About container sharing host networking (--net = host, --networking=host)

Hi everyone,

I’m using docker v17.05.0-ce on a Raspberry Pi 3 Model B, and I was wondering if there is a way for a docker container to directly access a network interface on the host. I’m running my container with the option --net=host: ‘sudo docker run -it --net=host myuser/mycontainer’, and in this way I can see the interfaces inside the container, i.e. they are listed when I run ‘ifconfig’. However, when I try to make a change in one of them, for example set a different IP address running ‘ifconfig wlan0 IP netmask mask’ I get the following error:

“SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFNETMASK: Operation not permitted”

I realize that’s the same error I get when I try to alter the interface configuration on the host without being root. I ran docker using sudo so I would imagine I would have the permissions for running commands like ‘ifconfig’ in it. In the docker run reference page, there’s the following sentence: “Note: --network="host" gives the container full access to local system services such as D-bus and is therefore considered insecure.”, so I thought the container would be able to modify the settings on the host’s interface, which does not seem to be the case. My question is: Am I missing something? Is this possible at all?

Thanks in advance.

EDIT: I’ve found the answer! I needed to add one more parameter to my ‘docker run’ command. The correct way is:

  • sudo docker run -it --cap-add NET_ADMIN --net=host myuser/mycontainer

The option --cap-add NET_ADMIN adds the permissions for the container to access and configure the host’s network stack, as described in the docker run reference manual:

Thanks!
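Why the first command failed and the second worked, as an added example that is not part of the original post: --net=host only puts the container in the host's network namespace, while changing an interface address also requires the CAP_NET_ADMIN capability, which Docker's default capability set leaves out even for root in the container. The script decodes the effective capability mask (CapEff) from /proc/self/status; the function names and the two sample masks are constructed for illustration.

```shell
#!/bin/sh
# Capability number of CAP_NET_ADMIN in <linux/capability.h>.
CAP_NET_ADMIN=12

# has_cap HEXMASK CAPNUM: succeeds if bit CAPNUM is set in the hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# net_admin_verdict HEXMASK: prints "present" or "missing" for CAP_NET_ADMIN.
# "missing" is the state in which SIOCSIFADDR returns "Operation not permitted".
net_admin_verdict() {
    if has_cap "$1" "$CAP_NET_ADMIN"; then
        echo "present"
    else
        echo "missing"
    fi
}

# effective_caps [STATUS_FILE]: prints the CapEff hex mask of a process
# (defaults to the current shell).
effective_caps() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# Constructed sample masks: a typical default container capability set,
# and the same set with bit 12 (CAP_NET_ADMIN) added.
DEFAULT_MASK=00000000a80425fb
NET_ADMIN_MASK=00000000a80435fb

# Report on the current process when /proc is available.
if [ -r /proc/self/status ]; then
    mask=$(effective_caps)
    if [ -n "$mask" ]; then
        echo "CapEff=$mask CAP_NET_ADMIN $(net_admin_verdict "$mask")"
    fi
fi
```

Run it inside the container once with and once without --cap-add NET_ADMIN to compare the two masks. Granting only this capability keeps the container's privileges narrower than running it with --privileged.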