I work on an application with different processes and I'm asked to contain those processes for achieving more isolation.
The problem is that the processes share memory with a single "hypervisor" process in order to exchange data (they use classic shared buffers). This solution was implemented for performance requirements and because it runs in user space, so there is no context switching between user space and kernel space.
If I'm not wrong, it is not possible to run more than one Docker container inside a single IPC namespace, but I don't know if it is possible for a single Docker container to belong to different IPC namespaces; this could solve my problem.
Other solutions are welcome; just keep in mind that performance is a requirement. Thanks in advance.
If you are running more than one container, you can let your containers communicate with each other by attaching them to the same network. Docker creates virtual networks which let your containers talk to each other. In a network, a container has an IP address, and optionally a hostname.
Multiple containers can run with the same volume when they need access to shared data. Docker creates a local volume by default.
Set Maximum Memory Access
To limit the maximum amount of memory usage for a container, add the --memory option to the docker run command. Alternatively, you can use the shortcut -m. Within the command, specify how much memory you want to dedicate to that specific container.
The --ipc=host and --ipc=container:id options have since been added to the Docker create and run commands to share IPC resources.
--ipc="" : Set the IPC mode for the container
'container:<name|id>': reuses another container's IPC namespace
'host': use the host's IPC namespace inside the container
IPC with the host:
docker run --ipc=host <image>
IPC with another container:
docker run --ipc=container:<id> <image>
IPC with another container may need the shareable option set on the initial container (if dockerd defaults IPC to private):
docker run --ipc=shareable <image>
Technically, you can share the same IPC namespace between containers, but Docker doesn't support that (yet).
If you can use mmap() instead of IPC, then you could share a volume between both containers, and map a file on that volume; it will be the same file, and therefore be shared correctly.
If you really need to share the IPC namespace (because you can't change the existing code), then it's time to write some Go code and contribute it to Docker :-)
The easiest path would probably be to add a flag to the libcontainer binding, so that you can start a container reusing the IPC namespace of the host (or of another container). Check the implementation of the --net flag, since it achieves exactly that, but for the network namespace.
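The mmap() route from the answer above, as an added example that is not part of the original thread: two separate processes each map the same file with MAP_SHARED and see each other's writes through the page cache, which is what happens when two containers mount the same volume and map a file on it. The file path is an assumed placeholder; on real containers it would sit on the shared volume, and the same code would run unchanged in each container.

```c
/* Added example (not from the thread): shared buffer via a MAP_SHARED file,
   the user-space alternative to SysV/POSIX shm suggested in the answer. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define SHARED_PATH "/tmp/shared_buf.bin" /* assumed: a file on the shared volume */
#define BUF_SIZE 4096

/* Open (creating if needed) and map the shared file; NULL on failure.
   Each process calls this itself, so the mappings are independent, as they
   would be in two containers that only share the volume. */
static unsigned char *map_shared(const char *path, size_t size)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return NULL;
    if (ftruncate(fd, (off_t)size) < 0) { close(fd); return NULL; }
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd); /* the mapping stays valid after the descriptor is closed */
    return p == MAP_FAILED ? NULL : (unsigned char *)p;
}

/* Child process maps the file and writes msg; after it exits, the parent maps
   the file on its own and reads the buffer back. Returns 1 if the parent saw
   exactly msg, 0 on any failure. */
int shared_file_roundtrip(const char *path, const char *msg)
{
    unlink(path); /* start from a fresh, zero-filled buffer */
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) { /* writer side */
        unsigned char *buf = map_shared(path, BUF_SIZE);
        if (!buf) _exit(1);
        strncpy((char *)buf, msg, BUF_SIZE - 1);
        msync(buf, BUF_SIZE, MS_SYNC); /* push dirty pages to the file */
        munmap(buf, BUF_SIZE);
        _exit(0);
    }
    int status = 0; /* reader side */
    if (waitpid(pid, &status, 0) < 0 || status != 0) return 0;
    unsigned char *buf = map_shared(path, BUF_SIZE);
    if (!buf) return 0;
    int ok = strncmp((char *)buf, msg, BUF_SIZE) == 0;
    munmap(buf, BUF_SIZE);
    unlink(path);
    return ok;
}
```

The example only shows the data path; a real shared-buffer protocol still needs its own synchronisation (for example a lock or atomic sequence counter placed inside the mapped region), since the file itself provides none.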