Skip to content
Neil Cresswell, CEOJuly 24, 20221 min read

Root Console to a Host via Portainer?

So, you have Portainer running in your environment, you are remote, enjoying a long overdue holiday or something suitably glamorous, and now disaster strikes... you need to access your Docker/Kubernetes Hosts, but you forgot your SSH keys...

What can you do? You have Portainer running, you are an admin, so how can you get a console on the hosts?

Well, due to the nature of Docker (and to a lesser extent, Kubernetes) containers BY DEFAULT have near unlimited access to the host (its why security is so critical).

Let me show you what i mean.

In Portainer, click on Containers, and then click to "+ Add Container".

Use the image "busybox:latest" (or another of your preference)

In the bottom of the window, "advanced container settings" select console mode " Interactive & TTY"

Set a bind mount of /host in the container to / on the host

Set the permissions to "privileged"

Deploy the container.

Now, console into the container (for busybox, change the console to /bin/sh).

Type the command chroot /host to change your default root path to be /host (which is the bind mount to the host fs)

The container is now running as root on the host and you can run commands againt the host.

As an example, you can type "echo 3 > /proc/sys/vm/drop_caches" to flush the memory caches .. or you can reboot the host using "reboot now"

So this is a really quick and easy way to get root console access to your hosts..

Dangerous? Yes, or course, and its why (by default) in Portainer we DISABLE this capability for non-admin users.

Regardless, if you are remote, a Portainer admin, and you need to quickly gain access to your hosts, this does the trick.



Neil Cresswell, CEO

Neil brings more than twenty years’ experience in advanced technology including virtualization, storage and containerization.


Related articles