Re: [openstack-dev] [Fuel] Using host networking for docker containers

2014-08-11 Thread Aleksandr Didenko
Hi,

we're running only 3 containers in privileged mode: cobbler, rsyslog and
mcollective. Running all the containers in privileged mode is not a good
idea for security reasons. Docker manages DNAT forwarding itself, so it
does not create any overhead for us.

 Are there any real benefits of using separate namespaces in security terms?

Of course, for example only ports specified in EXPOSE line in Dockerfile
are exposed to the host network. So if you start any additional tcp/udp
listeners inside the containers, their ports won't be accessible from the
host network.



On Sat, Aug 9, 2014 at 10:39 AM, Dmitriy Shulyak dshul...@mirantis.com
wrote:

 Hi team,

 I want to discuss benefits of using host networking [1] for docker
 containers, on master node.

 This feature was added in docker 0.11 and basically means - reuse host
 networking stack, without creating separate namespace for each container.

 In my opinion it will result in much more stable install/upgrade of master
 node.

 1. There will be no need for dhcrelay/dhcrelay_monitor on host
 2. No dnat port forwarding
 3. Performance improvement for pxe boot ???

 Are there any real benefits of using separate namespaces in security terms?

 To implement this we will need:

 1. Update docker to recent version 0.12/1.x, we will do it anyway, yes?
 2. Run docker containers with --net=host

 Of course it will require running containers in privileged mode, but afaik
 we are already doing this for other reasons.

 So, what do you think?

 [1] https://github.com/docker/docker/issues/2012
 [2] https://docs.docker.com/articles/networking/

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


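As an added example (not code from the thread or from the Fuel project), a small audit over constructed `docker inspect` output that reports, per container, whether it shares the host network namespace or runs privileged and which ports actually reach the host network: in bridge mode only `-p` published ports get DNAT rules from the host interfaces, a bare EXPOSE is reachable on the docker bridge only, and with `--net=host` every listener the process opens sits on the host stack. The inspect keys are the real ones; the container names and ports are constructed.

```python
import json

# Constructed sample of `docker inspect` output; names and ports are made up
# to mirror the thread's cases, not taken from a real Fuel master node.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/cobbler",
     "Config": {"ExposedPorts": {"80/tcp": {}, "69/udp": {}}},
     "HostConfig": {"NetworkMode": "bridge", "Privileged": True,
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}},
    {"Name": "/rsyslog",
     "Config": {"ExposedPorts": {"514/udp": {}}},
     "HostConfig": {"NetworkMode": "host", "Privileged": True,
                    "PortBindings": {}}},
    {"Name": "/nailgun",
     "Config": {"ExposedPorts": {"8000/tcp": {}}},
     "HostConfig": {"NetworkMode": "bridge", "Privileged": False,
                    "PortBindings": {"8000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8000"}]}}},
])


def audit_container(c):
    """Describe what of one container reaches the host network and how risky it is."""
    host_cfg = c.get("HostConfig") or {}
    host_net = host_cfg.get("NetworkMode") == "host"
    privileged = bool(host_cfg.get("Privileged"))
    exposed = sorted((c.get("Config") or {}).get("ExposedPorts") or {})
    # Bridge mode: only PortBindings (-p) are DNATed from the host; EXPOSE alone
    # stays on the docker bridge. --net=host: no namespace, every listener is host-side.
    published = sorted(host_cfg.get("PortBindings") or {})
    if host_net and privileged:
        risk = "high"      # root-equivalent process on the host's own network stack
    elif host_net or privileged:
        risk = "medium"
    else:
        risk = "low"
    return {
        "name": c["Name"].lstrip("/"),
        "host_network": host_net,
        "privileged": privileged,
        "published_ports": published,
        "unpublished_exposed": [] if host_net else [p for p in exposed if p not in published],
        "risk": risk,
    }


def audit(inspect_json):
    """Run audit_container over a `docker inspect` JSON array (string)."""
    return [audit_container(c) for c in json.loads(inspect_json)]
```

Feed it the output of `docker inspect $(docker ps -q)` to get the same report for a live node.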


Re: [openstack-dev] [Fuel] Using host networking for docker containers

2014-08-11 Thread Matthew Mosesohn
Moving to host networking would reduce our ability to do zero downtime
upgrades in the future. It means you must kill the old container in
order to start the new one, rather than allowing for the possibility
to remap the network configuration in iptables. It's something we
don't have now, but we may be able to do in the future.

With regards to security issues, we have some more restrictive
firewall rules in place now. I don't think this is a major issue.

I don't think it makes a huge difference in performance to switch to
host networking, but it's worth testing.

On Mon, Aug 11, 2014 at 1:16 PM, Aleksandr Didenko
adide...@mirantis.com wrote:
 Hi,

 we're running only 3 containers in privileged mode: cobbler, rsyslog and
 mcollective. Running all the containers in privileged mode is not a good
 idea for security reasons. Docker manages DNAT forwarding itself, so it does
 not create any overhead for us.


 Are there any real benefits of using separate namespaces in security terms?

 Of course, for example only ports specified in EXPOSE line in Dockerfile are
 exposed to the host network. So if you start any additional tcp/udp
 listeners inside the containers, their ports won't be accessible from the
 host network.



 On Sat, Aug 9, 2014 at 10:39 AM, Dmitriy Shulyak dshul...@mirantis.com
 wrote:

 Hi team,

 I want to discuss benefits of using host networking [1] for docker
 containers, on master node.

 This feature was added in docker 0.11 and basically means - reuse host
 networking stack, without creating separate namespace for each container.

 In my opinion it will result in much more stable install/upgrade of master
 node.

 1. There will be no need for dhcrelay/dhcrelay_monitor on host
 2. No dnat port forwarding
 3. Performance improvement for pxe boot ???

 Are there any real benefits of using separate namespaces in security terms?

 To implement this we will need:

 1. Update docker to recent version 0.12/1.x, we will do it anyway, yes?
 2. Run docker containers with --net=host

 Of course it will require running containers in privileged mode, but afaik
 we are already doing this for other reasons.

 So, what do you think?

 [1] https://github.com/docker/docker/issues/2012
 [2] https://docs.docker.com/articles/networking/








[openstack-dev] [Fuel] Using host networking for docker containers

2014-08-09 Thread Dmitriy Shulyak
Hi team,

I want to discuss benefits of using host networking [1] for docker
containers, on master node.

This feature was added in docker 0.11 and basically means - reuse host
networking stack, without creating separate namespace for each container.

In my opinion it will result in much more stable install/upgrade of master
node.

1. There will be no need for dhcrelay/dhcrelay_monitor on host
2. No dnat port forwarding
3. Performance improvement for pxe boot ???

Are there any real benefits of using separate namespaces in security terms?

To implement this we will need:

1. Update docker to recent version 0.12/1.x, we will do it anyway, yes?
2. Run docker containers with --net=host

Of course it will require running containers in privileged mode, but afaik
we are already doing this for other reasons.

So, what do you think?

[1] https://github.com/docker/docker/issues/2012
[2] https://docs.docker.com/articles/networking/