Docker run script in host on docker-compose up

My question relates to best practices on how to run a script on a docker-compose up directive.

Currently I'm sharing a volume between host and container to allow for the script changes to be visible to both host and container. Similar to a watching script polling for changes on configuration file. The script has to act on host on changes according to predefined rules.

How could I start this script on a docker-compose up directive or even from the Dockerfile of the service, so that whenever the container goes up the "watcher" can find any changes being made and writing to.

The container in question will always run over a Debian / Ubuntu OS and should be architecture independent, meaning it should be able to run on ARM as well.

I wish to run a script on the Host, not inside the container. I need the Host to change its network interface configurations to easily adapt any environment The HOST needs to change I repeat.. This should be seamless to the user, and easily editable on a Web interface running Inside a CONTAINER to adapt to new environments.

I currently do this with a script running on the host based on crontab. I just wish to know the best practices and examples of how to run a script on HOST from INSIDE a CONTAINER, so that the deploy can be as easy for the installing operator to just run docker-compose up.

Im not entirely sure you understood the question. What I meant is, I need to run a script on the Host, when the containers go up. So that the container and host can communicate between each other so I can change current network configurations on the host. The CMD directive, will run the script inside the running container, not inside the hosting machine, nor should it run.

Thank you for answering, its a step frorward, but It wouldn't differ much from having a script calling both the compose up and the sript to run. Regarding the security concerns it's the same as if you were to run any web application or any application connected to the internet. The isolation aspect is not as needed for this use case as it is the deploy across all platforms aspect. The script is predefined and its not user editable. nor character injectable, and would not give user shell access. Only to signal the invocation of the script, avoiding the active polling and such. Thank you

My concern is about executing code in the host. Suppose that one user adds something in the container that can be executed on the host. A simple ssh -R could expose your infrastructure. Anyway, it's up to you to assume the risk, I only wanted to point it out for you to know. Also, I recommend you to read the link provided by @tgogos

I've seen it @charli long before posting this question as the topic on allowing containers to run something on host seems like taboo for the majority, but as I answered tgogos , maybe Im missing the command , but the script always runs on container and not on host. But I might be misunderstanding the command, if you guys could point me the right direction I would greatly appreciate.

Well I'll mark your answer as correct, for actually bringing a different approach to my current approach to use a script on host, polling for changes on shared volume and given the fact that there doesn't seem to be a concrete answer to the subject, however regarding the security issues, I will have to disagree with you. Docker is not meant to create a security layer, but for easy portability (Ship it right?), if your container is compromised, you are in deep trouble already, man the docker daemon runs as root on your host, you run docker without root access giving it root access...

There is just too much concern regarding something that was not built as a design in docker. These days even bare-metal hypervisors are not safe and leak information across VM's. The idea of docker is essentially to avoid dependencies hell and allow fast deployments. Systems are compromised all the time, Humans are in the loop, giving the container the ability to speak to the host is no different than having your webservice compromised in any other way.

Thanks, docker evolves and this answer here might be outdated quite soon. We can keep an eye on it and see what options will be added in the future...

Your question wasn't very clear. Containers aren't intended to interact with the host. You can work around this using docker run --network=host to directly expose the container using the host's network stack. You could mount the host's filesystem inside the container as well. It sounds like you need a wrapper script or to rethink how you're using docker.

I will just leave a link for people trying to run docker containers from other containers inside the docker host, reaching this page trying to find useful information. Run docker commands in host from inside docker container tdeheurles.github.io/acting-on-docker-from-inside-docker

A simple hook infrastructure in docker-compose would have really helped with some developer-environment type scenarios like this. (e.g vagrant has a way to run custom scripts during vagrant up, etc).