Getting a Shell in the Docker Desktop Mac VM

docker-for-mac.md

2021 Update: Easiest option is Justin's repo and image

Just run this from your Mac terminal and it'll drop you in a container with full permissions on the Docker VM. This also works for Docker for Windows for getting in Moby Linux VM (doesn't work for Windows Containers).

docker run -it --rm --privileged --pid=host justincormack/nsenter1

more info: https://github.com/justincormack/nsenter1

---

Option 1 (hard way): use netcat

nc -U ~/Library/Containers/com.docker.docker/Data/debug-shell.sock

Exit the shell with exit.

Option 2 (easier): Use nsenter in priviledged container

docker run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh

Phil Estes (Docker Maintainer) says:

it’s running a container (using the debian image. nothing special about it other than it apparently has nsenter installed), with pid=host (so you are in the process space of the mini VM running Docker4Mac), and then nsenter says “whatever is pid 1, use that as context, and enter all the namespaces of that, and run a shell there"

Option 3 (easist): run nsenter from a pre-built image. From Justin Cormack (Docker Maintainer)

docker run -it --rm --privileged --pid=host justincormack/nsenter1

I get "permission denied" when trying to run screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty.
MacOS 11.15.6, docker desktop 2.3.0.4.
docker run -it --rm --privileged --pid=host justincormack/nsenter1 works though.

I get "permission denied" when trying to run screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty.
MacOS 11.15.6, docker desktop 2.3.0.4.
docker run -it --rm --privileged --pid=host justincormack/nsenter1 works though.

So do I.

I get "permission denied" when trying to run screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty.
MacOS 11.15.6, docker desktop 2.3.0.4.
docker run -it --rm --privileged --pid=host justincormack/nsenter1 works though.

Same issue. After some trials, able to connect to the the vm using `screen /dev/ttys000. You have to check the where does the tty file (~/Library/Containers/com.docker.docker/Data/vms/0/tty) points to?

+1 and thanks to @HKITYAN. It seems like docker this recently. I updated docker yesterday and screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty stopped connecting.

To fix screen tty:

• Make the tty file readable: chmod 400 ~/Library/Containers/com.docker.docker/Data/vms/0/tty
• Do not try to execute that file, but read its contents: screen $(cat ~/Library/Containers/com.docker.docker/Data/vms/0/tty)

@mjaverto the cat suggestion seems to no longer work with the latest 2.4.0.0 (48506) version of Docker Desktop. :-(

@mjaverto the cat suggestion seems to no longer work with the latest 2.4.0.0 (48506) version of Docker Desktop. :-(

Yes, the new version has changed some things around. We need to figure out a new way. Hopefully, as simple as with minikube.

Here is one way to get a shell in v2.4.0.0+:

$ nc -U ~/Library/Containers/com.docker.docker/Data/debug-shell.sock .

I get a shell. But how can ich change a file with vi? When I press the "Esc"-Key I get signs like "^[" this. And I have no statusline at the bottom. Or any other method to change a file in this shell?

I can use the debug shell normally in this way

1. Open debug-shell.sock by socat command with pty endpoint
2. Open the pty with screen command

$ socat -d -d ~/Library/Containers/com.docker.docker/Data/debug-shell.sock pty,rawer # it should show "PTY is /dev/ttys0xx" like line.
$ screen /dev/ttys0xx

thanks for this. i went through a deep rabbit hole due to broken, dead containers and really felt like it was important to delete them and was finally able to do that with this available.

EDIT: TIL about colima I might give that a shot as an alternative to Docker Desktop to see if that works better for me.

Just like to poke around. Put this in a shell script.

TTY_TMP=$(mktemp)
$(socat -d -d ~/Library/Containers/com.docker.docker/Data/debug-shell.sock pty,rawer 2>&1 | grep -Eo --line-buffered "/dev/tty\w+" > ${TTY_TMP} ) &
sleep 2
TTY=$(tail -n 1 "${TTY_TMP}")
picocom $TTY 2>/dev/null

I have an image for sql on mac
then i create a volume :dbdata
now I want to mount it with this command:
docker run -v /var/folders:/var/opt/mssql/data mcr.microsoft.com/mssql/server:2019-latest

but i see this error :
SQL Server 2019 will run as non-root by default.
This container is running as user mssql.

how do i do ?

Regarding the "2021 Update":
It's no longer necessary to use Justin Cormack's modification; the outstanding issue he mentions seems to be resolved. The first option he gives in his repo works just fine:
docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i sh

how do we exit out of the terminal opened by the screen command ? I keep getting a new shell prompt in docker desktop

The shell obtained by opening debug-shell.sock is very limited as it's a busybox executable. You can try to access the regular VM console with: socat ~/Library/Containers/com.docker.docker/Data/vms/0/console.sock -,rawer (exit by closing the terminal window as the prompt is configured to auto login).

Here's an example of how to install packages on the VM (htop in this case):

docker run -it --rm --privileged --pid=host justincormack/nsenter
$ mount -o remount,rw /
$ mkdir /var/cache/apk
$ apk add htop

docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i sh as suggested in justincormack/nsenter seems to work just fine with Docker Desktop 4.10.1 on macOS.

I just want to say thanks to @BretFisher and also everyone who commented, because using these suggested commands helped me to understend Docker Desktop more. I started to use console.sock, because I didn't know what was the difference between that and the debug shell. Then I realized when I intentionally broke my Docker Desktop and started to see logs in the console, but not in the debug shell. :) It was useful while I was working on a new tutorial.

Thanks very much. Very useful

nc -U ~/Library/Containers/com.docker.docker/Data/debug-shell.sock

It's nice, but commond prompt / # ^[[61;5R

Regarding the "2021 Update": It's no longer necessary to use Justin Cormack's modification; the outstanding issue he mentions seems to be resolved. The first option he gives in his repo works just fine: docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i sh

docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i sh ==> This worked like a charm on Macbook Air Ventura 13.0.1 with Docker Desktop Version 4.16.2 (95914). Thanks a lot.

Inspired by : https://github.com/jpetazzo/nsenter

/usr/local/bin/docker-enter :

#!/bin/sh

if [ -z "$1" ]; then
  echo "Usage: `basename "$0"` CONTAINER [COMMAND [ARG]...]"
  echo ""
  echo "Enters the Docker CONTAINER and executes the specified COMMAND."
  echo "If COMMAND is not specified, runs an interactive shell in CONTAINER."
  exit
fi

PID=$(docker inspect --format "{{.State.Pid}}" "$1")
[ -z "$PID" ] && exit 1
shift

# Prepare nsenter flags
OPTS="--target $PID --mount --uts --ipc --net --pid --"

docker run -it --rm --privileged --pid=host alpine:edge nsenter -t 1 -m -u -n -i nsenter $OPTS bash

To use it : docker-enter <container id>

It is different from docker exec -it CONTAINER_NAME /bin/bash as you enter in the container as root ;)

I've made a repo :) https://github.com/jbox-web/docker-enter

@n-rodriguez

It is different from docker exec -it CONTAINER_NAME /bin/bash as you enter in the container as root ;)

You could just use

docker exec --user root -it CONTAINER_NAME /bin/bash

:) But writing a script like yours is a good way to learn how containers work.

I would like to make persistent changes to the VM, but after I restart the container they are gone. More specifically, I'm trying to change the proxy environment variables inside the VM. Any chance to make these changes persistent?

When making the changes in the first place, I get Read-only file system on save and fixed it like so.

@rob-weiss that doesn't sound like the best way to set proxy ENVs. 1st, you should be setting those in the Docker Desktop settings under Resources. Then, you should change them in your docker CLI config: https://docs.docker.com/network/proxy/

I am running with userns. It seems that as a result, none of the --privileged solutions work. I receive:
docker: Error response from daemon: privileged mode is incompatible with user namespaces. You must run the container in the host namespace when running privileged mode.

I tried all other solutions in this thread. None work.

Any thoughts on how to get into the underlying VM while in userns mode?

Remove the control sequence like ^[[5;5R from the nc solution: (https://x.com/developerguyba/status/1458109231169691654)

stty -echo -icanon && nc -U ~/Library/Containers/com.docker.docker/Data/debug-shell.sock && stty sane