How do I access host network namespaces from inside a container deployed in a swarm?

kaysond · January 16, 2021, 8:39pm

I’d like to globally deploy a container on my swarm that applies some iptables rules to the host’s networks. Specifically, I want to add rules to some overlay networks, which appear to be in a unique namespace per overlay network.

Here is my docker-compose:

version: '3.8'

services:
  test:
    image: docker
    volumes:
     - /var/run/docker.sock:/var/run/docker.sock
     - /var/run/docker/netns:/var/run/netns
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    networks:
      host_netns:
    deploy:
      mode: global
    command: sleep infinity

networks:
  host_netns:
   external:
     name: "host"

If I exec into the container and install iproute2, I can see the network namespaces:

/ # ip netns ls
default
1-n57c2x71vc (id: 0)
ingress_sbox (id: 1)

However, if I try to run iptables, I get a mounting error:

/ # ip netns exec 1-n57c2x71vc iptables -L
"mount --make-rslave /" failed: Permission denied

I’m stumped. Why is something trying to remount my root as a slave?

It may be worth mentioning that if I do a simple iptables -L, I do correctly see all of the iptables rules for my host.

Topic		Replies	Views
Docker Overlay run on Host? Swarm	0	520	August 29, 2019
IPtables inside container in Swarm mode Swarm swarm	0	994	October 11, 2018
How to check the network namespace with overlay networking General	7	11632	July 9, 2016
Host Network on Swarm: Service Discovery and Communication with other Services Swarm docker , swarm	8	3852	July 10, 2023
Access services running on the host machine inside a Swarm-managed container Swarm networking , linux	1	13	November 13, 2024

How do I access host network namespaces from inside a container deployed in a swarm?

Related topics