In an environment where docker containers are running inside other docker containers (by mounting the docker socket, not running as privileged), is there any way to manipulate the network to do things like:
- Introduce latency
- Drop % of packets
- Bandwidth caps
I am only interested in docker-to-docker traffic from containers I am starting myself with docker-py (inside the environment). I do not care about manipulating other traffic such as docker to localhost or docker to internet. In many regards it would be ideal to only manipulate docker-docker network traffic.
There are a lot of ways you can do this even within a docker container when it is run under one of the following situations:
- Privileged mode
- Passing the `--cap-add=NET_ADMIN` flag at runtime
A few utilities (iptables, tc, and all sorts of libraries implemented using them) allow this. But all require higher permissions than are available in my environment, since the "host" container is not started in privileged mode.
I cannot control the system configuration. I have to run these containers inside another container, not started in privileged mode. It would be straightforward if I could change this because I could just use any of the above listed utilities.
All the containers are attached to a network created simply by `docker network create foobar`.
My application, written in Python 3.4, is using docker-py on OSX.
- Is there any way to manipulate docker-to-docker networking characteristics to introduce latency, packet drop, etc.?
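As an added example that is not part of the question, this is what the `NET_ADMIN` route mentioned above looks like from docker-py: it builds the `tc netem` command for latency, loss and a rate cap, and the options for `client.containers.run()` so the container joins the `foobar` network with only `CAP_NET_ADMIN` rather than full `--privileged`. It assumes the modern `docker` SDK API and an image that ships iproute2 (placeholder name), and it does not get around the question's constraint, since the inner container still needs that capability.

```python
"""Added example (not from the question): start a container with docker-py,
granting only CAP_NET_ADMIN, and shape its docker-to-docker traffic with
tc netem. Assumes the modern `docker` SDK and an existing `foobar` network."""


def netem_command(iface="eth0", delay_ms=0, loss_pct=0.0, rate=None):
    """Build the tc netem argv that adds latency, packet loss and an optional
    bandwidth cap on the container's interface (applied inside the container)."""
    if delay_ms < 0 or not 0.0 <= loss_pct <= 100.0:
        raise ValueError("delay must be >= 0 and loss must be a percentage")
    argv = ["tc", "qdisc", "add", "dev", iface, "root", "netem"]
    if delay_ms:
        argv += ["delay", "%dms" % delay_ms]
    if loss_pct:
        argv += ["loss", "%g%%" % loss_pct]
    if rate:
        argv += ["rate", rate]  # e.g. "1mbit"; netem's built-in rate limiter
    return argv


def run_kwargs(image, network="foobar", **netem):
    """Keyword arguments for client.containers.run(): the container joins the
    user-defined network and gets only NET_ADMIN, not --privileged."""
    tc = " ".join(netem_command(**netem))
    # Apply the qdisc first, then keep the container alive for the experiment.
    return {
        "image": image,
        "command": ["sh", "-c", tc + " && tail -f /dev/null"],
        "network": network,
        "cap_add": ["NET_ADMIN"],
        "detach": True,
    }


if __name__ == "__main__":
    import docker  # needs the docker SDK and a reachable daemon socket

    client = docker.from_env()
    # IMAGE_WITH_TC is a placeholder for an image that has iproute2 installed.
    opts = run_kwargs("IMAGE_WITH_TC", delay_ms=100, loss_pct=5, rate="1mbit")
    container = client.containers.run(**opts)
    print("started", container.short_id, "with", opts["command"][2])
```

Because the qdisc is attached to the container's own `eth0`, only traffic leaving that container is shaped, which matches the docker-to-docker scope in the question; traffic from other containers on `foobar` is untouched unless they are started the same way.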