
I have a web service (webpage) that allows the user to configure the network interfaces of the host (it is basically a webpage used to configure the host NICs). Now we are thinking of moving such service inside a docker container. That means that the sw running inside the container should be able to modify the configuration of the network interface of the host the docker is running on top of.

I tried starting a docker with --network=host and I used the ip command to modify the interfaces configuration, but all I can (obviously?!?) get is permission denied.

This probably makes sense as it might be an issue from a security point of view, not to mention you are changing the network configuration seen by other potentially running containers, but I'm wondering if there is any docker configuration/setting that might allow me to perform the task entirely inside the docker container (at my own risk).

By that I mean that I can think of at least a workaround, having a service running on the host (outside the docker container) and having the docker and the service talk to each other with some IPC mechanics. This is a solution, but not optimal, as this will break the docker paradigm of having all your stuff running inside the container. Moreover, that would mean that when we upgrade the container with a new version of the software, we might also need to upgrade the module outside the container.

  • Hey @sergico, I know it's been more than 6 years but may I ask if you figured out how to manipulate the host machine's network settings from inside Docker container? Commented Mar 6, 2023 at 9:54
  • @ybalcanci actually I succeeded using the suggestion that BMitch gave: I gave the correct Capability to my docker instances. Commented Mar 9, 2023 at 18:52
  • Thanks and sorry for the unclear question. Let's say I have a docker container running in privileged mode and host network. What command/program can I use to manage network interfaces? netplan, for example, fails with an error related to systemctl. I tried mounting in some volumes etc., nothing worked so far. Commented Mar 10, 2023 at 7:27
  • @ybalcanci I just used the linux ip tool but I guess anyone allowing to manage the network configuration via cli should work, once you have the correct capabilities Commented Mar 15, 2023 at 15:37

1 Answer


Try running your container in privileged mode to remove the container restrictions:

docker run --net=host --privileged ...

If that solves your issue, you can likely replace the --privileged with --cap-add and various kernel capabilities. The first privilege that comes to mind is NET_ADMIN, which you could try with:

docker run --net=host --cap-add NET_ADMIN ...

See this section of the docker run docs for more details on configuring privileges.
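To apply the answer with the least privilege, here is an added shell example (not part of the original answer): it builds the docker run arguments with every capability dropped except the ones passed in, and checks a CapEff mask as found in /proc/self/status for CAP_NET_ADMIN (capability number 12). The sample masks are constructed, and that the ip tool needs only NET_ADMIN for the intended operations is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Build a least-privilege
# `docker run` argument list and verify, from inside the container,
# that CAP_NET_ADMIN is actually present in the effective set.

# Host networking plus only the capabilities passed as arguments,
# instead of --privileged (which grants everything).
docker_net_args() {
  # $@ = capability names, e.g. NET_ADMIN
  args="--net=host --cap-drop ALL"
  for cap in "$@"; do
    args="$args --cap-add $cap"
  done
  printf '%s' "$args"
}

# Return 0 if the given CapEff hex mask has CAP_NET_ADMIN (bit 12) set.
has_net_admin() {
  # $1 = CapEff value as printed in /proc/self/status, e.g. "0000000000001000"
  mask=$(( 0x$1 ))
  [ $(( (mask >> 12) & 1 )) -eq 1 ]
}

# Effective capability set of the current process (run inside the container).
current_cap_eff() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample: only bit 12 set, as expected after
# --cap-drop ALL --cap-add NET_ADMIN.
SAMPLE_CAPEFF_NET_ADMIN_ONLY="0000000000001000"
# Constructed sample: a bounding set resembling docker's default, which
# does not include NET_ADMIN, so `ip` changes get permission denied.
SAMPLE_CAPEFF_DEFAULT="00000000a80425fb"

# Usage on the host (not executed here):
#   docker run $(docker_net_args NET_ADMIN) alpine sh -c 'grep CapEff /proc/self/status'
# and inside the container:
#   has_net_admin "$(current_cap_eff)" && echo "NET_ADMIN available"
```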


1 Comment

The proposed solution with --privileged works. Will try the fine-grained kernel cap. Thanks
