools.

You come along later and run 'kubectl exec -it ... sh'. And then you curse past-you for those short-sighted security decisions! How can you find out what it thinks the IP of container-B is without recompiling?

Well, here's a tip for you. 'getent' is part of libc.

# dpkg -S /usr/bin/getent 
libc-bin: /usr/bin/getent

This means you can simply run:

getent hosts rabbitmq-7c5fbf778d-mrqmt

and it will tell you how it resolves. Magic! No need to install dig/host/nslookup. No need to try and write a DNS packet with bash and use /dev/udp.

root@rabbitmq-7c5fbf778d-mrqmt:/$ apt-get update
E: List directory /var/lib/apt/lists/partial is missing. - Acquire (30: Read-only file system)
E: Could not open lock file /var/lib/dpkg/lock - open (2: No such file or directory)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
root@rabbitmq-7c5fbf778d-mrqmt:/$ host front-end-74698f5fc7-zxfzb
bash: host: command not found
root@rabbitmq-7c5fbf778d-mrqmt:/$ nslookup front-end-74698f5fc7-zxfzb
bash: nslookup: command not found
root@rabbitmq-7c5fbf778d-mrqmt:/$ dig front-end-74698f5fc7-zxfzb
bash: dig: command not found
root@rabbitmq-7c5fbf778d-mrqmt:/$ getent hosts front-end-74698f5fc7-zxfzb
10.244.0.91 front-end-74698f5fc7-zxfzb
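
Because getent resolves through NSS, its answer depends on /etc/nsswitch.conf and /etc/resolv.conf, and it helps to see those next to the result. The script below is an added example, not part of the original post: it prints the lookup order, the resolver settings and the getent answer using only shell builtins, so it works on the same stripped-down image. The function names are hypothetical, and the default paths assume a glibc-based image.

```bash
# Added example (not from the original post). Uses only shell builtins plus
# getent, so it runs on a read-only image without awk, sed or grep.
# Function names are hypothetical; paths are the standard glibc locations.

# Print the NSS sources for the "hosts" database, e.g. "files dns".
nss_hosts_sources() {
  local file="${1:-/etc/nsswitch.conf}" line
  [ -r "$file" ] || return 1
  while read -r line || [ -n "$line" ]; do
    case "$line" in
      hosts:*)
        line=${line#hosts:}; line=${line%%#*}     # drop key and comment
        line=${line#"${line%%[![:space:]]*}"}     # trim leading whitespace
        line=${line%"${line##*[![:space:]]}"}     # trim trailing whitespace
        printf '%s\n' "$line"; return 0 ;;
    esac
  done < "$file"
  return 1
}

# Print the nameserver, search and options lines the stub resolver will use.
resolver_settings() {
  local file="${1:-/etc/resolv.conf}" key rest
  [ -r "$file" ] || return 1
  while read -r key rest || [ -n "$key" ]; do
    case "$key" in
      nameserver|search|options) printf '%s %s\n' "$key" "$rest" ;;
    esac
  done < "$file"
}

# Resolve a name through NSS and print one address per line.
resolve_addrs() {
  local out addr rest
  command -v getent >/dev/null 2>&1 || return 127
  out=$(getent hosts "$1") || return $?   # getent exits 2 if the name is unknown
  printf '%s\n' "$out" | while read -r addr rest; do printf '%s\n' "$addr"; done
}

# Show the lookup order, the DNS settings and the answer for one name.
resolution_report() {
  printf 'nsswitch hosts: %s\n' "$(nss_hosts_sources || echo '(no hosts line found)')"
  resolver_settings || echo '/etc/resolv.conf not readable'
  resolve_addrs "$1" || echo "no answer for $1 (getent exit $?)"
}

if [ "$#" -gt 0 ]; then resolution_report "$1"; fi
```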
