Is it possible to share memory between docker containers?

Asked 27/5, 2014 at 12:14 Answered 5/11, 2020 at 11:6

I work on an application with different processes and I'm asked to contain those processes for achieving more isolation.

The problem is that the processes share memory with a single "hypervisor" process in order to exchange data (they use classic shared buffers). This solution was implemented for performance requirement and because it is running in user-space, so there aren't content switching between user-space and kernel-space.

If I'm not wrong is not possible to run more than one docker container inside a single IPC namespace, but I don't know if it is possible that a single docker container belongs to different IPC namespaces, this could solve my problem.

Other solutions are welcome, just keep in mind that performance is a requirement, thanks in advance.

Nieman answered 27/5, 2014 at 12:14 Comment(0)

The --ipc=host and --ipc=container:id options have since been added to the Docker create and run commands to share IPC resources.

--ipc=""  : Set the IPC mode for the container,
             'container:<name|id>': reuses another container's IPC namespace
             'host': use the host's IPC namespace inside the container

IPC with the host

docker run --ipc=host <image>

IPC with another container

docker run --ipc=container:<id> <image>

IPC with another container may need the shareable option set on the initial container (if dockerd defaults IPC to private)

docker run --ipc=shareable <image>

Langbehn answered 9/6, 2016 at 4:5 Comment(0)

Technically, you can share the same IPC namespace between containers, but Docker doesn't support that (yet).

If you can use mmap() instead of IPC, then you could share a volume between both containers, and map a file on that volume; it will be the same file, and therefore be shared correctly.

If you really need to share the IPC namespace (because you can't change the existing code), then it's time to write some Go code and contribute it to Docker :-)

The easiest path would probably be to add a flag to the libcontainer binding, so that you can start a container reusing the IPC namespace of the host (or of another container). Check the implementation of the --net flag, since it achieves exactly that, but for the network namespace.

Wolfenbarger answered 27/5, 2014 at 16:57 Comment(4)

(I don't know if this is a real concern, but using tmpfs for the shared volume would reduce the chance that anything would be unnecessarily flushed to disk.) – Exalt 27/5, 2014 at 17:15

It is great info. But how can I validate if under covers it is doing that. I mean not flusing to disk. Any idea? – Clone 29/12, 2016 at 18:42

As far as I understand mmap() this would not be possible in this situation. To use mmap() for IPC you have to set the MAP_SHARED flag. But this flag only count for processes forked out of the main process. – Latini 24/8, 2022 at 15:9

MAP_SHARED works across unrelated processes as long as you map a file 🙂 – Wolfenbarger 25/8, 2022 at 17:34

As suggested by @jpetazzo I looked ad the source of Docker and also with the help of devs guys on #docker-dev I successfully recompiled Docker in order to drop the IPC namespace.

To achieve this, it is necessary to comment the line "NEWIPC": true, in the file default_template.go located in the folder docker/daemon/execdriver/native/template of the Docker source code.

The old code now works perfectly.

Nieman answered 2/10, 2014 at 13:32 Comment(0)

Here how it is work:

start container with shareable ipc

docker run -it --rm --ipc="shareable" --name cont1 ubuntu

then start next container and share with its ipc

docker run -it --rm --name cont2 --ipc container:cont1 ubuntu

Dumbbell answered 5/11, 2020 at 11:6 Comment(0)

Recommended topics

Hot tags