
I would like to access iptables, ufw and reboot running on host OS (Snappy Ubuntu Core 18.04) from Docker container (running on the same host).

What volumes or Docker container parameters are required to make this possible? Container can be run with root user and privileged access.

I'm totally aware of the security implications here, but security is not a concern in this context.

Ismar Slomic

1 Answer


Using SSH

You can run the container with the --net=host option; then it's possible to connect to the host from the container using ssh.

In host network mode, connecting to port 22 on the host from the container is possible.

Without SSH

If you don't want to use ssh, one way is explained in this post. You need to run the container with --privileged and --pid=host and then use the nsenter command. Using this command you get an interactive shell from the host. You can also run only the desired command.

# interactive shell in the host's mount/UTS/net/IPC namespaces (PID 1 is the host init because of --pid=host)
$ sudo docker run --privileged --pid=host -it alpine:3.8 \
    nsenter -t 1 -m -u -n -i sh
# run a single host command instead; the command and its flags are arguments to nsenter,
# not a pipe on the Docker host side, and `--` keeps nsenter from parsing `-S` as its own option
$ sudo docker run --privileged --pid=host --rm alpine:3.8 \
    nsenter -t 1 -m -u -n -i -- iptables -S

Note that if you are using macOS or Windows, Docker is running in a hypervisor, so using this, you would be in the shell of the hypervisor.

Vahid
  • SSH is disabled on host, so that would not be an option. Should have informed about that in my original post. Sorry! – Ismar Slomic Mar 14 '20 at 23:27
  • @IsmarSlomic If only the port is closed it should still work. It's not the case? – Vahid Mar 15 '20 at 00:21
  • The SSH port is not allowed in the firewall (iptables/ufw) on the host. I guess if I'm not able to SSH to the host from another machine, then it would be the same result trying SSH from the Docker container? – Ismar Slomic Mar 15 '20 at 09:08
  • I think I need to avoid using SSH, but rather try to execute ufw/iptables command directly from the container if possible – Ismar Slomic Mar 15 '20 at 09:16
  • If you want to avoid it, that's another story and you could have good reasons, but if you use host mode for the network, connecting with ssh from the container would be the same as connecting to localhost with ssh. Firewalls usually close the port for other IPs and not the host itself. If you haven't seen this, check it out; the first few answers are ssh, but there are a couple of other answers with lots of upvotes. https://stackoverflow.com/q/32163955/2596409 – Vahid Mar 15 '20 at 14:01
  • @IsmarSlomic Check the new edit, using the new approach you can do it without ssh. – Vahid Mar 15 '20 at 16:50
  • Thanks a lot, @vahid! I really appreciate your time and support! You were correct regarding ssh from localhost; I managed to get it to work, even though the firewall denies it for external IPs! `--pid=host` worked as well! – Ismar Slomic Mar 15 '20 at 22:12
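The `--privileged --pid=host` plus `nsenter` approach from the answer above, packaged as a small wrapper script. This is an added example by the editor, not code from the answer or from Docker; it is meant to be copied into the container image (for instance alpine:3.8, whose util-linux package provides `nsenter`) and called as `host-exec iptables -S`. Before entering the host namespaces it checks the two things that make the trick work and that are easy to forget: that PID 1 really is the host's init (i.e. the container was started with `--pid=host`) and that CAP_SYS_ADMIN is present (i.e. `--privileged` was used, since `setns()` needs it). The `/proc` file paths are the real ones; the optional file argument on the check functions exists only so they can be tested offline against constructed inputs.

```shell
#!/bin/sh
# host-exec: run a command on the Docker host from inside a container started
# with `docker run --privileged --pid=host ...`.
# Editor-added example, not code from the answer above.
# Assumes util-linux nsenter is installed in the container (e.g. alpine:3.8).

# Namespaces of PID 1 (the host init) to join: mount (-m, host filesystem and
# binaries), UTS (-u), network (-n, needed for iptables/ufw) and IPC (-i).
NSENTER_FLAGS="-t 1 -m -u -n -i"

# Render the nsenter command line that would be run (for logging / dry runs).
# The `--` stops nsenter from parsing the target command's own flags, so
# `iptables -S` is not misread as nsenter options.
show_nsenter_cmd() {
    printf 'nsenter %s -- %s\n' "$NSENTER_FLAGS" "$*"
}

# Check that the container shares the host PID namespace. Without --pid=host,
# PID 1 inside the container is the container's own entrypoint (sh, nginx, ...)
# and `nsenter -t 1` would just re-enter the container's own namespaces.
# $1 optionally overrides the file to read (constructed input in tests).
host_pid_ns_visible() {
    comm=$(cat "${1:-/proc/1/comm}" 2>/dev/null) || return 1
    case "$comm" in
        systemd|init) return 0 ;;
        *)            return 1 ;;
    esac
}

# Check that CAP_SYS_ADMIN (capability bit 21) is in the effective set.
# `--privileged` keeps all capabilities; the default Docker set does not
# include CAP_SYS_ADMIN, and setns() fails with EPERM without it.
# $1 optionally overrides the status file (constructed input in tests).
has_cap_sys_admin() {
    eff=$(awk '/^CapEff:/ {print $2}' "${1:-/proc/self/status}" 2>/dev/null)
    [ -n "$eff" ] || return 1
    # CapEff is a hex bitmask; test bit 21 with shell arithmetic.
    [ $(( (0x$eff >> 21) & 1 )) -eq 1 ]
}

# Run the command on the host, refusing early with a clear error otherwise.
host_exec() {
    if ! host_pid_ns_visible; then
        echo "host-exec: PID 1 is not the host init; start the container with --pid=host" >&2
        return 2
    fi
    if ! has_cap_sys_admin; then
        echo "host-exec: CAP_SYS_ADMIN missing; start the container with --privileged" >&2
        return 3
    fi
    echo "host-exec: $(show_nsenter_cmd "$@")" >&2
    # shellcheck disable=SC2086  # NSENTER_FLAGS is meant to be word-split
    exec nsenter $NSENTER_FLAGS -- "$@"
}

# Usage inside the container:
#   host-exec iptables -S
#   host-exec ufw status
#   host-exec reboot
if [ "$#" -gt 0 ]; then
    host_exec "$@"
fi
```

Two things worth knowing when using it. `-n` joins the host's network namespace, so `--net=host` is not required for iptables/ufw to see the host's rules, and `-p` is not needed because `--pid=host` already put the container in the host PID namespace. On Docker Desktop for macOS or Windows the PID 1 check passes as well, but, as the answer notes, PID 1 there is the init of the Linux VM, so the command runs in that VM and not on the Mac or Windows machine itself.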