I'm trying to route all traffic of a docker container through mitmproxy
running in another docker container. In order for mitmproxy
to work, I have to change the gateway IP of the original docker container.
Here is an example of what I want to do, but I want to restrict this to be entirely inside docker
containers.
Any thoughts on how I might be able to do this? Also, I want to avoid running either of the two docker containers in privileged mode.
On windows, a container defaults to using two CPUs. If hyperthreading is available this is one core and two logical processors. If hyperthreading is not available this is two cores and two logical processors. On linux, a container defaults to using all available CPUs of the host.
Singularity can also start containers directly from Docker images, opening up access to a huge number of existing container images available on Docker Hub and other registries.
Although the M1 version docker desktop allows users to run x86 docker images under emulation, it will be a more efficient solution to offer your software as a “universal” Multi-Arch docker image that can serve both your ARM (M1) and x86 users.
Users get access to free public repositories for storing and sharing images or can choose a subscription plan for private repositories. Docker Hub provides the following major features: Repositories: Push and pull container images. Teams & Organizations: Manage access to private repositories of container images.
The default capability set granted to containers does not allow a container to modify network settings. By running in privileged mode, you grant all capabilities to the container -- but there is also an option to grant individual capabilities as needed. In this case, the one you require is called CAP_NET_ADMIN (full list here: http://man7.org/linux/man-pages/man7/capabilities.7.html), so you could add --cap-add NET_ADMIN
to your docker run command.
Make sure to use that option when starting both containers, since they both require some network adjustments to enable transparent packet interception.
In the "proxy" container, configure the iptables pre-routing NAT rule according to the mitmproxy
transparent mode instructions, then start mitmproxy
(with the -T
flag to enable transparent mode). I use a small start script as the proxy image's entry point for this since network settings changes occur at container runtime only and cannot be specified in a Dockerfile or otherwise persisted.
In the "client" container, just use ip route
commands to change the default gateway to the proxy container's IP address on the docker bridge. If this is a setup you'll be repeating regularly, consider using an entry point script on the client image that will set this up for you automatically when the container starts. Container linking makes that easier: you can start the proxy container, and link it when starting the client container. Then the client entry point script has access to the proxy container's IP via an environment variable.
By the way, if you can get away with using mitmproxy in non-transparent mode (configure the client explicitly to use an HTTP proxy), I'd highly recommend it. It's much less of a headache to set up.
Good luck, have fun!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With