Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Docker Container's network interface in promiscuous mode

Tags:

docker

networking

containers

promiscuous-mode

compose a 3 services architecture and a virtual bridged network on which the three services are attached. I want one of the container to be able to listen to all the traffic within the virtual network (promiscuous mode). Is it possible? I've tried almost everything but nothing seems to be working.

What I've tried:

  • Giving full privileges to the container
  • Setting the container eth0 interface to promiscuous (ifconfig eth0 promisc)
  • restart the network manager inside the container
  • setting the veth relative to container in promiscuous mode from the host machine
  • modify the mode from "bridge" to "passthru" in the macvlan configuration from the pipework script
  • setting the container as gateway in the network properties of the docker-compose file

many of the above attempts results in the container's eth0 interface to "think" it is in promiscuous mode, in fact both ifconfig and syslog (from the host) say it is, but the container still sees only its own traffic.

I'm using Docker 1.11 and the base image inside the container is Ubuntu 14.04:latest

Below is listed my docker-compose file Thanks in advance

docker-compose.yml

version: '2'

networks:

  snort_net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/24
          gateway: 172.19.0.3

services:

   mysql:
     build:
       context: .
       dockerfile: MySql/MySqlFile
     environment:
       - MYSQL_ALLOW_EMPTY_PASSWORD=yes
     networks:
       snort_net:
         ipv4_address: 172.19.0.2

   snort:
     build:
       context: .
       dockerfile: Snort/SnortFile
     depends_on:
       - snorby
     env_file:
       - Snort/snort_variables.env
     networks:
       snort_net:
         ipv4_address: 172.19.0.3
     expose:
       - "80"
       - "21"
     ports:
       - "10100:80"
       - "10101:80/udp"
       - "21:21"
     cap_add:
       - NET_ADMIN
     privileged: true


   snorby:
     build:
       context: .
       dockerfile: Snorby/SnorbyFile
     depends_on:
       - mysql
     env_file:
       - Snorby/snorby_variables.env
     networks:
       snort_net:
         ipv4_address: 172.19.0.4
     ports:
       - "3000:3000"
like image 595
Aenon Avatar asked Oct 19 '16 11:10

Aenon

People also ask

What is promiscuous mode Docker?

Promiscuous mode is a security policy which can be defined at the virtual switch or portgroup level in vSphere ESX/ESXi. A virtual machine, Service Console or VMkernel network interface in a portgroup which allows use of promiscuous mode can see all network traffic traversing the virtual switch.

Can Docker container have multiple network interfaces?

You can create multiple networks with Docker and add containers to one or more networks. Containers can communicate within networks but not across networks. A container with attachments to multiple networks can connect with all of the containers on all of those networks.

Can a Docker container use multiple threads?

Think of a Docker container as a lightweight isolated environment, akin to a virtual environment, where you can run a program/service. This service can run multiple threads, all launched from the parent program - it is still one service running on a single Docker container.

How do I create a Docker Macvlan network?

To create a macvlan network which bridges with a given physical network interface, use --driver macvlan with the docker network create command. You also need to specify the parent , which is the interface the traffic will physically go through on the Docker host.

1 Answers

i am able to get it working with below command while creating container as i decided to switch off to listen for all traffic

administrator@gitlabrunner-prod01:~$ docker run --rm --privileged -t -d -p 23:22 --name ubuntu ubuntu
like image 63
Mansur Ul Hasan Avatar answered Oct 20 '22 13:10

Mansur Ul Hasan
Sign in to Comment

Related questions

How to get docker container ID from within the container with cgroup v2
Port-forwarded Rails app in Docker seems to cause CSRF exception
JVM Memory Allocation In Docker (LXC) Container
How do I make docker-compose on OS X work with a Play app?
GitLab-CI multi runner start docker container
Docker can't write to directory mounted using -v unless it has 777 permissions
How can I attach VS Code to a node process running in a docker container
Download all dependencies, plugin dependencies, compilers, etc. with Maven?
Named pipes in docker container folder mounted to mac os x file system through boot2docker
npm install shows colors during install on Docker Hub
How to run a service on AWS ECS with container overrides?
Docker Maven Spotify plugin - Possible to switch to non-secure registry
Composer Install (own Container) with Docker missing PHP Extensions
Dockerized MongoDB on Heroku?
Device mapping to container in docker lacks info

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!