Description
docker-ingress-routing-daemon is a solution to the issue of swarm obscuring packet source IPs (#25526). We've been discussing the option of deploying this via docker swarm (see here), and one of the things that has come up is the inability to set sysctls on the ingress_sbox network namespace inside the swarm service, because it does not yet support --privileged (#25303).

As far as I can tell, with the right cap_adds, it should theoretically be possible to set the sysctls, but it seems to be thwarted by the fact that docker mounts /proc/sys as read-only inside containers. Unmounting it to expose the parent /proc mount, which is rw, doesn't help because then you get a permission denied.

Is there a way to tell a docker service not to protect /proc/sys without using --privileged (which isn't supported)?

Alternatively, are there any current plans to add --privileged support to docker service create? moby/swarmkit#1722 was closed for #32801, but that seems to be dead.
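The read-only /proc/sys mount the issue describes is visible in the container's own mount table, and checking it there is the quickest way to tell whether a sysctl write will fail before adding capabilities. The following is an added example written for this page (not code from the issue author or from the docker-ingress-routing-daemon project): it parses a constructed sample of /proc/self/mounts as seen from a default, non-privileged container and reports whether /proc/sys is mounted rw, ro, or not at all. The mount sample, the function names mount_opts, proc_sys_writable and live_check are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the issue): inspect the mount table to see whether
# /proc/sys is mounted read-only. That ro mount, not a missing capability, is
# what makes sysctl writes fail in a non-privileged container.

# Constructed sample of /proc/self/mounts from inside a default Docker
# container (columns: fsspec mountpoint vfstype opts freq passno). The
# ro bind mount over /proc/sys is the relevant line.
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/X 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
tmpfs /proc/kcore tmpfs rw,nosuid,size=65536k,mode=755 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0'

# mount_opts <mounts-text> <mountpoint>
# Print the option string of the innermost (last listed) mount on
# <mountpoint>, or nothing if that path is not a mountpoint.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { opts = $4 }
        END { if (opts != "") print opts }'
}

# proc_sys_writable <mounts-text>
# Exit 0 if /proc/sys is a rw mount, 1 if it is ro (Docker's default
# hardening), 2 if nothing is mounted on /proc/sys at all (in that case
# the parent /proc mount's options apply instead).
proc_sys_writable() {
    opts=$(mount_opts "$1" /proc/sys)
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 1 ;;
        *)      return 0 ;;
    esac
}

# live_check: run the same test against the mount namespace this shell
# is in (e.g. via `docker exec` or `nsenter`). Prints a one-line verdict.
live_check() {
    rc=0
    proc_sys_writable "$(cat /proc/self/mounts)" || rc=$?
    case $rc in
        0) echo "/proc/sys is rw: sysctl writes are possible" ;;
        1) echo "/proc/sys is ro: sysctl writes will fail with EROFS" ;;
        *) echo "/proc/sys is not a separate mount; check the /proc mount" ;;
    esac
    return $rc
}
```

Running live_check inside a container with only cap_adds applied shows the ro mount that the issue refers to; the same check inside a container started with --privileged shows rw, which is why the two behave differently for sysctl even when the capability set is identical.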