How to know you are inside a Docker container

How to know that you are living in the Matrix? Well, I do not know, but at least I know how to tell you if you are inside a Docker container or not.

The Docker Matrix

Docker provides virtualization based on Linux Containers (LXC). LXC is a technology that provides operating-system-level virtualization for processes on Linux. This means that processes can be executed in isolation without starting a real, heavy virtual machine. All processes run on the same Linux kernel, but still have their own namespaces, users and file system.

An important feature of such virtualization is that applications inside a virtual environment do not know that they are not running on real hardware. An application sees the same environment whether it is running on real or virtual resources.

/proc

However, there are some tricks. The /proc file system provides an interface to the kernel's data structures for processes. It is a pseudo file system, and most of it is read-only. Every process on Linux has an entry in this file system, named by its PID:

In this directory we find information about the executed program, such as its command line arguments and working directory. Since Linux kernel 2.6.24, we also find a file called cgroup:

This file contains information about the control group the process belongs to. Normally, it looks something like this:

But since LXC (and therefore Docker) makes use of cgroups, this file looks different inside a container:

As you can see, some resources (like the CPU) belong to a control group named after the container. We can make this a little easier by using the keyword self instead of the PID: self always references the directory of the calling process:

And we can wrap this into a function (thanks to Henk Langeveld from StackOverflow):
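The following script is an added example and not the function from the post (nor Henk Langeveld's); it combines the /proc/self/cgroup check described above with the /.dockerenv marker mentioned in the comments, and takes an optional ROOT prefix so the checks can be run against a constructed directory tree. The cgroup line and container id in the demo fixture are constructed sample values.

```sh
#!/bin/sh
# Added example, not the post's own function: detect a Docker container from
# inside using the /proc/self/cgroup heuristic from the post and the
# /.dockerenv marker from comment 2. ROOT is an optional prefix so the checks
# can be run against a constructed directory tree instead of the live system.

# in_docker [ROOT]: prints which check fired and returns 0 if detected, else 1.
in_docker() {
    root="${1:-}"
    # cgroup v1 (the post): lines look like "1:cpu:/docker/<id>". On cgroup v2
    # the file holds only "0::/", so this check cannot fire there.
    if [ -r "$root/proc/self/cgroup" ] &&
       grep -qE '(^|/)(docker|lxc)(/|$)' "$root/proc/self/cgroup"; then
        echo cgroup
        return 0
    fi
    # /.dockerenv (comment 2): empty marker file Docker places in the
    # container root; still present on cgroup v2 hosts.
    if [ -f "$root/.dockerenv" ]; then
        echo dockerenv
        return 0
    fi
    return 1
}

# docker_container_id [ROOT]: best-effort id from a "/docker/<id>" cgroup path;
# prints nothing on cgroup v2, the limitation comment 2 points out.
docker_container_id() {
    root="${1:-}"
    sed -nE 's#^[0-9]+:[^:]*:.*/docker/([0-9a-f]+).*$#\1#p' \
        "$root/proc/self/cgroup" 2>/dev/null | head -n 1
}

# make_fixture DIR LINES: build a constructed fake root to exercise the checks.
make_fixture() {
    mkdir -p "$1/proc/self"
    printf '%s\n' "$2" > "$1/proc/self/cgroup"
}

# Demo: a constructed cgroup v1 fixture, then the live system.
demo=$(mktemp -d)
make_fixture "$demo" "12:cpu,cpuacct:/docker/8a1d175a0b6c"
echo "fixture: $(in_docker "$demo") id=$(docker_container_id "$demo")"
rm -rf "$demo"
if why=$(in_docker); then
    echo "live: inside Docker via $why, id=$(docker_container_id)"
else
    echo "live: no Docker container detected"
fi
```

Note that both checks are heuristics: the cgroup path is empty on cgroup v2 hosts and /.dockerenv can be absent on other container runtimes.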

Best regards,
Thomas

  1. I know you got this. But if you are using Ansible, you can look for this fact:

    ansible_virtualization_type

    On LXC, it will provide lxc.

  2. This doesn’t work with cgroup 2.0, and it doesn’t work inside Docker Desktop on Mac.

    root@8a1d175a0b6c:/# cat /proc/self/cgroup
    0::/

    The presence of a /.dockerenv file on the root filesystem in Linux is probably a more reliable way to know that you’re running inside a Docker container, but that doesn’t give you your container Id; it’s just an empty file.

    There needs to be a less fragile way to 1) detect when you’re running in a container, and 2) get your own container Id. The Docker team really dropped the ball on this. At a minimum, they should have put the container Id inside /.dockerenv.