[openstack-dev] [Fuel] Using host networking for docker containers

Matthew Mosesohn mmosesohn at mirantis.com
Mon Aug 11 10:28:54 UTC 2014


Moving to host networking would reduce our ability to do zero downtime
upgrades in the future. It means you must kill the old container in
order to start the new one, rather than allowing for the possibility
to remap the network configuration in iptables. It's something we
don't have now, but we may be able to do in the future.

With regards to security issues, we have some more restrictive
firewall rules in place now. I don't think this is a major issue.

I don't think it makes a huge difference in performance to switch to
host networking, but it's worth testing.

On Mon, Aug 11, 2014 at 1:16 PM, Aleksandr Didenko
<adidenko at mirantis.com> wrote:
> Hi,
>
> we're running only 3 containers in privileged mode: cobbler, rsyslog and
> mcollective. Running all the containers in privileged mode is not a good
> idea for security reasons. Docker manages DNAT forwarding itself, so it does
> not create any overhead for us.
>
>
>> Is there any real benefits of using separate namespaces in security terms?
>
> Of course, for example only ports specified in EXPOSE line in Dockerfile are
> exposed to the host network. So if you start any additional tcp/udp
> listeners inside the containers, their ports won't be accessible from the
> host network.
>
>
>
> On Sat, Aug 9, 2014 at 10:39 AM, Dmitriy Shulyak <dshulyak at mirantis.com>
> wrote:
>>
>> Hi team,
>>
>> I want to discuss benefits of using host networking [1] for docker
>> containers, on master node.
>>
>> This feature was added in docker 0.11 and basicly means - reuse host
>> networking stack, without
>> creating separate namespace for each container.
>>
>> In my opinion it will result in much more stable install/upgrade of master
>> node.
>>
>> 1. There will be no need for dhcrelay/dhcrelay_monitor on host
>> 2. No dnat port forwarding
>> 3. Performance improvement for pxe boot ???
>>
>> Is there any real benefits of using separate namespaces in security terms?
>>
>> To implement this we will need:
>>
>> 1. Update docker to recent version 0.12/1.x, we will do it anyway, yes?
>> 2. Run docker containers with --net=host
>>
>> Ofcourse it will require running containers in privileged mode, but afaik
>> we are already doing this for other reasons.
>>
>> So, what do you think?
>>
>> [1] https://github.com/docker/docker/issues/2012
>> [2] https://docs.docker.com/articles/networking/
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



More information about the OpenStack-dev mailing list