idea: support for network bridge mode via pledge

[shoenig]

Currently the pledge plugin really only works with network.mode = "host". Ideally we could make it work with network.mode = "bridge" as well. It's a bit complicated though due to how entering a network namespace works. In the other drivers (like exec, raw_exec, etc.) the driver launches a supervisor child process that watches over the actual user's Task process. When using bridge networking, that supervisor process takes on the responsibility of using unshare() to enter the allocation's network namespace. It is not possible to exec a process and have it directly use a given pre-existing namespace.

The pledge driver is designed to not need that intermediate supervisor process. The plugin spawns Task child processes and manages them directly, taking advantage of Linux features to reattach to orphan processes after a Nomad client / driver plugin restart. The problem is then we do not have an entrypoint for entering a namespace.

Except ... perhaps we could modify the pledge.com binary itself to support entering a [network] namespace. Doing so arguably fits in the purpose of the tool. Something like,

pledge.com -z "net:/var/run/netns/<name>"

If that feature exists, the plugin then simply instructs the pledge.com binary to enter the namespace created and managed by the Nomad client when the allocation is set to use network.mode = "bridge".

[jart]

It sounds cool, but I honestly don't know what any of this is and likely wouldn't have any personal need for it. I'd encourage you to take the project and contribute something like this if you do!