Possible to connect container to another container's network after creation?

I am working on a Docker setup using mitmproxy for network logging, to allow a containerized Docker build environment to get all its network accesses audited. In this setup, build-container is the container doing the build, and proxy-client is the container with the proxy WireGuard tunnel (and a default route sending all traffic into that tunnel).

I have been able to get it working using this kind of technique:

docker container run --detach --cap-add NET_ADMIN --tty -it --network container:proxy-client --name build-container build-container-image

This works great; the proxy-client container has the tunnelling network setup, and the build-container just uses that tunnelling network.

But I now need to deploy this in a system where build-container gets created first, before the proxy-client container. (The build-container setup is part of a pre-existing system that I can’t easily change.)

Fine, I thought, I’ll just remove the system-created build-container from its “birth network”, and I’ll add it to the proxy-client container’s network with:

docker network connect container:proxy-client build-container

Unfortunately, this doesn’t work. The error is:

Error response from daemon: network container:proxy-client not found

It seems that docker network connect doesn’t support the container:[container-name] syntax for specifying another container’s network. But I haven’t been able to find any definitive answer to this in Docker documentation.

Is it the case that the container:[container-name] network syntax only works with docker run? Is there any other way to dynamically add a container to another container’s network?

(I know I could possibly create a second bridge network, or something, but I’m not too confident in being able to make that work with the WireGuard setup I have working today.)

Thanks!

You can find out what network proxy-client is on using docker container inspect, and then connect build-container to it by using the syntax docker network connect NETWORK proxy-client. Something like this:

PCNETWORK=$(docker container inspect proxy-client --format='{{range $key, $value := .NetworkSettings.Networks}}{{$key}}{{end}}')
OLDBUILDNETWORK=$(docker container inspect build-container --format='{{range $key, $value := .NetworkSettings.Networks}}{{$key}}{{end}}')
docker network connect $PCNETWORK build-container
docker network disconnect $OLDBUILDNETWORK build-container

Thanks for the suggestion. However, when I create the build container using --network container:proxy-client and then inspect the build container, this is what it shows for its network:

        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "",
            "SandboxKey": "",
            "Ports": {},
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {}
        }

In other words, this build container – when created with docker container run --network container:proxy-client – says it has no network. So there is something special, different, and a bit puzzling about the docker container run --network container:[other-container] syntax specifically, and it doesn’t currently seem possible to achieve the same effect with docker network connect.

I confirmed this by doing as you suggest: I tried adding the build container to the same network that the proxy client container is on. But this doesn’t work. The setup here involves the proxy client container setting up default forwarding rules to send all traffic to the proxy.

  • If I add the build container to the proxy container’s own internal network with docker run --network container:proxy-client, then the build container’s network traffic sees and follows those same forwarding rules, and all traffic from the build container goes through the proxy.
  • But if I just add the build container to the bridge network (which the proxy client is on), the proxy client’s own network setup is ignored, and the build container doesn’t use the proxy at all.

So I appreciate the suggestion, but it doesn’t unblock me. Does anyone know what exactly docker run --network container:[other-container] does, or how to achieve the same effect after container creation?

Ah, I see the problem now. docker run --network container:[other-container] causes the new container to share the network namespace of other-container, which means that the two containers share the same network interface(s). They have the same IP address(es), and can address each other via localhost. Any rules defined in one container also apply to the other. This is more than just connecting the two containers to the same network, and can only be done at the time of container creation.

I seem to remember this feature being better documented in the past. For now, the only mention I can find is on this page, where it just says “you can attach a container to another container’s networking stack directly” (emphasis mine).

I think what you are trying to do will work even if the proxy-client container is created after the build-container. So, just create proxy-client with docker container run --detach --cap-add NET_ADMIN --network container:build-container --name proxy-client proxy-client-image, and it should work the same.

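For anyone deploying this pattern as an audit control, the thing worth verifying afterwards is that the build container really does share one network namespace with the proxy container, in whichever order the two were created. The script below is an added example, not code from this thread or from Docker; it reads docker inspect output and follows the HostConfig.NetworkMode field (which holds container:&lt;id&gt; for a container started with --network container:...), together with State.Running and NetworkSettings.Networks. The inspect documents embedded here are constructed and trimmed to the fields the check uses, and the container IDs are made up. It covers both orderings discussed above: build-container joining proxy-client's namespace, and proxy-client joining build-container's.

```python
"""Verify that two containers share a network namespace, from `docker inspect` JSON.

Added example. Assumes Docker's inspect fields HostConfig.NetworkMode
(value "container:<id>" for containers started with --network container:...),
State.Running and NetworkSettings.Networks. Sample documents are constructed.
"""
import json

NS_PREFIX = "container:"


def container_doc(cid, name, network_mode, networks, running=True):
    """Build a trimmed, constructed stand-in for one `docker inspect` entry."""
    return {
        "Id": cid,
        "Name": "/" + name,
        "State": {"Running": running},
        "HostConfig": {"NetworkMode": network_mode},
        # A container sharing another's namespace reports no networks of its own,
        # exactly as the inspect output quoted in the thread shows.
        "NetworkSettings": {"Networks": networks},
    }


# Constructed IDs; real ones are 64 hex characters.
PROXY_ID = "proxyid0000000000000001"
BUILD_ID = "buildid0000000000000002"

# Case 1 (thread's original working setup): build-container created with
# --network container:proxy-client, proxy-client on the bridge.
SAMPLE_BUILD_JOINS_PROXY = json.dumps([
    container_doc(PROXY_ID, "proxy-client", "bridge", {"bridge": {}}),
    container_doc(BUILD_ID, "build-container", NS_PREFIX + PROXY_ID, {}),
])

# Case 2 (last answer's suggestion): proxy-client created afterwards with
# --network container:build-container.
SAMPLE_PROXY_JOINS_BUILD = json.dumps([
    container_doc(BUILD_ID, "build-container", "bridge", {"bridge": {}}),
    container_doc(PROXY_ID, "proxy-client", NS_PREFIX + BUILD_ID, {}),
])

# Case 3 (the `docker network connect` attempt): both on the same bridge,
# separate namespaces, so the proxy's forwarding rules do not apply.
SAMPLE_SAME_BRIDGE = json.dumps([
    container_doc(PROXY_ID, "proxy-client", "bridge", {"bridge": {}}),
    container_doc(BUILD_ID, "build-container", "bridge", {"bridge": {}}),
])


def load_containers(inspect_json):
    """Index inspect entries by full ID and by name (without the leading '/')."""
    by_ref = {}
    for doc in json.loads(inspect_json):
        by_ref[doc["Id"]] = doc
        by_ref[doc["Name"].lstrip("/")] = doc
    return by_ref


def namespace_owner(name, by_ref):
    """Return the name of the container whose network namespace `name` lives in.

    A container in "container:<ref>" mode has no namespace of its own; the
    referenced container owns it. Any other mode means the container owns its own.
    """
    doc = by_ref[name]
    mode = doc["HostConfig"]["NetworkMode"]
    if not mode.startswith(NS_PREFIX):
        return doc["Name"].lstrip("/")
    ref = mode[len(NS_PREFIX):]
    if ref not in by_ref:
        raise LookupError(f"{name} refers to unknown container {ref!r}")
    return by_ref[ref]["Name"].lstrip("/")


def audit_shared_namespace(inspect_json, build="build-container", proxy="proxy-client"):
    """Return (ok, findings): ok is True only if build and proxy share one
    namespace whose owner is running and attached to a Docker network."""
    by_ref = load_containers(inspect_json)
    findings = []
    for name in (build, proxy):
        if name not in by_ref:
            findings.append(f"container {name!r} not present in inspect output")
    if findings:
        return False, findings
    try:
        build_owner = namespace_owner(build, by_ref)
        proxy_owner = namespace_owner(proxy, by_ref)
    except LookupError as err:
        return False, [str(err)]
    if build_owner != proxy_owner:
        findings.append(
            f"{build} uses the namespace of {build_owner!r} but {proxy} uses "
            f"{proxy_owner!r}: build traffic bypasses the proxy's forwarding rules"
        )
        return False, findings
    owner = by_ref[build_owner]
    if not owner["State"]["Running"]:
        findings.append(f"namespace owner {build_owner!r} is not running")
    if not owner["NetworkSettings"]["Networks"]:
        findings.append(f"namespace owner {build_owner!r} is attached to no Docker network")
    return not findings, findings


if __name__ == "__main__":
    for label, sample in (("build joins proxy", SAMPLE_BUILD_JOINS_PROXY),
                          ("proxy joins build", SAMPLE_PROXY_JOINS_BUILD),
                          ("same bridge only", SAMPLE_SAME_BRIDGE)):
        ok, findings = audit_shared_namespace(sample)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```

Against a live host, feed it the output of docker container inspect proxy-client build-container; the check passes for either creation order and fails for the bridge-only arrangement, which is the distinction the thread arrived at.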