
I'd like to globally deploy a container on my swarm that applies some iptables rules to the host's networks. Specifically, I want to add rules to some overlay networks, which appear to be in a unique namespace per overlay network.

Here is my docker-compose:

version: '3.8'

services:
  test:
    image: docker
    volumes:
     - /var/run/docker.sock:/var/run/docker.sock
     - /var/run/docker/netns:/var/run/netns
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    networks:
      host_netns:
    deploy:
      mode: global
    command: sleep infinity

networks:
  host_netns:
   external:
     name: "host"

If I exec into the container and install iproute2, I can see the network namespaces:

/ # ip netns ls
default
1-n57c2x71vc (id: 0)
ingress_sbox (id: 1)

However, if I try to run iptables, I get a mounting error:

/ # ip netns exec 1-n57c2x71vc iptables -L
"mount --make-rslave /" failed: Permission denied

I'm stumped. Why is something trying to remount my root as a slave?

It may be worth mentioning that if I do a simple iptables -L, I do correctly see all of the iptables rules for my host.

  • "I'd like to globally deploy a container on my swarm that applies some iptables rules to the host's networks." I don't think this is possible (or advisable). Also, have a look at the existing `iptables` rules that docker uses, they are already pretty complicated. Even if you could add non-local rules from inside a container, you'd likely break lots of things. If this is an XY-question (I want to X, and I think I need Y, which is custom iptables rules), please explain which problem X you really want to solve. – dirkt Jan 17 '21 at 09:35
  • Well it's certainly possible in the default namespace (just running `iptables -L` in that container setup shows the host's iptables). You're correct that docker already adds its own iptables rules, and the rules I'm adding are on their own chain to which the DOCKER-USER chain jumps. This avoids any problems with docker-managed rules. The container already works without swarm, and doesn't break anything. It just needs `--privileged` which isn't currently supported by swarm. – Kayson Jan 17 '21 at 20:04

1 Answer

It seems like a workaround is to use `nsenter -n /var/run/netns/<namespace> -- iptables` rather than `ip netns exec`. `nsenter` just sets the process namespace, which will work in a container that just has the two cap adds above. `ip netns exec` appears to do some fancier re-mounting of stuff in /etc and /sys so that the process finds network namespace links in the conventional location. For whatever reason, without `--privileged`, that mounting is not possible. I did try unmounting all of the ro mounts, but that didn't help.

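The nsenter approach from the answer, written out as an added example script (not code from the original post): it enumerates the overlay namespaces under the bind-mounted netns directory, skips `default` and `ingress_sbox`, and applies rules idempotently with `iptables -C` before `-A`. It uses nsenter's `--net=<path>` long-option form; the chain name `SWARM-USER`, the sample rule and the `DRY_RUN`/`NETNS_DIR` variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example: apply iptables rules inside each overlay network namespace
# via `nsenter --net=<path>`, which only switches the child's net namespace
# and does none of the /etc and /sys remounting that `ip netns exec` needs.
# Assumes the compose file above: /var/run/docker/netns is mounted at
# /var/run/netns and the container has CAP_NET_ADMIN + CAP_SYS_ADMIN.

NETNS_DIR="${NETNS_DIR:-/var/run/netns}"
CHAIN="${CHAIN:-SWARM-USER}"   # hypothetical chain name
DRY_RUN="${DRY_RUN:-0}"        # 1 = print commands instead of running them

# Overlay namespaces are named "<id>-<netid>" (e.g. 1-n57c2x71vc);
# "default" and the "ingress_sbox" sandbox are skipped.
list_overlay_netns() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        n=$(basename "$f")
        case "$n" in
            [0-9]*-*) printf '%s\n' "$n" ;;
        esac
    done
}

# Run iptables inside one namespace (no mounts are touched).
in_ns() {
    ns="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf 'nsenter --net=%s/%s -- iptables %s\n' "$NETNS_DIR" "$ns" "$*"
    else
        nsenter --net="$NETNS_DIR/$ns" -- iptables "$@"
    fi
}

# Idempotent append: only add the rule when -C says it is missing,
# so re-running the global service does not duplicate rules.
ensure_rule() {
    ns="$1"; shift
    if [ "$DRY_RUN" = 1 ] || ! in_ns "$ns" -C "$@" 2>/dev/null; then
        in_ns "$ns" -A "$@"
    fi
}

apply_to_all() {
    for ns in $(list_overlay_netns "$NETNS_DIR"); do
        in_ns "$ns" -N "$CHAIN" 2>/dev/null   # chain may already exist
        ensure_rule "$ns" FORWARD -j "$CHAIN"
        ensure_rule "$ns" "$CHAIN" -m conntrack --ctstate INVALID -j DROP
    done
}
```

Run `DRY_RUN=1 sh script.sh && apply_to_all` first to see the exact nsenter commands before applying them.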