I understand that using `setup_remote_docker` configures a remote docker daemon in an isolated environment, and that per the docs:

> Docker or Machine containers cannot directly communicate with the containers running in remote docker

What I’m not sure of, possibly due to my lack of experience with docker, is why? Is it just impossible to limit network communication between the primary instance in the shared environment and the containers spun up in the remote environment, some other security-related issue, or is it just something that’s not currently possible and maybe will be later?
This is currently causing some minor strife for me trying to run chef kitchen tests in CircleCI 2.0 using the `kitchen-docker` driver, where I’d like to do this:

```yaml
jobs:
  test:
    docker:
      - image: chef/chefdk:2.0.28
    steps:
      - checkout
      # setup, local tests…
      - setup_remote_docker
      - run: kitchen test
```

This actually works fine, spin-up and all, except obviously that kitchen can’t SSH into the new container because it’s in the separate isolated environment.
Using workflows I can always sidestep this by executing kitchen (or everything) in a separate `machine` job, but that comes with the ominous warning that

> Machine Executor may be available for additional fees in a future pricing update

which is not the end of the world, but kind of stinks given that my only reason for needing the `machine` executor is that the process which invokes docker also needs to be able to connect to the started container.
Since kitchen isn’t a process I control, I don’t think there’s any rabbit hole I can go down that would let me run the provisioning step on the primary image and then the test step on a dummy image in the isolated environment which could connect to the provisioned image, or any way to have kitchen execute the commands via docker instead of trying to connect directly, and that seems like a lot of hoops to jump through anyway.
I assume the cleanest option currently available is using a `machine` executor like I’m doing, but I’m definitely open to suggestions. Is it likely going to remain the only feasible way, or is it possible this might change in the future?