Docker how to set --net=host on aws red hat ec2

3/11/2021

I successfully containerized my RDS backup to an S3 upload through a k8s CronJob. However, it only works when port 5432 is open on 0.0.0.0/0. Based on this https://stackoverflow.com/questions/32893876/accessing-rds-from-within-a-docker-container-not-getting-through-security-group/41864708#comment64694174_32912847 a workaround is to set --net=host on the Docker container, which I am still struggling to figure out how to do. My DNS server is 10.122.8.2. Listing the code below:

Dockerfile

# this is a private registry (Dockerfile comments must start a line; a trailing
# "# ..." after FROM is parsed as an extra argument and fails the build)
FROM private/registry:rds-backup

# Use root user for package installation
USER root

# Install packages (yum update already upgrades installed packages; curl, zip and
# unzip are needed for the AWS CLI installer below)
RUN yum update -y && \
    yum install -y curl zip unzip && \
    yum clean all

# Install AWS CLI v2 and remove the installer afterwards
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws

# Make sure that your shell script file is in the same folder as your Dockerfile while running the docker build command, as the command below copies the file to the /home/root/ folder for execution
COPY . /home/root/

# Add an unprivileged user
RUN groupadd --system user && adduser --system user --no-create-home --gid user
# Only that user needs read/execute on the script directory; world-writable 777 is not required
RUN chown -R user:user /home/root/ && chmod -R 750 /home/root/

# Switch to non-root user
USER user

# Run service (the CronJob below overrides this with its own args, so this default never runs there)
CMD ["postgres"]

My command for the build: docker build -t private/registry:rds-backup .

My postgres-backup.sh script:

#!/bin/bash
# file-name: postgres-backup.sh
# Abort on the first failing command so a failed pg_dump does not upload an empty file
set -euo pipefail

export DUMP_FILE="backup_$(date +%Y%m%d_%H%M%S).dump.sql"
# Hard-coded database password; in the CronJob this should be supplied from a Kubernetes Secret instead
export PGPASSWORD=adminadmin
cd /home/root
mkdir -p pg-backup
cd pg-backup
pg_dump -h database-k8.name.region.rds.amazonaws.com -U postgres -d k8rdsbackup -Fp > "$DUMP_FILE"

# s3 upload
aws s3 cp "$DUMP_FILE" s3://k8rdsbackup-test/dev/

My backup-postgres-cronjob.yaml:

#file-name: postgresql-backup-cron-job.yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: postgresql-backup-cron-job
  namespace: rds-backup-test
spec:
  # Cron time is interpreted in the server's time zone; check the server time zone and set the schedule accordingly.
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          imagePullSecrets:
          - name: rds
          containers:
          - name: postgresql-backup-job-pod
            image: private/registry:rds-backup # this is a private registry
            imagePullPolicy: Always
            args:
            - /bin/bash
            - -c
            - cd /home/root; ls; bash postgres-backup.sh;
          restartPolicy: OnFailure
      backoffLimit: 3

and my current systemd docker.service unit file in the bastion is below:

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --dns 10.122.8.2 --dns 8.8.8.8 --dns 8.8.4.4
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

As you can see, I have added --dns 10.122.8.2 --dns 8.8.8.8 --dns 8.8.4.4 at the end of the ExecStart and reloaded the daemon with the commands below, but no luck. Please help!

sudo systemctl daemon-reload
sudo systemctl restart docker.service
-- kddiji
amazon-rds
docker
kubernetes
kubernetes-cronjob

1 Answer

3/11/2021

Host networking (--net=host) is a per-container setting rather than a Docker daemon setting, used on docker create or docker run:

docker run --net=host --detach me/myimage 

Be aware that this gives the container full access to the host's network.

-- Matt
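The Kubernetes equivalent of the answer's per-container `--net=host`, applied to the asker's CronJob, as an added example that is not part of the original question or answer. `hostNetwork: true` puts the pod in the node's network namespace, so pg_dump connects from the node's own IP, and `dnsPolicy: ClusterFirstWithHostNet` is needed because a host-network pod otherwise inherits the node's resolv.conf instead of cluster DNS. The Secret name `rds-backup-credentials` and its `password` key are assumptions; the script's own `export PGPASSWORD=...` line must be removed for the injected value to be used.

```yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: postgresql-backup-cron-job
  namespace: rds-backup-test
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      backoffLimit: 3
      template:
        spec:
          # Kubernetes equivalent of `docker run --net=host`: the pod shares the
          # node's network namespace, so outbound traffic carries the node's IP.
          hostNetwork: true
          # Without this a host-network pod uses the node's resolv.conf and cannot
          # resolve cluster-internal names; this keeps cluster DNS in use.
          dnsPolicy: ClusterFirstWithHostNet
          imagePullSecrets:
          - name: rds
          containers:
          - name: postgresql-backup-job-pod
            image: private/registry:rds-backup   # private registry, as in the original
            imagePullPolicy: Always
            env:
            # Assumption: a Secret holding the RDS password, replacing the value
            # hard-coded in postgres-backup.sh
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: rds-backup-credentials
                  key: password
            args:
            - /bin/bash
            - -c
            - cd /home/root; bash postgres-backup.sh
          restartPolicy: OnFailure
```

The same caveat as the answer applies: the pod now sees every interface and port of the node. If the real blocker is the RDS security group, the narrower fix is an inbound rule on TCP 5432 whose source is the worker nodes' security group (or the VPC/subnet CIDR) instead of 0.0.0.0/0, with host networking left off.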
Source: StackOverflow