6.2.2.4 Interactive Shell Access

Interactive shell access refers to obtaining a usable command-line shell session running inside a container, either at creation time or attached to an already-running container, providing the most direct and flexible way to inspect or interact with a container's environment.

Obtaining Shell Access in a New Container

A shell can be the explicit command run when creating a new container, useful for exploration or testing in a fresh, isolated environment.

docker run -it ubuntu:22.04 bash

Obtaining Shell Access in an Existing Container

For a container already running its intended main process, docker exec attaches an additional shell process without disturbing the existing one.

docker exec -it myapp bash

Choosing the Right Shell for the Image

Not every image includes bash; many minimal images only provide a more basic shell, requiring the correct shell to be specified for the access attempt to succeed.

docker exec -it myapp sh

Alpine-based images, for instance, typically include sh (via BusyBox) but not bash by default, making sh the correct choice for those images.

Why Shell Access May Not Always Be Available

Some minimal or distroless images intentionally omit any shell entirely, as part of reducing their attack surface — for these images, shell access simply isn't possible without using a separately built debug variant of the image.

docker exec -it myapp sh

exec: "sh": executable file not found in $PATH

Why Interactive Shell Access Matters

Direct shell access remains one of the most versatile tools for understanding exactly what's happening inside a container, making it worth preserving — at least in a dedicated debug image variant — even for production images that otherwise deliberately omit a shell for security reasons.