Is there any way to manipulate the network docker containers are present on?

I am interested in doing the following:

  • Running docker containers inside docker containers (where the “host” docker container is not run with privileged mode)
  • Manipulating network settings, introducing latency/etc

This is very straightforward when running on an actual host OS (such as OSX or linux) using iptables or the variety of libraries wrapping them. However, all of these require more privileges than a container run without --privileged (or just --cap-add=NET_ADMIN). I cannot change this as it is an external constraint - I know I can just add either of those runtime arguments to my “host” container and have access to the ‘native’ OS utils.

The “host” container mounts the docker sock when it is run (so I’m not running docker in docker).

All the containers are added to a network created with Docker that I am creating. Using Docker 1.11+ with docker-py as a framework basis on OSX. Currently running the docker beta, too, though that’s not necessarily required.

Is there any way I can trigger network conditions on the docker created network or influence the effectiveness of container to container manipulation from within the “host” docker container, when it is not run with privileged mode? Are there commands I can run directly against the user created docker network I am using?