19

Is there any way possible to exec a command from inside one docker container in the linked docker container? I don't want to exec the command from the host.

1

3 Answers

5

As long as you have access to something like the docker socket within your container, you can run any command inside any docker container, doesn't matter whether or not it is linked. For example:

# run a container and link it to `other`
docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock \
           --link other:other myimage bash -l
bash$ docker exec -it other echo hello

This works even if the link was not specified.


5 Comments

Doing this allows anything running in the container to take control of the host machine.
@ChrisPitman yeah, obviously containers are just like any other binaries, don't run something you don't trust. I don't think that's relevant in any way.
There is a difference between "be careful about what you run" and "we implemented a trivial container escape vulnerability". This is equivalent to allowing users anonymous ssh to your servers because no one unauthorized should have access to your network.
This is a common practice, it's even endorsed by docker engineers: nathanleclaire.com/blog/2014/07/12/…
There is a problem with this approach. By mounting a docker socket on a container, a container will immediately see all exposed ports from other containers (the same as host does), which is not ideal for things like dockerize and wait-for-it since you lose the ability to wait for the ports to get "ready".
1

With docker-compose:

version: '2.1'

services:

  site:
    image: ubuntu
    container_name: test-site
    command: sleep 999999

  dkr:
    image: docker
    privileged: true
    working_dir: "/dkr"
    volumes:
      - ".:/dkr"
      - "/var/run/docker.sock:/var/run/docker.sock"
    command: docker ps -a

Then try:

docker-compose up -d site
docker-compose up dkr

result:

Attaching to tmp_dkr_1
dkr_1   | CONTAINER ID        IMAGE                             COMMAND                  CREATED                  STATUS                   PORTS                     NAMES
dkr_1   | 25e382142b2e        docker                            "docker-entrypoint..."   Less than a second ago   Up Less than a second                              tmp_dkr_1

Example Project

https://github.com/reduardo7/docker-container-access


0

As "Abdullah Jibaly" said, you can do that, but there are some security issues you have to consider. There is also a Docker SDK to use, and Python applications can use the Docker SDK for Python.
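
The socket mount in the first answer and the `privileged: true` plus socket mount in the compose answer both give a container control of the Docker daemon, which is the concern raised in the comments. As an added example (not code from any of the answers), this Python audit reads `docker inspect` JSON and flags such containers; the sample data is constructed, and `audit` and `SOCKET_PATHS` are names made up here.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields the audit reads. Container names mirror the ones used on this page;
# "monitor" is a made-up third container.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/tmp_dkr_1",
   "HostConfig": {"Privileged": true},
   "Mounts": [
     {"Type": "bind", "Source": "/var/run/docker.sock",
      "Destination": "/var/run/docker.sock", "RW": true}]},
  {"Name": "/test-site",
   "HostConfig": {"Privileged": false},
   "Mounts": []},
  {"Name": "/monitor",
   "HostConfig": {"Privileged": false},
   "Mounts": [
     {"Type": "bind", "Source": "/run/docker.sock",
      "Destination": "/tmp/d.sock", "RW": false}]}
]
""")

# /var/run is normally a symlink to /run, so both spellings reach the same socket.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit(containers):
    """Return {container_name: [findings]} for containers that can drive the daemon."""
    report = {}
    for c in containers:
        findings = []
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append("privileged")
        for m in c.get("Mounts") or []:
            # Match on the host-side Source: the in-container path can be renamed.
            if m.get("Source") in SOCKET_PATHS:
                # A read-only bind mount still permits connecting to the socket,
                # so "ro" is reported rather than treated as safe.
                mode = "rw" if m.get("RW") else "ro"
                findings.append(f"docker.sock mounted at {m.get('Destination')} ({mode})")
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

On a real host, the input would be the JSON printed by `docker inspect $(docker ps -q)` instead of the embedded sample.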
