The docker reach-around: hacking containers for fun and profit
OK. Those who know me know I use the term ‘hacker’ in the original RFC 1392 sense of the word, “A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular”, and not in the Hollywood “This is Unix, I know this” sense, where someone can just guess the password. It means extending a system in a way it was not originally intended.
So, containers. You build them with the fewest files you can (cuz size, cuz security). You’d never think to put ‘ssh’ or ‘vim’ or ‘sudo’ in there. But then you need to debug why the $!#* thing won’t do what you want. Sure, you could enter into an endless stream of ‘build/push/run/exec’. Or you could add these files ‘for dev only’ and promise yourself you’d remove them later.
But why not cheat? This is Unix, we know this! First, find the container:
$ docker ps
CONTAINER ID   IMAGE                                 COMMAND                  CREATED        STATUS         PORTS   NAMES
5ca0e51472b7   us.gcr.io/corp-202415/taiga_backend   "/scripts/entrypoint…"   16 hours ago   Up 9 minutes           taiga_backend
Now find where it’s mounted:
$ docker inspect 5ca0e51472b7 | grep DeviceName
"DeviceName": "docker-253:1-5636841-75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491",
$ mount | grep 75947de5cd473
/dev/mapper/docker-253:1-5636841-75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491 on /var/lib/docker/devicemapper/mnt/75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491 type xfs (rw,relatime,nouuid,attr2,inode64,logbsize=128k,sunit=256,swidth=256,noquota)
Now let’s just sneak in there, as root (everything after the chroot runs inside the container’s filesystem):
sudo chroot /var/lib/docker/devicemapper/mnt/75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491/rootfs
echo nameserver 220.127.116.11 > /etc/resolv.conf
apt install sudo
echo myuser ALL=NOPASSWD: ALL > /etc/sudoers.d/myuser
and bingo, we can run sudo inside the container now. Or skip the chroot and just edit files under that path directly as needed.
There, in the few minutes of your life I just gave you back, you can watch:
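To make the “find the mount” step repeatable, here is an added example (mine, not from the post) that parses the host’s mount table for the DeviceName that docker inspect reports and checks that a rootfs is actually there. The sample mount lines are constructed from the output above; the helper names, the docker inspect template, and the assumption that the host uses the devicemapper storage driver (overlay2 reports a MergedDir in GraphDriver.Data instead) are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Resolve a devicemapper-backed
# container's rootfs on the host from its DeviceName plus the mount table.

# Constructed sample of `mount` output, based on the post's own line.
SAMPLE_MOUNTS='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/mapper/docker-253:1-5636841-75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491 on /var/lib/docker/devicemapper/mnt/75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491 type xfs (rw,relatime,nouuid,attr2,inode64,logbsize=128k,sunit=256,swidth=256,noquota)'

# rootfs_from_mounts MOUNT_TABLE DEVICE_NAME  (hypothetical helper)
# Prints "<mountpoint>/rootfs" for the mount whose device is
# /dev/mapper/DEVICE_NAME; prints nothing and returns 1 if there is none.
# Exact match on field 1 avoids picking up a different device whose name
# merely contains the hash (what a bare grep would do).
rootfs_from_mounts() {
    mounts=$1
    device=$2
    mnt=$(printf '%s\n' "$mounts" | awk -v dev="$device" '
        $1 == "/dev/mapper/" dev && $2 == "on" { print $3; exit }')
    [ -n "$mnt" ] || return 1
    printf '%s/rootfs\n' "$mnt"
}

# container_rootfs CONTAINER_ID  (hypothetical helper; needs docker + root)
# Live version of the post's two manual steps, then verifies the path
# really exists before anyone chroots into it.
container_rootfs() {
    dev=$(docker inspect --format '{{.GraphDriver.Data.DeviceName}}' "$1") \
        || return 1
    path=$(rootfs_from_mounts "$(mount)" "$dev") || return 1
    [ -d "$path" ] || { echo "no rootfs at $path" >&2; return 1; }
    printf '%s\n' "$path"
}

# Offline demonstration on the constructed sample.
rootfs_from_mounts "$SAMPLE_MOUNTS" \
    "docker-253:1-5636841-75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491"
```

Anything edited through that path is a change to the container's writable layer only: it shows up in `docker diff <id>` and is gone the next time the container is recreated from the image.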