¨Docker run --network host¨ doesn't set docker container in same network as host

I have been trying to setup OWASP ZAP scanner for scanning a rails app through CI.
The thing is I have a specific script I wish to run (because I run specific user tests on ZAP), so I have my docker container which runs zap as a service:
docker run -d --network host --name autozap -u zap -i gmemin/autozap

And then execute the following command in CircleCI:
docker exec -it autozap python3 zapscan.py localhost:3000

This command fails because it can’t reach localhost:3000.

I also checked the ifconfig on the host and docker container and they are in a different network, despite running the docker container with --network host key.
In CircleCI:
- run: ifconfig --> netmask
- run: docker exec -it autozap ifconfig --> netmask

The rails app is running correctly in the host container, I can curl localhost:3000 and get the expected answer.
The ZAP service is also running correctly in the docker image.

I’ve also tried using the ZAP image as a secondary container in the CircleCI environment, meaning using the - image: gmemin/autozap key but can’t get it to execute the script I need. I have read that CircleCI 2.0 doesn’t have this feature, so that’s why I’m running ZAP as a docker container.

I’ve tried running the docker image with the -P key which exposes all ports, and still no luck.

How can I let the docker container have visibility of the rails app running in localhost:3000 in the host environment?
Now I’m looking into docker-izing the rails app so I can run the docker containers in the same network, is this the only solution to my problem?

Welcome gpilleux

The docker executor runs containers in a multi-tenant environment so we have to disable certain features that would cause security issues in such an environment, one of those is host networking (your containers share a physical host with other containers).

If you need full control over the host you can switch to a machine executor which allocates your job a dedicated VM.


1 Like