Actions and privileges


Daniel Finneran

Feb 9, 2021, 6:47:52 AM
to Tinkerbell Contributors
At the moment we start all actions as docker containers with --privileged; this effectively gives them all CAPs (from a Linux perspective). One thing that we don't use are additional levels of functionality around namespaces.

So two things to consider:

Pid Namespace
(This is needed for kexec.) This would allow an action to run amongst all other PIDs of the host.

Net Namespace
At the moment we leave docker to create veths and bridges and do NATing and all the other docker network goodness. If we use the net namespace host, we would simply use the existing network stack and wouldn't require docker to create all the additional overhead.

I look forward to hearing other people's thoughts.

-Dan
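An added example, not part of the original post or the Tinkerbell code base: a Python check over `docker inspect` output that reports which of the settings discussed in the post (privileged mode, host PID namespace, host network namespace) each action container runs with. The container names and the sample JSON are constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker inspect` output (HostConfig only).
# Container names are hypothetical.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/action-current",
   "HostConfig": {"Privileged": true, "PidMode": "",
                  "NetworkMode": "default", "CapAdd": null}},
  {"Name": "/action-kexec",
   "HostConfig": {"Privileged": true, "PidMode": "host",
                  "NetworkMode": "host", "CapAdd": null}},
  {"Name": "/action-scoped",
   "HostConfig": {"Privileged": false, "PidMode": "",
                  "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"]}}
]
""")


def isolation_report(container):
    """Return the host-isolation boundaries this container gives up."""
    hc = container.get("HostConfig", {})
    dropped = []
    if hc.get("Privileged"):
        # Privileged mode grants every capability, as the post notes.
        dropped.append("privileged")
    if hc.get("PidMode") == "host":
        # The container sees and can signal host processes.
        dropped.append("pid=host")
    if hc.get("NetworkMode") == "host":
        # No veth/bridge/NAT: the container uses the host network stack.
        dropped.append("net=host")
    for cap in hc.get("CapAdd") or []:  # CapAdd is null when unset
        dropped.append("cap_add=" + cap)
    return dropped


def audit(inspect_output):
    """Map container name -> list of dropped isolation boundaries."""
    return {c["Name"].lstrip("/"): isolation_report(c) for c in inspect_output}


if __name__ == "__main__":
    for name, dropped in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(dropped) or 'default isolation'}")
```

On a real host the same functions accept the parsed output of `docker inspect <container>`.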