Skip to content
Securely manage Docker, Swarm, Kubernetes and Podman clusters in the cloud, on-premise, and in the data center.
Secure app deployment and device management for your Industrial IoT, IoT and Edge devices.
Let Portainer's Managed Platform Services accelerate your containerization journey.
Manage all your Docker, Swarm, Kubernetes and Podman clusters from a single secure interface.
Portainer empowers Platform Engineering teams to deliver efficient, user-centric services.
Empower your business by adopting containerization the easy way with Portainer.
Deploy to and manage your fleet of remote devices centrally and securely.
Onboard, manage and deploy workloads across hundreds of devices securely with Portainer.
Deployment scenarios
Partner Solutions
blog-banner
Neil Cresswell, CEOJuly 24, 20221 min read

Root Console to a Host via Portainer?

So, you have Portainer running in your environment, you are remote, enjoying a long overdue holiday or something suitably glamorous, and now disaster strikes... you need to access your Docker/Kubernetes Hosts, but you forgot your SSH keys...

What can you do? You have Portainer running, you are an admin, so how can you get a console on the hosts?

Well, due to the nature of Docker (and to a lesser extent, Kubernetes) containers BY DEFAULT have near unlimited access to the host (its why security is so critical).

Let me show you what i mean.

In Portainer, click on Containers, and then click to "+ Add Container".

Use the image "busybox:latest" (or another of your preference)

In the bottom of the window, "advanced container settings" select console mode " Interactive & TTY"

Set a bind mount of /host in the container to / on the host

Set the permissions to "privileged"

Deploy the container.

Now, console into the container (for busybox, change the console to /bin/sh).

Type the command chroot /host to change your default root path to be /host (which is the bind mount to the host fs)

The container is now running as root on the host and you can run commands againt the host.

As an example, you can type "echo 3 > /proc/sys/vm/drop_caches" to flush the memory caches .. or you can reboot the host using "reboot now"

So this is a really quick and easy way to get root console access to your hosts..

Dangerous? Yes, or course, and its why (by default) in Portainer we DISABLE this capability for non-admin users.

Regardless, if you are remote, a Portainer admin, and you need to quickly gain access to your hosts, this does the trick.

 

avatar

Neil Cresswell, CEO

Neil brings more than twenty years’ experience in advanced technology including virtualization, storage and containerization.

COMMENTS

Related articles