How do I make docker run setns into the network namespace of my choice when starting a container? I want something like --net host mode, but aiming at the namespace of the Docker server itself.
Or should I nsenter(1) from within the container started with --net host? Can it be done without making the container overly privileged?
dockers/containerd. Obviously, that is the namespace where --net host containers are started by default.

--privileged --net host container + mounting (-v) the network namespace into the container + nsenter within the container. Maybe Docker supports specifying some additional wrappers while container's is still in the host filesystem and hasn't yet dropped privileges. That would make the scheme nicer + remove --privileged from the container itself.

host) has this functionality built in. The other built-in drivers aren't what you're asking for. It would be especially tricky to implement because container configuration defined when you type docker run ... lives across server reboots. AFAIK network namespaces don't, and their numbering is completely lost on reboot. So the driver would need some stable way to configure which namespace you wanted.

nsenter and can have persistent names. I expect the driver to be almost the same as host, but accepting an additional argument and doing two additional syscalls: open(2) and setns(2).
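The last comment describes the driver as "open(2) and setns(2) on a persistently named namespace". The helper below is an added example, not code from the thread or from Docker, showing exactly those two calls as a small "enter the namespace, then exec" wrapper, the same thing nsenter --net=/run/netns/NAME does. It assumes the namespace was created with ip netns add NAME, which is what gives it a persistent name under /run/netns; the NETNS_DIR constant, the function names and the netns-exec usage are this example's own choices. The wrapper still needs CAP_SYS_ADMIN for setns(2), but the command it execs does not, so the privilege stays in the wrapper rather than in the whole container, and the name check keeps a caller from pointing it at a file outside /run/netns.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Directory where `ip netns add <name>` keeps persistent namespace bind mounts
 * (assumption of this example; adjust if your distribution differs). */
#define NETNS_DIR "/run/netns"

/* Validate a namespace name: non-empty, no '/', and not "." or "..",
 * so the resulting path cannot escape NETNS_DIR. 1 = acceptable, 0 = rejected. */
int netns_name_ok(const char *name) {
    if (name == NULL || name[0] == '\0') return 0;
    if (strchr(name, '/') != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Build NETNS_DIR/<name> into buf. 0 on success, -1 if the name is rejected
 * or the path does not fit. */
int netns_path(const char *name, char *buf, size_t buflen) {
    if (!netns_name_ok(name)) return -1;
    int n = snprintf(buf, buflen, "%s/%s", NETNS_DIR, name);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return 0;
}

/* Move the calling thread into the network namespace at `path`:
 * open(2) the namespace file, setns(2) with CLONE_NEWNET, close the fd.
 * Returns 0 on success or -errno on failure (-ENOENT if the namespace
 * does not exist, -EPERM without CAP_SYS_ADMIN). */
int enter_netns(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -errno;
    if (setns(fd, CLONE_NEWNET) < 0) {
        int saved = errno;
        close(fd);
        return -saved;
    }
    close(fd);
    return 0;
}

/* Usage: netns-exec <name> <command> [args...]
 * Enters /run/netns/<name> and then execs the command; the command itself
 * never needs the capability that setns(2) required. */
int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s <netns-name> <command> [args...]\n", argv[0]);
        return 2;
    }
    char path[256];
    if (netns_path(argv[1], path, sizeof path) != 0) {
        fprintf(stderr, "invalid namespace name: %s\n", argv[1]);
        return 2;
    }
    int rc = enter_netns(path);
    if (rc != 0) {
        fprintf(stderr, "setns into %s failed: %s\n", path, strerror(-rc));
        return 1;
    }
    execvp(argv[2], &argv[2]);
    perror("execvp");
    return 127;
}
```

Because setns(2) changes only the calling thread, the exec happens right after it; a multi-threaded program would have to call it from every thread. The failure path returns -errno rather than exiting, so a caller embedding this in a larger supervisor can log which namespace was missing and refuse to start the workload instead of silently running it in the host namespace.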