I work on an application with different processes and I'm asked to contain those processes to achieve more isolation.
The problem is that the processes share memory with a single "hypervisor" process in order to exchange data (they use classic shared buffers). This solution was implemented for performance requirements and because it runs in user-space, so there is no context switching between user-space and kernel-space.
If I'm not wrong, it is not possible to run more than one Docker container inside a single IPC namespace, but I don't know if it is possible for a single Docker container to belong to different IPC namespaces; this could solve my problem.
Other solutions are welcome, just keep in mind that performance is a requirement, thanks in advance.
The --ipc=host and --ipc=container:id options have since been added to the Docker create and run commands to share IPC resources:

    --ipc="" : Set the IPC mode for the container,
        'container:<name|id>': reuses another container's IPC namespace
        'host': use the host's IPC namespace inside the container
IPC with the host:

    docker run --ipc=host <image>

IPC with another container:

    docker run --ipc=container:<id> <image>
Technically, you can share the same IPC namespace between containers, but Docker doesn't support that (yet).
If you can use mmap() instead of IPC, then you could share a volume between both containers, and map a file on that volume; it will be the same file, and therefore be shared correctly.
If you really need to share the IPC namespace (because you can't change the existing code), then it's time to write some Go code and contribute it to Docker :-)
The easiest path would probably be to add a flag to the libcontainer binding, so that you can start a container reusing the IPC namespace of the host (or of another container). Check the implementation of the --net flag, since it achieves exactly that, but for the network namespace.
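The mmap() alternative suggested in this answer, and the shared-buffer exchange the question describes, as an added example (not code from the thread, from Docker, or from the asker's application): a single-producer, single-consumer ring buffer kept in a file that both sides map with MAP_SHARED. Because both mappings are backed by the same page-cache pages, a "hypervisor" container and a worker container that bind-mount the same directory exchange data through plain memory loads and stores, with no IPC namespace in common and no kernel call per message. The file path, buffer size, and payload below are constructed for the example; the header layout, magic value and function names are mine.

```c
/* Added example, not code from the thread or from Docker: a single-producer,
 * single-consumer ring buffer in a file mapped MAP_SHARED. Two processes, or two
 * containers bind-mounting the file's directory, share the same page-cache
 * pages, so no shared IPC namespace is needed. Path and payload are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#define SHM_MAGIC 0x53484d31u   /* "SHM1": rejects files that are not ours */
typedef struct {                /* header at offset 0 of the mapped file */
    uint32_t magic;
    uint32_t cap;               /* data bytes after the header, a power of two */
    _Atomic uint32_t head;      /* next byte the producer writes */
    _Atomic uint32_t tail;      /* next byte the consumer reads */
    unsigned char data[];
} shm_hdr;
typedef struct { shm_hdr *h; size_t map_len; } shm_buf;

/* create=1 (re)initialises `path` for `cap` bytes; create=0 joins and validates an
 * existing buffer. C11 atomics are only process-safe when lock-free (checked). */
int shm_buf_open(shm_buf *b, const char *path, uint32_t cap, int create)
{
    if (create && (cap == 0 || (cap & (cap - 1)))) { errno = EINVAL; return -1; }
    int fd = open(path, create ? O_RDWR | O_CREAT : O_RDWR, 0600);
    if (fd < 0) return -1;
    struct stat st; if (fstat(fd, &st) < 0) { close(fd); return -1; }
    size_t len = create ? sizeof(shm_hdr) + cap : (size_t)st.st_size;
    if (create && ftruncate(fd, (off_t)len) < 0) { close(fd); return -1; }
    if (len < sizeof(shm_hdr)) { close(fd); errno = EINVAL; return -1; }
    shm_hdr *h = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);                  /* the mapping keeps the file referenced */
    if (h == MAP_FAILED) return -1;
    if (create) {
        h->cap = cap;
        atomic_store(&h->head, 0);
        atomic_store(&h->tail, 0);
        h->magic = SHM_MAGIC;   /* written last so a joiner sees a full header */
    }
    if (h->magic != SHM_MAGIC || h->cap == 0 || (h->cap & (h->cap - 1))
        || sizeof(shm_hdr) + h->cap != len || !atomic_is_lock_free(&h->head)) {
        munmap(h, len); errno = EINVAL; return -1;
    }
    b->h = h; b->map_len = len; return 0;
}

/* Producer: queue up to `len` bytes, return how many fit (0 when full). Indices
 * are always masked, so a peer that corrupts head/tail cannot push us out of
 * the mapping; it can only garble the stream. */
size_t shm_buf_write(shm_buf *b, const void *src, size_t len)
{
    shm_hdr *h = b->h;
    uint32_t head = atomic_load_explicit(&h->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&h->tail, memory_order_acquire);
    size_t n = len, room = h->cap - (head - tail);   /* uint32 wrap is intended */
    if (n > room) n = room;
    for (size_t i = 0; i < n; i++)
        h->data[(head + i) & (h->cap - 1)] = ((const unsigned char *)src)[i];
    atomic_store_explicit(&h->head, head + (uint32_t)n, memory_order_release);
    return n;
}

/* Consumer: dequeue up to `max` bytes, return how many there were (0 = empty). */
size_t shm_buf_read(shm_buf *b, void *dst, size_t max)
{
    shm_hdr *h = b->h;
    uint32_t tail = atomic_load_explicit(&h->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&h->head, memory_order_acquire);
    size_t n = max, avail = head - tail;
    if (n > avail) n = avail;
    for (size_t i = 0; i < n; i++)
        ((unsigned char *)dst)[i] = h->data[(tail + i) & (h->cap - 1)];
    atomic_store_explicit(&h->tail, tail + (uint32_t)n, memory_order_release);
    return n;
}

void shm_buf_close(shm_buf *b) { munmap(b->h, b->map_len); b->h = NULL; }

/* Parent produces, a forked child consumes via its own mapping of the same file.
 * The 32-byte buffer is smaller than the payload, so the producer has to wait
 * for the consumer. Returns the child's exit status (0 = payload intact). */
int demo_roundtrip(const char *path)
{
    static const char msg[] = "constructed payload: 16 sensor samples";
    shm_buf prod; if (shm_buf_open(&prod, path, 32, 1) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { shm_buf_close(&prod); return -1; }
    if (pid == 0) {                          /* consumer process */
        shm_buf cons; char got[sizeof msg]; size_t n = 0;
        if (shm_buf_open(&cons, path, 0, 0) < 0) _exit(2);
        while (n < sizeof msg)               /* spin until the producer catches up */
            n += shm_buf_read(&cons, got + n, sizeof msg - n);
        shm_buf_close(&cons);
        _exit(memcmp(got, msg, sizeof msg) == 0 ? 0 : 1);
    }
    for (size_t sent = 0; sent < sizeof msg;)
        sent += shm_buf_write(&prod, msg + sent, sizeof msg - sent);
    int status = 0; waitpid(pid, &status, 0);
    shm_buf_close(&prod); unlink(path);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

To use it across containers, start both with the same bind mount (for instance `-v /dev/shm/app:/shared`, assumed paths) and have the producer call `shm_buf_open(&b, "/shared/ring", cap, 1)` before the consumer joins with `create=0`; putting the host directory on tmpfs avoids the file being written back to disk. The same code also works unchanged on a path under /dev/shm when the two containers share an IPC namespace through `--ipc=container:<id>`, since they then see the same /dev/shm. Compared with `--ipc=host`, which exposes every shared-memory segment, semaphore and message queue on the host to the container, a bind-mounted file limits what is shared to that one file and its permissions; the open-time checks (magic, size, lock-free atomics) and the masked indices are there because the peer on the other side of the buffer is exactly the component you are trying to isolate from.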
As suggested by @jpetazzo, I looked at the source of Docker and, with the help of the devs on #docker-dev, I successfully recompiled Docker in order to drop the IPC namespace.
To achieve this, it is necessary to comment out the line "NEWIPC": true, in the file default_template.go located in the folder docker/daemon/execdriver/native/template of the Docker source code.
The old code now works perfectly.