Privileged service container security

Hello all,

So, I’ve decided to embark on a custom/personal management interface for docker containers on docker-only hosts. Some things I’m wanting are expanded network interfacing, which docker doesn’t support out of the box (yet).

eth0 <-> docker0 (default)
eth1 <-> lan0 (Intranet constructed between the cluster of physical hosts)
eth2 <-> A public address which is allocated to the host and passed down to the container.

Now, these interfaces are totally possible. Since I’m mostly using CoreOS, managing the manipulation of these interfaces programmatically (via updates through etcd) has led me to having a “network configuration” container. This container communicates with etcd and is privileged to the host’s network namespace and the other running containers’ network namespaces via access to /proc/ from the host.

The question I have, which I haven’t been able to find much information on, is what I can lock down to make this as secure as possible. The netconfig container won’t be receiving input from anything other than what’s added and parsed in etcd.

I haven’t been able to find the right capability combination to add to allow access to /proc/*/ns/net, so I’ve settled on --privileged with -v /proc/:/hostproc. If there’s a better way to obtain access to other processes’ network namespaces, I’d love to check it out.
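The following is an added example, not code from the original post or from Docker, of the kind of helper the netconfig container described above would run against the host’s /proc bind-mounted at /hostproc. It assumes (none of this is in the post) that the target container’s host PID is supplied by the caller (for example from `docker inspect -f '{{.State.Pid}} NAME'` run on the host), that nsenter(1) from util-linux is available in the container, and that the container has enough privilege for setns(2). The point it adds to the post is the checks a practitioner would want around a value that ultimately comes from etcd: the PID is validated before it becomes a path component under /hostproc, the namespace identity is resolved from the kernel rather than trusted, and the host namespace (taken as whatever PID 1 in the host /proc lives in) is refused as a target.

```shell
#!/bin/sh
# netconfig-ns.sh: illustrative helper (example code, not the poster's) for a
# "network configuration" container that reaches other containers' network
# namespaces through the host's /proc, bind-mounted at /hostproc as in
# the post (-v /proc/:/hostproc).
#
# Assumptions, not taken from the original post:
#   * the target container's host PID is passed in by the caller
#     (e.g. from `docker inspect -f '{{.State.Pid}}' NAME` on the host);
#   * nsenter(1) from util-linux is installed in this container;
#   * the container may call setns(2) on another process's net namespace.
set -u

HOSTPROC="${HOSTPROC:-/hostproc}"

# Accept only a plain positive integer. A value copied from etcd such as
# "../1" or "self" must never become a path component under $HOSTPROC.
valid_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0*)          return 1 ;;   # rejects "0" and leading zeros
    esac
    return 0
}

# Path of a process's network-namespace handle under the host /proc.
netns_path() {
    valid_pid "$1" || return 1
    printf '%s/%s/ns/net\n' "$HOSTPROC" "$1"
}

# Namespace identity as the kernel reports it, e.g. "net:[4026531992]".
# Fails (and prints nothing) if the process is gone or /hostproc is missing.
netns_id() {
    p=$(netns_path "$1") || return 1
    readlink "$p" 2>/dev/null
}

# True only when both identities resolve and are equal; an unreadable side
# is never treated as a match.
same_netns() {
    a=$(netns_id "$1") || return 1
    b=$(netns_id "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run an ip(8) command inside the target container's network namespace.
# Refuses the host namespace: the container exists to reconfigure other
# containers, and a bad PID from etcd must not turn into, say,
# "ip link set eth0 down" on the host. PID 1 in the host /proc is the host.
apply_in_container() {
    pid=$1; shift
    p=$(netns_path "$pid") || { echo "bad pid: $pid" >&2; return 1; }
    if same_netns "$pid" 1; then
        echo "refusing: pid $pid is in the host network namespace" >&2
        return 1
    fi
    echo "+ nsenter --net=$p -- ip $*" >&2
    nsenter --net="$p" -- ip "$@"
}

# Usage: netconfig-ns.sh <host-pid> link set eth1 up
# With no arguments the script only defines the functions above.
[ $# -eq 0 ] || apply_in_container "$@"
```

Two caveats worth keeping in mind with this layout. First, setns(2) on a network namespace needs CAP_SYS_ADMIN (in the user namespace that owns the target namespace), and changing interfaces inside it needs CAP_NET_ADMIN, so `--cap-add SYS_ADMIN --cap-add NET_ADMIN` is the minimum that nsenter-style access requires; anything beyond that is extra attack surface. Second, once the host’s /proc is mounted into a container running as root with those capabilities, /hostproc/1/root is the host’s root filesystem, so the container is in practice root on the host whatever else is locked down inside it; the checks above reduce the damage a bad etcd value can do, but they do not make the container unprivileged.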

This seems to have some overlap with!topic/docker-dev/xR_SexGtrug

Perhaps you can join that discussion?