I have a project where I read system information from the host inside a container. Right now I got CPU, RAM and Storage to work, but Network turns out to be a little harder. I am using the Node.js library https://systeminformation.io/network.html, which reads the network stats from /sys/class/net/
.
The only solution that I found right now, is to use --network host
, but that does not seem like the best way, because it breaks a lot of other networking related stuff and I cannot make the assumption that everybody who uses my project is fine with that.
I have tried --add-host=host.docker.internal:host-gateway
as well, but while it does show up in /etc/hosts
, it does not add a network interface to /sys/class/net/
.
My knowledge on Docker and Linux is very limited, so does someone know if there is any other way?
My workaround for now is, to use
readlink -f /sys/class/net/$(ip addr show | awk '/inet.*brd/{print $NF; exit}')
to get the final path to the network statistics of the default interface and mount it to a imaginary path in the container. Therefore I don’t use the mentionedsysteminformation
library for that right now. I would still like to have something that is a bit more reliable and in the best case officially supported by docker. I am fine with something that is not compatible withsysteminformation
, though.
3
Answers
You could mount the host’s
/sys/class/net/
directory as a volume in your container and patch thesysteminformation
package to read the contents of your custom path instead of the default path. The changes would need to be made inlib/network.js
. You can see in that file how the directory is hardcoded throughout, just do a find/replace in your local copy to change all instances of the default path.An easy way is to mount the whole "/sys" filesystem of the host into the container. Either mount them to a new location (e.g. /sys_host) or over-mount the original "/sys" in the container:
Please be aware that this way the container has access to the whole "/sys" filesystem of the host. The relative links from the network interface to the pci device still work.
If you don’t need to write you should mount it read-only by appending ":ro" to the mounted path.
There is a way to enter the host network namespace after starting the container. This can be used to run one process in the container in the container network namespace and another process in the host network namespace. Communication between the processes can be done using a unix domain socket.
Alternatively you can just mount a new instance of the sysfs which points to the host network namespace. If I understood correctly this is what you really need.
For this to work you need access to the host
net
namespace (I mount /proc/1/ns/net to the container for this purpose). Additionally the capabilities CAP_SYS_PTRACE and CAP_SYS_ADMIN are needed.Putting this together for non-interactive usage:
Use the
docker run
with the following parameters:docker run -it --rm --cap-add CAP_SYS_PTRACE --cap-add CAP_SYS_ADMIN -v /proc/1/ns/net:/host_ns_net:ro debian:bullseye-slim bash
Execute these commands in the container before starting your node app:
After nsenter (and mount) exits, you are back in the network namespace of the container. In theory you could drop the extended capabilities now.
Now you can access the network devices under /sys2/class/net.