Hi,

we're running only 3 containers in privileged mode: cobbler, rsyslog and
mcollective. Running all the containers in privileged mode is not a good
idea for security reasons. Docker manages DNAT forwarding itself, so it
does not create any overhead for us.

> Is there any real benefits of using separate namespaces in security terms?

Of course, for example only ports specified in EXPOSE line in Dockerfile
are exposed to the host network. So if you start any additional tcp/udp
listeners inside the containers, their ports won't be accessible from the
host network.



On Sat, Aug 9, 2014 at 10:39 AM, Dmitriy Shulyak <dshul...@mirantis.com>
wrote:

> Hi team,
>
> I want to discuss benefits of using host networking [1] for docker
> containers, on master node.
>
> This feature was added in docker 0.11 and basicly means - reuse host
> networking stack, without
> creating separate namespace for each container.
>
> In my opinion it will result in much more stable install/upgrade of master
> node.
>
> 1. There will be no need for dhcrelay/dhcrelay_monitor on host
> 2. No dnat port forwarding
> 3. Performance improvement for pxe boot ???
>
> Is there any real benefits of using separate namespaces in security terms?
>
> To implement this we will need:
>
> 1. Update docker to recent version 0.12/1.x, we will do it anyway, yes?
> 2. Run docker containers with --net=host
>
> Ofcourse it will require running containers in privileged mode, but afaik
> we are already doing this for other reasons.
>
> So, what do you think?
>
> [1] https://github.com/docker/docker/issues/2012
> [2] https://docs.docker.com/articles/networking/
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to