enderland

Reputation: 14185

Manipulating network traffic between containers in Docker in Docker environment without privileged mode?

In an environment where docker containers are running inside other docker containers (by mounting the docker socket, not running as privileged), is there any way to manipulate the network to do things like:

I am only interested in docker-to-docker traffic from containers I am starting myself with docker-py (inside the environment). I do not care about manipulating other traffic such as docker to localhost or docker to internet. In many regards it would be ideal to only manipulate docker-docker network traffic.

There are a lot of ways you can do this even within a docker container when it is run under one of the following situations:

A few utilities (iptables, tc, and all sorts of libraries implemented using them) allow this. But all require higher permissions than are available in my environment, since the "host" container is not started in privileged mode.

I cannot control the system configuration. I have to run these containers inside another container, not started in privileged mode. It would be straightforward if I could change this because I could just use any of the above listed utilities.

All the containers are attached to a network created simply by docker network create foobar.

My application, written in Python 3.4, is using docker-py on OSX.

Upvotes: 3

Views: 1797

Answers (1)

Steve Davis

Reputation: 187

I know this is very late, but I found this while I was looking for an answer to my own question... (it does, however, need privileges, but I thought it might be useful nonetheless)

You can introduce latency between containers using the tc command. For example, if the ping time is 5ms then by running the command:

tc qdisc add dev eth0 root netem delay 1000ms

the ping will now be approx. 1005 ms.

To remove the delay run the command:

tc qdisc del dev eth0 root netem

It's possible to simulate the complete failure of the network using the iptables command, so the following command will block all traffic to the IP address 192.168.1.202:

iptables -A INPUT -s 192.168.1.202/255.255.255.255 -j DROP

and to unblock it again use:

iptables -D INPUT -s 192.168.1.202/255.255.255.255 -j DROP

Upvotes: 4
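The answer's tc and iptables commands only need CAP_NET_ADMIN in the network namespace they act on, not --privileged, and the question's own setup makes that obtainable: because the docker socket is mounted, every container started through docker-py is created by the host daemon as a sibling, and its capability set comes from the HostConfig that docker-py sends, not from the (unprivileged) container making the call. So the target container can be started with cap_add=["NET_ADMIN"] and the tc/iptables commands run inside it with exec. The example below does that; it is added here and is not code from the question or the answer. It assumes the current `docker` SDK (the successor of docker-py, 3.x or later) and Python 3.6+ rather than the docker-py 1.x/Python 3.4 of the question, and it assumes an image (placeholder name `netem-tools:latest`) that has tc, iptables and ping installed; the container names and the ping-output parser are the example's own. Two caveats a practitioner should keep in mind: anything holding the docker socket is already root-equivalent on the host, so the "no privileged mode" constraint limits the host container, not what it can ask the daemon to create; and NET_ADMIN on eth0 delays everything leaving that container, so restricting the effect to the foobar subnet would need a tc filter, which is not shown here.

```python
"""Inject latency (or a blackhole) between sibling containers started over the
mounted docker socket, granting CAP_NET_ADMIN instead of --privileged.

Added example, not from the question or answer. Assumes the `docker` SDK
(docker-py's successor, 3.x+) and Python 3.6+; IMAGE and container names are
placeholders."""
import re

try:
    import docker  # `pip install docker`; only needed by start_pair()/demo()
except ImportError:  # the pure helpers below still work and are testable
    docker = None

NETWORK = "foobar"            # the question's `docker network create foobar`
IMAGE = "netem-tools:latest"  # assumption: any image with tc (iproute2), iptables and ping

# GNU iputils: "rtt min/avg/max/mdev = 0.9/1005.1/1009.2/3.1 ms"
# BusyBox:     "round-trip min/avg/max = 0.9/1005.1/1009.2 ms"
_RTT_RE = re.compile(r"min/avg/max(?:/mdev)? = [\d.]+/([\d.]+)/")


def netem_delay_cmd(delay_ms, iface="eth0", action="add"):
    """argv for the answer's tc command; action is 'add' or 'del'."""
    argv = ["tc", "qdisc", action, "dev", iface, "root", "netem"]
    if action == "add":
        argv += ["delay", "{}ms".format(int(delay_ms))]
    return argv


def iptables_drop_cmd(peer_ip, action="-A"):
    """argv for the answer's iptables rule; '-A' installs it, '-D' removes it."""
    return ["iptables", action, "INPUT", "-s", "{}/32".format(peer_ip), "-j", "DROP"]


def parse_ping_avg_ms(output):
    """Average RTT in ms from `ping -c N` output (GNU or BusyBox), or None."""
    m = _RTT_RE.search(output)
    return float(m.group(1)) if m else None


def run_checked(container, argv):
    """Exec argv in a container and return its output; raise on non-zero exit.
    Without CAP_NET_ADMIN, tc and iptables fail with 'Operation not permitted'."""
    rc, out = container.exec_run(argv)
    text = out.decode("utf-8", "replace") if isinstance(out, bytes) else str(out)
    if rc != 0:
        raise RuntimeError("{} failed (exit {}): {}".format(" ".join(argv), rc, text.strip()))
    return text


def start_pair(client):
    """Start two siblings on NETWORK. The daemon, not the calling container,
    assigns their capabilities, so the host container needs none itself.
    Only `a` gets NET_ADMIN (scoped to its own netns); NET_RAW covers ping/iptables."""
    common = dict(network=NETWORK, command=["sleep", "3600"], detach=True)
    a = client.containers.run(IMAGE, name="netem-a", cap_add=["NET_ADMIN", "NET_RAW"], **common)
    try:
        b = client.containers.run(IMAGE, name="netem-b", **common)
    except Exception:
        a.remove(force=True)
        raise
    return a, b


def demo(delay_ms=1000, count=3):
    """Measure RTT a->b, add delay_ms of egress delay on a, measure again, clean up."""
    client = docker.from_env()  # uses the mounted /var/run/docker.sock
    a, b = start_pair(client)
    try:
        ping = ["ping", "-c", str(count), "netem-b"]  # embedded DNS resolves the name
        before = parse_ping_avg_ms(run_checked(a, ping))
        run_checked(a, netem_delay_cmd(delay_ms))
        try:
            during = parse_ping_avg_ms(run_checked(a, ping))
        finally:
            run_checked(a, netem_delay_cmd(delay_ms, action="del"))
        return before, during
    finally:
        a.remove(force=True)
        b.remove(force=True)


if __name__ == "__main__":
    print("avg RTT before/during delay (ms):", demo())
```

Running the script from inside the unprivileged host container should report a second RTT roughly delay_ms above the first; if it instead raises "Operation not permitted" from tc, the daemon did not grant NET_ADMIN (for example because a daemon-side policy or a `--cap-drop` default overrides the request), which is the check to make before reaching for --privileged.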
