
I'd like to globally deploy a container on my swarm that applies some iptables rules to the host's networks. Specifically, I want to add rules to some overlay networks, which appear to be in a unique namespace per overlay network.

Here is my docker-compose:

version: '3.8'

services:
  test:
    image: docker
    volumes:
      # Docker API socket and the daemon's network namespace directory,
      # mounted where iproute2 expects to find named namespaces
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/run/docker/netns:/var/run/netns
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    networks:
      host_netns:
    deploy:
      mode: global
    command: sleep infinity

networks:
  host_netns:
    external:
      name: "host"

If I exec into the container and install iproute2, I can see the network namespaces:

/ # ip netns ls
default
1-n57c2x71vc (id: 0)
ingress_sbox (id: 1)

However, if I try to run iptables, I get a mounting error:

/ # ip netns exec 1-n57c2x71vc iptables -L
"mount --make-rslave /" failed: Permission denied

I'm stumped. Why is something trying to remount my root as a slave?

It may be worth mentioning that if I do a simple iptables -L, I do correctly see all of the iptables rules for my host.

Kayson
  • 219

1 Answer


It seems like a workaround is to use nsenter -n /var/run/netns/<namespace> -- iptables rather than ip netns exec. nsenter just sets the process namespace, which will work in a container that just has the two cap adds above. ip netns exec appears to do some fancier re-mounting of stuff in /etc and /sys so that the process finds network namespace links in the conventional location. For whatever reason, without --privileged, that mounting is not possible. I did try unmounting all of the ro mounts, but that didn't help.

Kayson
  • 219
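As an added example, not code from the original question or answer, here is a script for the global service the question describes. It walks the namespace directory, enters each overlay namespace with nsenter, and appends iptables rules idempotently. nsenter only calls setns(2) on the network namespace file; unlike `ip netns exec` it never unshares a mount namespace or bind-mounts over /etc and /sys, so it does not reach the `mount --make-rslave /` step that failed above. The overlay-namespace naming pattern `<digit>-<id>`, the rule set (log and drop new inbound TCP/23 on FORWARD), and the NETNS_DIR/DRY_RUN knobs are assumptions made for illustration, not anything stated on the page.

```shell
#!/bin/sh
# Apply the same iptables rules inside every Docker overlay network namespace
# visible under NETNS_DIR, using nsenter instead of `ip netns exec`.
# Example code, not from the original post. Assumptions: overlay namespaces
# are named "<digit>-<id>" (e.g. 1-n57c2x71vc); the rules below are made up.
set -eu

NETNS_DIR="${NETNS_DIR:-/var/run/netns}"   # bind mount of /var/run/docker/netns
DRY_RUN="${DRY_RUN:-0}"                    # 1 = print commands instead of running

# run_cmd CMD...: execute the command, or print it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# netns_exec NAME CMD...: run CMD inside the network namespace file NETNS_DIR/NAME.
# The long form --net=FILE is used because -n takes an *optional* argument, so
# "-n FILE" would not attach the file. Only setns(2) on the net namespace is
# done; no mount namespace is unshared and nothing is remounted.
netns_exec() {
    ns="$1"; shift
    run_cmd nsenter --net="$NETNS_DIR/$ns" -- "$@"
}

# is_overlay_ns NAME: true for overlay sandboxes named "<digit>-<id>" (assumed
# pattern); default, ingress_sbox and lb_* sandboxes are skipped.
is_overlay_ns() {
    case "$1" in
        [0-9]-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# ensure_rule NAME TABLE CHAIN RULE...: append RULE only if it is not already
# present (-C), so a restarted global service does not duplicate rules.
# -w waits for the xtables lock instead of failing when another iptables runs.
ensure_rule() {
    ns="$1"; table="$2"; chain="$3"; shift 3
    if [ "$DRY_RUN" = "1" ] || \
       ! netns_exec "$ns" iptables -w -t "$table" -C "$chain" "$@" 2>/dev/null; then
        netns_exec "$ns" iptables -w -t "$table" -A "$chain" "$@"
    fi
}

# apply_to_all_overlays: constructed example policy applied to each overlay:
# log, then drop, new inbound TCP/23 forwarded through the overlay.
apply_to_all_overlays() {
    for path in "$NETNS_DIR"/*; do
        [ -e "$path" ] || continue
        ns="${path##*/}"
        is_overlay_ns "$ns" || continue
        ensure_rule "$ns" filter FORWARD -p tcp --dport 23 \
            -m conntrack --ctstate NEW -j LOG --log-prefix "overlay-telnet: "
        ensure_rule "$ns" filter FORWARD -p tcp --dport 23 \
            -m conntrack --ctstate NEW -j DROP
    done
}

# Usage inside the global-mode container: ./apply_rules.sh --apply
# (DRY_RUN=1 ./apply_rules.sh --apply prints the nsenter/iptables commands).
case "${1:-}" in
    --apply) apply_to_all_overlays ;;
esac
```

Because `-C` runs through nsenter as well, the check happens in the same namespace as the append, and re-running the service after a node restart is safe. If you later need a per-namespace /etc/resolv.conf or /sys view for a tool, that is the case where `ip netns exec`'s mount dance matters; plain iptables does not need it.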