PhysarumSM / service-manager

LCA and Proxy
Apache License 2.0

Enable Relay Through Local LCA #52

Open t-lin opened 4 years ago

t-lin commented 4 years ago

Currently, our containers share the same root network namespace as the underlying host, which presents obvious security risks. This is to enable proxies in different hosts to be able to dial each other.

To make the system more secure against malicious or compromised services, the containers should be within their own private namespaces. By default, Docker containers are bridged in the same LAN as other containers within the same host, so those containers are okay with dialing each other directly. Services and proxies on separate hosts will not be able to dial.

We should use the local LCA as a fallback P2P relay. Relaying is an enabled feature by default (see: https://godoc.org/github.com/libp2p/go-libp2p#EnableRelay), but auto-relay discovery has been disabled (see: https://github.com/libp2p/go-libp2p-circuit/commit/1b975c0c693c36a445316e0d21d964f852471f5e), and peers must manually specify they want to dial through a specific relay. Using the local LCA is an obvious choice.
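
The fallback proposed in this issue, shown as an added Go example (not code from the service-manager repository): try direct addresses first, then dial through an explicitly named relay using the libp2p `/p2p-circuit` address form. `DialFunc` is a hypothetical stand-in for a libp2p connect call, and the peer IDs and addresses are constructed placeholders.

```go
package main

import (
	"context"
	"fmt"
	"strings"
	"time"
)

// DialFunc stands in for a libp2p connect call (hypothetical, not the project's API).
type DialFunc func(ctx context.Context, addr string) error

// CircuitAddr builds the explicit address needed when relay discovery is off:
// <relay addr>/p2p/<relay ID>/p2p-circuit/p2p/<target ID>.
func CircuitAddr(relayAddr, relayID, targetID string) (string, error) {
	if !strings.HasPrefix(relayAddr, "/") || relayID == "" || targetID == "" || relayID == targetID {
		return "", fmt.Errorf("invalid relay %q/%q or target %q", relayAddr, relayID, targetID)
	}
	return strings.TrimSuffix(relayAddr, "/") + "/p2p/" + relayID + "/p2p-circuit/p2p/" + targetID, nil
}

// DialWithFallback tries direct addresses first, then relays through the local LCA.
func DialWithFallback(ctx context.Context, dial DialFunc, direct []string, lcaAddr, lcaID, targetID string, perTry time.Duration) (string, error) {
	try := func(addr string) error {
		c, cancel := context.WithTimeout(ctx, perTry)
		defer cancel()
		return dial(c, addr)
	}
	for _, a := range direct {
		if try(a) == nil {
			return a, nil // direct path works (e.g. same Docker bridge)
		}
	}
	relayed, err := CircuitAddr(lcaAddr, lcaID, targetID)
	if err != nil {
		return "", err
	}
	if err := try(relayed); err != nil {
		return "", fmt.Errorf("direct and relayed dial failed: %w", err)
	}
	return relayed, nil
}

func main() {
	// Constructed run: no direct addresses known, dialer always succeeds, so the relayed address prints.
	ok := func(context.Context, string) error { return nil }
	fmt.Println(DialWithFallback(context.Background(), ok, nil,
		"/ip4/172.17.0.1/tcp/4001", "QmLCA", "QmTARGET", time.Second))
}
```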