How to connect to the host machine from a container using the nsenter utility

There is a utility called nsenter in Ubuntu. nsenter is a small tool that allows you to enter namespaces. It will enter your Docker container. I want to control the host machine from the Docker container. How do I connect to the host machine from the container using the nsenter utility?
nsenter allows you to join the Linux namespaces of a targeted process id (PID).

First, run a container that shares your host's PID namespace with --pid=host. The container has to be privileged with --privileged, otherwise executing nsenter will fail with an "Operation not permitted" error. The container is kept running indefinitely by executing tail -f /dev/null.

docker run --pid=host --privileged --name admin-container ubuntu:latest tail -f /dev/null

Then exec into the container with nsenter, entering the file system, ipc, uts and network namespace of the host machine's very first init process (PID = 1):

docker exec -it admin-container nsenter --target 1 --mount --uts --ipc --net /bin/bash

Have a look around and you will notice you are on the host machine.
("If you disable Docker's security controls, then you can escape the container.") –
Complete
I guess the whole purpose of using nsenter is to escape the container (for admin purposes), right? –
Klinger
@FritzDuchardt Thank you for your answer. Could you please explain what the meaning of "tail -f /dev/null" in the above command is? –
Furnary
@AshokKumar sure - I have added a short explanation to my answer: it's to keep the container running. –
Klinger
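The answer above shows that the escape only works because the container was started with both --pid=host and --privileged. From the defender's side, the same two settings are what to look for when auditing a host. The script below is an added example, not code from the question or the answer: it reads the JSON that `docker inspect` emits (the real `HostConfig.Privileged`, `HostConfig.PidMode`, `HostConfig.CapAdd` and `HostConfig.SecurityOpt` fields) and flags containers that can reach the host's PID 1 namespaces. The sample inspect document is constructed here, with placeholder IDs. Beyond the page's two flags, it also reports CAP_SYS_ADMIN / CAP_SYS_PTRACE grants and `*=unconfined` security options, since those are the narrower privileges that setns() and /proc/1/ns access require.

```python
import json

# Constructed sample in the shape of `docker inspect` output (a JSON array, one object
# per container). Only the fields the audit reads are filled in; the IDs are placeholders.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "<placeholder-id-1>",
        "Name": "/admin-container",
        "HostConfig": {"Privileged": True, "PidMode": "host",
                       "CapAdd": None, "SecurityOpt": None},
    },
    {
        "Id": "<placeholder-id-2>",
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": "",
                       "CapAdd": ["NET_BIND_SERVICE"], "SecurityOpt": None},
    },
    {
        "Id": "<placeholder-id-3>",
        "Name": "/debug",
        "HostConfig": {"Privileged": False, "PidMode": "host",
                       "CapAdd": ["SYS_ADMIN", "SYS_PTRACE"],
                       "SecurityOpt": ["apparmor=unconfined"]},
    },
])

# Capabilities that let a process call setns() on another process's namespaces
# (CAP_SYS_ADMIN) and open /proc/<pid>/ns/* of a foreign process (CAP_SYS_PTRACE).
# Docker accepts both spellings in --cap-add, so both are matched.
NS_ENTRY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE"}


def audit_container(container):
    """Return the list of findings for one `docker inspect` record (empty if clean)."""
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")            # started with --privileged
    if hc.get("PidMode") == "host":
        findings.append("host-pid")              # started with --pid=host
    caps = {c.upper() for c in (hc.get("CapAdd") or [])}
    risky_caps = caps & NS_ENTRY_CAPS
    if risky_caps:
        findings.append("cap-add:" + ",".join(sorted(risky_caps)))
    for opt in hc.get("SecurityOpt") or []:
        if opt.endswith("=unconfined"):          # e.g. apparmor=unconfined, seccomp=unconfined
            findings.append("security-opt:" + opt)
    # The combination the answer relies on: the host's PID 1 is visible to the
    # container and the container holds the privileges needed to join its namespaces.
    if "host-pid" in findings and ("privileged" in findings or risky_caps):
        findings.append("HOST-NAMESPACE-ENTRY-POSSIBLE")
    return findings


def audit_inspect_json(text):
    """Parse `docker inspect` JSON and map container name -> findings for flagged containers."""
    report = {}
    for container in json.loads(text):
        name = container.get("Name", container.get("Id", "?")).lstrip("/")
        findings = audit_container(container)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

On a real host, feed it live data with `docker inspect $(docker ps -q) > inspect.json` and pass the file contents to `audit_inspect_json`. A container that is only privileged, or only shares the host PID namespace, is still reported, but the combined marker is what corresponds to the escape described in the answer.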
docker exec -it CONTAINER_NAME /bin/bash is a superior way for such a task compared to nsenter. Ref: github.com/jpetazzo/nsenter – Phillips