This repo is for building a Docker image for troubleshooting in container environments. The contanier run as non-root by default. Some commands like tcpdump requires the container to run as root (Kubernetes).

Below are some use cases for docker-compose and Kubernetes. Kubernetes would be similar but not totally the same.

Please be reminded about the security implications of the capabilities being granted. The testing is performed testing with Podman and K3S.

1. For using this image without any extra capabilities (as user "debug")

   1. traceroute -U / --udp

      • -I (ICMP) is not possible because it needs NET_RAW capability

   2. mtr: -U (UDP), -T (TCP)

   3. telnet, dig, curl, wget, openssl and etc.

2. Run this image with net_raw capability

   docker-compose:
       cap_drop:
         - all
       cap_add:
         - net_raw
   
   Kubernetes (Option 1)
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
           - all
         add:
           - net_raw
           - net_admin
   
   Kubernetes (Option 2, not recommended)
     securityContext:
       # unspecified or set to true
       # allowPrivilegeEscalation: true
       # Not recommended because it allows privilege escalation
       # Implies that the container may execute binaries with setcap configured
       # Then the privileges may exceed or unbounded by below setting
       capabilities:
         drop:
           - all
         add:
           - net_raw

   • Then the user "debug" can additionally runs (including the previous step):

     • ping (ICMP)

     • traceroute -I (ICMP)

3. Run this image with these capabilities

   docker-compose:
       cap_drop:
         - all
       cap_add:
         - net_raw
         - net_admin
   
   Kubernetes (my preferred setting)
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
           - all
         add:
           - net_raw
           - net_admin
           - setuid
           - setgid
       # Need to run the container as root
       runAsUser: 0

   • Then the user "debug" can additionally run (including the previous steps):

     • tcpdump

     • If the conatiner is inside Kubernetes, then the user may need to run as root. Else the user cannot access the network interface (eth0). I am not sure what it is difference from podman.

4. Note there are other alternatives for running tcpdump:

   • In the host server, use nsenter to run tcpdump inside the conatiner.

   • Check if the CNI expose an NIC on the host server, then run tcpdump on the host.

   • Using a sidecar container (Kubernetes) to run tcpdump.

5. Other tools included in the container image

   • A custom build of amicontained, original project/repo