Host Networking + Links = FAIL :sadface:

I’m running an outgoing e-mail service using Postfix in Docker containers. In order to be able to specify the outgoing IP address to use (for IP reputation purposes, etc.), I have to run with --net host (because there’s no SNAT support). Now I want to run a milter (OpenDKIM) alongside the MTA, so I fire up another container and use --link to tell the Postfix container where the OpenDKIM container is… and FWACKOOM.

Error response from daemon: Conflicting options: host type networking can’t be used with links. This would result in undefined behavior.

I’m having trouble coming up with an alternative solution here that isn’t ugly as all get-out. I’ve considered:

  • Patching Docker/libnetwork for SNAT support. Having SNAT in core would be the best option, IMO, because using --net host here is a bodgy and unnecessary hack to get reliable source IP selection for outgoing connections. However, the medium-term support burden of running a patched Docker does not fill me with joy.
  • Putting OpenDKIM into the MTA image. So much for “one process per container”…
  • Using full-blown service discovery. We do have registrator running, so I could tie into that, but that would require exposing the milter to the network (because now, instead of just the MTA on the same machine talking to the local milter, all the MTA instances would need to be able to talk to all the instances of the milter). There is absolutely zero security on the milter protocol, which makes me twitchy (yes, I have firewalls, but maintaining the whitelist of source IPs is a pain, and one slip-up with the firewall config and all my security is toast… not a happy place).

Does anyone have any other suggestions as to how to achieve this?
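One way to keep the unauthenticated milter protocol off every network interface while the MTA stays on --net host, as an added example that is not the poster's configuration: OpenDKIM listens on a Unix socket inside a volume that both containers mount, and Postfix is pointed at that socket. Image names, the socket path and the volume name are assumptions; the check function only verifies that no milter entry uses an inet: socket.

```shell
#!/bin/sh
# Added example (not the poster's setup): share OpenDKIM's Unix socket with
# Postfix through a Docker volume, so no milter port is ever exposed.
# Paths, image names and the volume name below are assumptions.
set -eu

SOCK_DIR=/var/run/opendkim           # mount point inside both containers
SOCK="$SOCK_DIR/opendkim.sock"

# OpenDKIM config: listen on a local (Unix) socket, never inet:.
write_opendkim_conf() {              # $1 = output file
  cat >"$1" <<EOF
Syslog          yes
UMask           002
Socket          local:$SOCK
PidFile         $SOCK_DIR/opendkim.pid
EOF
}

# Postfix main.cf fragment: both smtpd and non-smtpd milters use the socket.
# If smtpd runs chrooted, place the socket under the Postfix queue directory
# instead so the chrooted daemon can reach it.
write_postfix_milter_cf() {          # $1 = output file
  cat >"$1" <<EOF
smtpd_milters = unix:$SOCK
non_smtpd_milters = unix:$SOCK
milter_protocol = 6
EOF
}

# Check: every *_milters value must be a unix:/local: socket, not inet:.
milters_are_local() {                # $1 = main.cf fragment
  vals=$(sed -n 's/^[a-z_]*milters *= *//p' "$1" | tr ',' ' ')
  [ -n "$vals" ] || return 1
  for v in $vals; do
    case "$v" in unix:*|local:*) ;; *) return 1 ;; esac
  done
}

# docker run lines: the MTA keeps --net host; the milter publishes no ports;
# only the named volume holding the socket is shared (assumed image names).
print_run_commands() {
  cat <<EOF
docker volume create dkim-sock
docker run -d --name opendkim -v dkim-sock:$SOCK_DIR example/opendkim
docker run -d --name postfix --net host -v dkim-sock:$SOCK_DIR example/postfix
EOF
}
```

Source the script, run `write_opendkim_conf` and `write_postfix_milter_cf` into the respective image build contexts, then `milters_are_local` on the Postfix fragment confirms nothing listens on inet: before the containers from `print_run_commands` are started.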