Docker run script in host on docker-compose up

3

25

My question relates to best practices on how to run a script on a docker-compose up directive.

Currently I'm sharing a volume between host and container to allow for the script changes to be visible to both host and container. This is similar to a watcher script polling for changes on a configuration file. The script has to act on the host on changes, according to predefined rules.

How could I start this script on a docker-compose up directive or even from the Dockerfile of the service, so that whenever the container goes up the "watcher" can find any changes being made and writing to.

The container in question will always run over a Debian / Ubuntu OS and should be architecture independent, meaning it should be able to run on ARM as well.

I wish to run a script on the Host, not inside the container. I need the Host to change its network interface configurations to easily adapt to any environment. The HOST needs to change, I repeat. This should be seamless to the user, and easily editable on a Web interface running Inside a CONTAINER to adapt to new environments.

I currently do this with a script running on the host based on crontab. I just wish to know the best practices and examples of how to run a script on HOST from INSIDE a CONTAINER, so that the deploy can be as easy for the installing operator to just run docker-compose up.

Uric answered 4/4, 2017 at 13:41 Comment(4)
Have you taken a look at this: "How to run shell script on host from docker container?"? - Duntson
Yes, I have, but either I'm just not understanding the command, or it just won't work. Try the following if you have docker in hand with an ubuntu image: $ docker run --rm --privileged -v /sbin/:/sbin ubuntu /sbin/ifconfig then $ ifconfig Am I missing something here? - Uric
The first command prints information about the container (in my case eth0 gets 172.17.0.2) and the second one prints information about the host machine. What's the problem? - Duntson
So, how is that different from just having a running container and running docker exec -it container bash ifconfig? How can I have it run the command on the host using the directive --privileged? I don't mean the ifconfig but any shell / bash script. - Uric
5

I just wish to know the best practices and examples of how to run a script on HOST from INSIDE a CONTAINER, so that the deploy can be as easy for the installing operator to just run docker-compose up

It seems that there is no best practice that can be applied to your case. A workaround proposed here: "How to run shell script on host from docker container?" is to use a client/server trick.

  1. The host should run a small server (choose a port and specify a request type that you should be waiting for)
  2. The container, after it starts, should send this request to that server
  3. The host should then run the script / trigger the changes you want

This is something that might have serious security issues, so use at your own risk.

Duntson answered 5/4, 2017 at 13:54 Comment(5)
Well, I'll mark your answer as correct, for actually bringing a different approach to my current approach of using a script on the host polling for changes on a shared volume, and given the fact that there doesn't seem to be a concrete answer to the subject. However, regarding the security issues, I will have to disagree with you. Docker is not meant to create a security layer, but for easy portability (Ship it, right?). If your container is compromised, you are in deep trouble already; man, the docker daemon runs as root on your host, you run docker without root access giving it root access... - Uric
There is just too much concern regarding something that was not built as a design in docker. These days even bare-metal hypervisors are not safe and leak information across VMs. The idea of docker is essentially to avoid dependency hell and allow fast deployments. Systems are compromised all the time, humans are in the loop, and giving the container the ability to speak to the host is no different than having your webservice compromised in any other way. - Uric
Thanks, docker evolves and this answer here might be outdated quite soon. We can keep an eye on it and see what options will be added in the future... - Duntson
I will just leave a link for people trying to run docker containers from other containers inside the docker host, reaching this page trying to find useful information. Run docker commands in host from inside docker container: tdeheurles.github.io/acting-on-docker-from-inside-docker - Uric
A simple hook infrastructure in docker-compose would have really helped with some developer-environment type scenarios like this (e.g. vagrant has a way to run custom scripts during vagrant up, etc.). - Geriatric
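The client/server workaround from the answer above, sketched as an added example (not code from the answer or its comments): a host-side listener on a Unix socket placed in the directory already shared with the container, which accepts only a fixed action name and runs a predefined script, so no container-supplied bytes reach a command line. The action name, script path and socket path are assumptions.

```python
import os
import socket
import subprocess

# Assumption: hypothetical action name and host script path; adjust to your setup.
ALLOWED_ACTIONS = {
    b"apply-network-config": ["/usr/local/sbin/apply-network-config.sh"],
}
MAX_REQUEST = 64  # bytes; a valid request is just a short action name

def handle_request(raw, runner=subprocess.run):
    """Map a request to a fixed argv. No byte sent by the container ever
    reaches the command line; unknown requests are rejected."""
    argv = ALLOWED_ACTIONS.get(raw.strip())
    if argv is None:
        return b"ERR unknown action\n"
    try:
        result = runner(argv, shell=False, timeout=30)
    except subprocess.TimeoutExpired:
        return b"ERR script timed out\n"
    return b"OK\n" if result.returncode == 0 else b"ERR script failed\n"

def make_listener(sock_path):
    """Bind a Unix socket inside the directory shared with the container."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    os.chmod(sock_path, 0o660)  # owner and group only, not world-writable
    listener.listen(1)
    return listener

def serve_one(listener, runner=subprocess.run):
    """Accept one connection, read a bounded request, answer, close."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        try:
            raw = conn.recv(MAX_REQUEST + 1)
        except socket.timeout:
            raw = b""  # silent client: falls through to "unknown action"
        too_long = len(raw) > MAX_REQUEST
        reply = b"ERR request too long\n" if too_long else handle_request(raw, runner)
        conn.sendall(reply)
    return reply

if __name__ == "__main__":
    lst = make_listener("/srv/hostctl/control.sock")  # assumed shared directory
    while True:
        serve_one(lst)
```

The container side only needs to connect to the socket through the shared volume and write the action name.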
-1

The script needs to run continuously in the foreground.

In your Dockerfile use the CMD directive and define the script as the parameter.

When using the cli, use docker run -d IMAGE SCRIPT

Bokbokhara answered 5/4, 2017 at 3:28 Comment(2)
I'm not entirely sure you understood the question. What I meant is, I need to run a script on the Host, when the containers go up, so that the container and host can communicate with each other and I can change current network configurations on the host. The CMD directive will run the script inside the running container, not inside the hosting machine, nor should it run. - Uric
Your question wasn't very clear. Containers aren't intended to interact with the host. You can work around this using docker run --network=host to directly expose the container using the host's network stack. You could mount the host's filesystem inside the container as well. It sounds like you need a wrapper script or to rethink how you're using docker. - Bokbokhara
-4

You can create an alias for docker-compose up. Put something like this in ~/.bash_aliases (in Ubuntu):

alias up="docker-compose up; ~/your_script.sh"

I'm not sure if running scripts on the host from a container is possible, but if it's possible, it's a severe security flaw. Containers should be isolated, that's the point of using containers.

Roz answered 5/4, 2017 at 9:58 Comment(3)
Thank you for answering, it's a step forward, but it wouldn't differ much from having a script calling both the compose up and the script to run. Regarding the security concerns, it's the same as if you were to run any web application or any application connected to the internet. The isolation aspect is not as needed for this use case as the deploy-across-all-platforms aspect is. The script is predefined and it's not user editable, nor character injectable, and would not give the user shell access. It is only to signal the invocation of the script, avoiding the active polling and such. Thank you - Uric
My concern is about executing code in the host. Suppose that one user adds something in the container that can be executed on the host. A simple ssh -R could expose your infrastructure. Anyway, it's up to you to assume the risk, I only wanted to point it out for you to know. Also, I recommend you to read the link provided by @Duntson - Roz
I've seen it, @Roz, long before posting this question, as the topic of allowing containers to run something on the host seems like taboo for the majority, but as I answered tgogos, maybe I'm missing the command, but the script always runs on the container and not on the host. But I might be misunderstanding the command; if you guys could point me in the right direction I would greatly appreciate it. - Uric
