86

Docker for Mac uses a Linux VM created by HyperKit for storing and running containers on Mac.

With Docker Toolbox, I can just open VirtualBox and access the docker-machine VM. But with Docker for Mac, how do I access the VM created by HyperKit?

Jifeng Zhang

6 Answers

141

Update 2019-01-31, thanks to ru10's update, now there is a better way:

```
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty
```

Original Answer:

After a while, I found the following way to get a shell of the VM that was created by HyperKit:

Run from terminal:

```
screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty
```

You will see an empty screen; press Enter and you will get a login prompt. Log in as root and hit Enter (no password), and you will get the shell.

To exit the session, type Ctrl-A k (then y to confirm).

It is a little bit hacky, but it seems to work for now (Sep 2016) (Sep 2017).

Todd Owen
Jifeng Zhang
  • 1
    This is totally broken for me. I can connect, but something is deeply wrong with the TERM settings or how data is piped through. I get a non-functional terminal session that is losing data and not formatting right. I'm trying more ways to maybe reset the session, but failing so far. – Gerry Gleason Jan 04 '17 at 19:17
  • for me it still works (feb-2017 1.13.0-beta39 using iterm2 terminal emulator) – Jauco Feb 01 '17 at 08:25
  • 1
    They need a better guide for this. I was able to follow your instructions and get into the VM. In my case, after pressing enter the first time, it simply took me to an `sh` prompt for the VM. When I ran `ls -l` on that `tty` path, it turned out there was a link to it at `/dev/ttys001`, which is much easier to type. – Spencer Williams Mar 19 '17 at 17:13
  • What can we do on this interface? I can't run node for example, I copied it somewhere else didn't work. – Inanc Gumus May 10 '17 at 14:47
  • Or does it enable me to connect to a network_mode=host container? – Inanc Gumus May 10 '17 at 14:48
  • July 2017 - Works ... Mac OS Sierra . Docker Version 17.06.0-ce-mac19 (18663) – sapy Jul 31 '17 at 11:39
  • Sep '17: Doesn't work for me (Sierra 10.12.6). The command just outputs whatever I write until I press Ctrl-Z – Mahdi Sep 18 '17 at 17:13
  • @mahdix, if you press enter, you will get a prompt. I have updated the instructions. – Jifeng Zhang Sep 19 '17 at 09:36
  • @JifengZhang If I press enter, cursor just moves to the next line. Nothing else happens. Until I press Ctrl-Z which returns me to my bash prompt. – Mahdi Sep 19 '17 at 15:59
  • @GerryGleason If you, like me, connect to the TTY twice, the second screen session can cause all kinds of problems. In my case, I simply failed to quit the first session: I used Ctrl-A d, which only detached screen. I had to either use screen -r to restore the session, or quit the first session completely by Ctrl-A k. – Yongwei Wu Mar 23 '18 at 10:38
  • @GerryGleason I didn't know how to end the screen session, so I closed the terminal. When I connected for the second time, I had the exact same problem you described. I believe this happens because two screen sessions are trying to read from/write to the same tty. I was able to solve it by ending all the running screen sessions. To do so, reattach to the screen with `screen -r [screen id]`, then press CTRL a+k, confirm to kill the screen by pressing y. To find all the screens you have open use `screen -ls`. – Thiago Barcala Mar 23 '18 at 15:22
  • What I don't understand: how come this VM doesn't have the command `docker`? – Rafael Eyng Jan 16 '20 at 19:02
  • 9
    This no longer works in Docker Desktop 3. – smammy Mar 01 '21 at 16:54
47

Mac OS High Sierra Docker version 18.06.0-ce-mac70 (26399)

```
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty
```

instead of

```
screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty
```
ru10
27

According to this GitHub issue comment by a Docker maintainer, the recommended way to access the VM is through a privileged docker container.

Try logging into the VM: (I recommend this instead of using screen on the TTY)

```
$ docker run -it --privileged --pid=host justincormack/nsenter1
```
augurar
  • 2
    this works for me, accessing the tty in catalina did not – xenoterracide Sep 30 '20 at 22:25
  • 10
    This should be in the accepted answer in 2021, since the `tty` link has gone away in recent versions of Docker Desktop. If you're leery of using a random image from an unverified publisher, this also works: `docker run -it --rm --privileged --pid=host busybox nsenter -t1 -m -u -i -n`. – smammy Mar 01 '21 at 16:49
  • Sometimes the docker daemon is hosed and you need VM access to revive it. In fact, this has been the only time so far in my dev where I've needed VM access. – parity3 Mar 09 '21 at 19:47
1

In fact, the answer from augurar is the only one working as of 2021, as smammy says; the other options are deprecated.

So:

```
$ docker run -it --privileged --pid=host justincormack/nsenter1
```

was the right answer and worked for me in MacOS Big Sur as of July 2021.

Athalas
1

I'm using docker desktop 4.7.1 on Mac. As mentioned, some of the good solutions proposed above do not work on newer docker desktop (tty link is gone).

I preferred the solution of smammy, which does not involve using an image from an unverified publisher (image: justincormack/nsenter1, though the image comes from a docker maintainer and the repository has a lot of stars), especially when it needs to run docker with the '--privileged' flag, which grants docker full access to the host machine.

This worked for me (using busybox image, which contains nsenter utility):

```
docker run -it --rm --privileged --pid=host busybox nsenter -t1 -m -u -i -n
```

You can find an explanation of the command at
https://www.bretfisher.com/docker-for-mac-commands-for-getting-into-local-docker-vm/ (and a similar suggestion, using a debian image instead of busybox).

Another solution proposed there (but less convenient, as it does not have auto-completion) is to use netcat:

```
nc -U ~/Library/Containers/com.docker.docker/Data/debug-shell.sock
```
Eliyahu Machluf
0

There is a universal answer to this question in Kubernetes in Action, 2nd Edition:

you can run a special container configured to use the VM’s namespaces to run a remote shell, which is virtually identical to using SSH to access a remote server. To run the container, execute the following command:

```
docker run --net=host --ipc=host --uts=host --pid=host --privileged \
  --security-opt=seccomp=unconfined -it --rm -v /:/host alpine chroot /host
```

This long command requires explanation:

  • The container is created from the alpine image.
  • The --net, --ipc, --uts and --pid flags make the container use the host’s namespaces instead of being sandboxed, and the --privileged and --security-opt flags give the container unrestricted access to all sys-calls.
  • The -it flag runs the container in interactive mode and the --rm flag ensures the container is deleted when it terminates.
  • The -v flag mounts the host’s root directory to the /host directory in the container. The chroot /host command then makes this directory the root directory in the container.
Kirill
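
An added example, not part of any answer on this page: a defender-side audit that reads `docker inspect` JSON and reports which containers were started with the isolation-removing flags the answers above rely on (`--privileged`, host namespaces, `seccomp=unconfined`, a bind mount of `/`). The sample JSON and container names are constructed; the `HostConfig` field names are the ones Docker reports.

```python
import json

# Constructed `docker inspect` output (HostConfig only): chroot shell, nsenter, default.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/vm-shell", "HostConfig": {
        "Privileged": True, "PidMode": "host", "NetworkMode": "host",
        "IpcMode": "host", "UTSMode": "host",
        "SecurityOpt": ["seccomp=unconfined"], "Binds": ["/:/host"]}},
    {"Name": "/nsenter", "HostConfig": {
        "Privileged": True, "PidMode": "host", "NetworkMode": "default",
        "IpcMode": "private", "UTSMode": "", "SecurityOpt": None, "Binds": None}},
    {"Name": "/web", "HostConfig": {
        "Privileged": False, "PidMode": "", "NetworkMode": "bridge",
        "IpcMode": "private", "UTSMode": "", "SecurityOpt": None,
        "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
])

# HostConfig field -> the docker run flag that sets it to "host".
NAMESPACE_FIELDS = {"PidMode": "--pid=host", "NetworkMode": "--net=host",
                    "IpcMode": "--ipc=host", "UTSMode": "--uts=host"}

def isolation_findings(host_config):
    """Return the docker run flags that removed isolation for one container."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("--privileged")
    for field, flag in NAMESPACE_FIELDS.items():
        if host_config.get(field) == "host":
            findings.append(flag)
    if "seccomp=unconfined" in (host_config.get("SecurityOpt") or []):
        findings.append("--security-opt=seccomp=unconfined")
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")  # source:target[:options]
        if len(parts) > 1 and parts[0] == "/":
            findings.append(f"-v /:{parts[1]}")
    return findings

def audit(inspect_json):
    """Map container name -> findings, for containers that have any."""
    report = {}
    for container in json.loads(inspect_json):
        found = isolation_findings(container.get("HostConfig") or {})
        if found:
            report[container["Name"].lstrip("/")] = found
    return report

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {' '.join(flags)}")
```

On a live system, pass it the output of `docker inspect $(docker ps -q)`; any container reported with both `--privileged` and `--pid=host` can enter the VM's namespaces the way the `nsenter` commands above do.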