Root Console to a Host via Portainer?

How to gain console access to your hosts via Portainer
Written by
Neil Cresswell
,
Portainer CEO
5 min read
July 24, 2022
July 8, 2025

So, you have Portainer running in your environment, you are remote, enjoying a long overdue holiday or something suitably glamorous, and now disaster strikes... you need to access your Docker/Kubernetes Hosts, but you forgot your SSH keys...

What can you do? You have Portainer running, you are an admin, so how can you get a console on the hosts?

Well, due to the nature of Docker (and to a lesser extent, Kubernetes) containers BY DEFAULT have near unlimited access to the host (its why security is so critical).

Let me show you what i mean.

In Portainer, click on Containers, and then click to "+ Add Container".

Use the image "busybox:latest" (or another of your preference)

In the bottom of the window, "advanced container settings" select console mode " Interactive & TTY"

Set a bind mount of /host in the container to / on the host

Set the permissions to "privileged"

Deploy the container.

Now, console into the container (for busybox, change the console to /bin/sh).

Type the command chroot /host to change your default root path to be /host (which is the bind mount to the host fs)

The container is now running as root on the host and you can run commands againt the host.

As an example, you can type "echo 3 > /proc/sys/vm/drop_caches" to flush the memory caches .. or you can reboot the host using "reboot now"

So this is a really quick and easy way to get root console access to your hosts..

Dangerous? Yes, or course, and its why (by default) in Portainer we DISABLE this capability for non-admin users.

Regardless, if you are remote, a Portainer admin, and you need to quickly gain access to your hosts, this does the trick.

Share this post
This is some text inside of a div block.