Automatically adjust routing table at container startup

On a Debian host I create an SSH container with the following Dockerfile:

FROM debian:latest

RUN apt-get update && \
        apt-get install --yes openssh-server

# Expose the SSH port
EXPOSE 22/tcp

# Start SSH server on container startup (exec form: no shell, so sshd is PID 1
# and receives stop signals directly). Each argument is its own array element.
CMD ["/usr/sbin/sshd", "-D", "-p", "22"]

While still keeping the “exec” form of the service launch (see Docker Best Practices: Choosing Between RUN, CMD, and ENTRYPOINT | Docker), is there a way to add the following additional IP route?

192.168.40.0/24 via 192.168.30.4 dev eth0

Currently I’m doing this by manually launching the command:

sudo ip route add 192.168.40.0/24 via 192.168.30.4

I would prefer, though, if this additional route were created automatically at each restart.

My docker info:

Client: Docker Engine - Community
 Version:    27.3.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.17.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.7
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 6
 Server Version: 27.3.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
 runc version: v1.1.14-0-g2c9f560
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-26-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.647GiB
 Name: testhost
 ID: e6ca5bef-53d1-495d-b5c9-f1102b5c10fc
 Docker Root Dir: /vmds/dockerdata
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Default Address Pools:
   Base: 192.168.30.0/24, Size: 26

Add the route on host or in container?

On the container.
To explain why I need this: one of my containers runs a VPN service with IP address range 192.168.40.0/24. What I want is that connections coming in from this VPN network are routed back through the VPN service (which has the local IP 192.168.30.4).

The exec form vs. the shell form is only about how you refer to a command in a Dockerfile, so that signals can be sent to the process in the container. You can still create a script in which you execute your command like this at the end:

exec /usr/sbin/sshd -D -p 22

The exec is required so the sshd process will take over PID 1, removing the shell process, which would not forward stop signals.

You can have any command in the shell script before that line and use the script in the CMD instruction with the exec form.

But if you only want to make sure the SSH connection is routed through the VPN, you can reuse the VPN network in the SSH container. Just an example:

docker run --network container:vpncontainername ... sshdimagename

Or in compose

network_mode: container:vpncontainername

or

network_mode: service:vpnservicename

But I think the latter works only if the two services are in the same compose project.

But in these cases, the SSH container would not have any other network, only the VPN, and the SSH container could not have port forwarding, because it doesn't have a network. And port forwarding would need to be defined for the VPN container even if it is to the SSH port.

Maybe this network_mode idea doesn’t make sense in your case.

What is the SSH container for?

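The entrypoint-script approach from the answer above, written out as an added example (this is not code from the thread or from Docker): the script adds the extra route only if its destination is not already in the table, then hands PID 1 to whatever CMD supplies via `exec`. The environment variable name `EXTRA_ROUTE`, the file name `/entrypoint.sh` and the sample route listing in the test are assumptions. Adding a route inside a container needs CAP_NET_ADMIN, so run the container with `--cap-add NET_ADMIN` (or `cap_add: [NET_ADMIN]` in compose) rather than `--privileged`.

```shell
#!/bin/sh
# Added example entrypoint (not from the original thread): add one extra route
# idempotently, then exec the real service so it becomes PID 1 and gets signals.
#
# Dockerfile wiring (assumed names):
#   COPY entrypoint.sh /entrypoint.sh
#   ENTRYPOINT ["/entrypoint.sh"]
#   CMD ["/usr/sbin/sshd", "-D", "-p", "22"]
# Run with:  docker run --cap-add NET_ADMIN ... sshdimagename
set -eu

# Route spec in `ip route add` syntax; EXTRA_ROUTE is an assumed variable name,
# the default below is the route from the question.
EXTRA_ROUTE="${EXTRA_ROUTE:-192.168.40.0/24 via 192.168.30.4}"

# route_dest ROUTE: first word of the spec, i.e. the destination prefix.
route_dest() {
    set -- $1
    printf '%s\n' "$1"
}

# route_present LISTING DEST: succeed when DEST is already the destination of a
# line in LISTING (the text of `ip route show`), so the add can be skipped.
route_present() {
    listing="$1"
    dest="$2"
    printf '%s\n' "$listing" |
        awk -v d="$dest" '$1 == d { found = 1 } END { exit found ? 0 : 1 }'
}

# ensure_route ROUTE: add ROUTE unless its destination is already routed.
# Fails (and stops the container) if the route cannot be added, e.g. when the
# container lacks CAP_NET_ADMIN; better than silently starting without it.
ensure_route() {
    route="$1"
    dest=$(route_dest "$route")
    listing=$(ip route show)
    if route_present "$listing" "$dest"; then
        echo "route $dest already present, skipping"
    else
        # shellcheck disable=SC2086  # word-splitting of the route spec is intended
        ip route add $route
        echo "added route: $route"
    fi
}

# Only act when invoked with a command to run (the CMD from the Dockerfile);
# exec replaces this shell so sshd is PID 1 and receives docker stop's SIGTERM.
if [ "$#" -gt 0 ]; then
    ensure_route "$EXTRA_ROUTE"
    exec "$@"
fi
```

The idempotency check matters on `docker restart`, where the container's network namespace may already carry the route; `ip route add` would otherwise fail with "File exists" and, under `set -e`, prevent sshd from starting. Note that `ip route show` prints host routes without a `/32` suffix, so a spec written as `10.0.0.1/32` would not match and would be re-added (which then fails as a duplicate); write such routes without the suffix.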

Many thx for the quick reaction!

I go with the “exec /usr/sbin/sshd -D -p 22” solution; that sounds exactly like what I was looking for, as I need the SSH container/service to be accessible from both networks (home & VPN).
