19

Is there any way possible to exec a command from inside one docker container in the linked docker container? I don't want to exec the command from the host.

Vladimir Fejsov

3 Answers

5

As long as you have access to something like the docker socket within your container, you can run any command inside any docker container; it doesn't matter whether or not it is linked. For example:

# run a container and link it to `other`
docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock \
           --link other:other myimage bash -l
# inside that container, the mounted socket lets the docker CLI reach `other`
bash$ docker exec -it other echo hello

This works even if the link was not specified.

Abdullah Jibaly
  • 2
    Doing this allows anything running in the container to take control of the host machine. – Chris Pitman Apr 28 '15 at 05:13
  • 1
    @ChrisPitman yeah, obviously containers are just like any other binaries, don't run something you don't trust. I don't think that's relevant in any way. – Abdullah Jibaly Apr 28 '15 at 05:34
  • 5
    There is a difference between "be careful about what you run" and "we implemented a trivial container escape vulnerability". This is equivalent to allowing users anonymous ssh to your servers because no one unauthorized should have access to your network. – Chris Pitman Apr 28 '15 at 05:37
  • This is a common practice, it's even endorsed by docker engineers: http://nathanleclaire.com/blog/2014/07/12/10-docker-tips-and-tricks-that-will-make-you-sing-a-whale-song-of-joy/ – Abdullah Jibaly Apr 28 '15 at 05:42
  • There is a problem with this approach. By mounting a docker socket on a container, a container will immediately see all exposed ports from other containers (the same as the host does), which is not ideal for things like dockerize and wait-for-it since you lose the ability to wait for the ports to get "ready". – Dziamid Jun 12 '17 at 16:26
1

With docker-compose:

version: '2.1'

services:

  site:
    image: ubuntu
    container_name: test-site
    command: sleep 999999

  dkr:
    image: docker
    privileged: true
    working_dir: "/dkr"
    volumes:
      - ".:/dkr"
      - "/var/run/docker.sock:/var/run/docker.sock"
    command: docker ps -a

Then try:

docker-compose up -d site
docker-compose up dkr

Result:

Attaching to tmp_dkr_1
dkr_1   | CONTAINER ID        IMAGE                             COMMAND                  CREATED                  STATUS                   PORTS                     NAMES
dkr_1   | 25e382142b2e        docker                            "docker-entrypoint..."   Less than a second ago   Up Less than a second                              tmp_dkr_1

Example Project

https://github.com/reduardo7/docker-container-access

Eduardo Cuomo
0

As "Abdullah Jibaly" said, you can do that, but there are some security issues you have to consider. There is also a Docker SDK to use, and Python applications can use the Docker SDK for Python.