Docker Community Forums

Share and learn in the Docker community.

How do I access host network namespaces from inside a container deployed in a swarm?

I’d like to globally deploy a container on my swarm that applies some iptables rules to the host’s networks. Specifically, I want to add rules to some overlay networks, which appear to be in a unique namespace per overlay network.

Here is my docker-compose:

version: '3.8'

services:
  test:
    image: docker
    volumes:
     - /var/run/docker.sock:/var/run/docker.sock
     - /var/run/docker/netns:/var/run/netns
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    networks:
      host_netns:
    deploy:
      mode: global
    command: sleep infinity

networks:
  host_netns:
   external:
     name: "host"

If I exec into the container and install iproute2, I can see the network namespaces:

/ # ip netns ls
default
1-n57c2x71vc (id: 0)
ingress_sbox (id: 1)

However, if I try to run iptables, I get a mounting error:

/ # ip netns exec 1-n57c2x71vc iptables -L
"mount --make-rslave /" failed: Permission denied

I’m stumped. Why is something trying to remount my root as a slave?

It may be worth mentioning that if I do a simple iptables -L, I do correctly see all of the iptables rules for my host.