Allow IPC namespace to be shared between containers or with the host

[crosbymichael]

Replaces #8211

Some workloads rely on IPC for communications with other processes. We
would like to split workloads between two container but still allow them
to communicate though shared IPC.

This patch mimics the --net code to allow --ipc=host to not split off
the IPC Namespace. ipc=container:CONTAINERID to share ipc between containers

If you share IPC between containers, then you need to make sure SELinux labels
match.

Docker-DCO-1.1-Signed-off-by: Dan Walsh dwalsh@redhat.com (github: rhatdan)
Signed-off-by: Michael Crosby crosbymichael@gmail.com

[jessfraz]

"create a"

[jessfraz]

LGTM

[sirupsen]

Do I get the same output if I create a 4th container that uses the container id of the 3rd?

[sirupsen]

In general, the container:<id> syntax feels strange when you have more than one container joining a namespace. A use-case we have for this, is that we use IPC semaphores for accessing external resources (for control in latent conditions)—in that case, we'd share this between every container running web workers on the system. Orchestrating this sharing during deployments (and replacing containers) seems non-trivial with this model. Although I don't have a better idea right now.

[rhatdan]

Yes all namespaces should be shared.

We could add a --ipc ipcns:/proc/PID/ns/ipc

Which seems like a logical addition. I love the idea of this for netns.

[rhatdan]

@crosbymichael Do you want me to take this back to make the changes?

[SvenDowideit]

does this mean there's a default of "", where the container can only talk to itself?

if so, please mention it - personally, I'd rather it be default ==none, empty strings are always such a pain.

[rhatdan]

Yes it means that it will be the default which has a private IPC Namespace.

[SvenDowideit]

mmm, cli.md should have a mirror of what is in the man page, and run.md should really be the one that provides more details - so most of the examples should go there.