I want to allow a Docker container to invoke some actions on another container without granting it full privileges. An example would be a Docker container which does log rotation and reloads the services afterwards, or a control server which should be allowed to modify a certain nginx configuration file (that works with file permissions) and reload the server then.
If the control server would not run in a container, I could create a script which executes docker exec nginx_container nginx -s reload, and allow a non-privileged user to run it by creating an entry in the /etc/sudoers file.
I could of course pass the docker socket to the container, but this would give it full control over every container (and even the host as we know).
So how do I grant one container to docker exec only some predefined commands on a particular container?
I'm using Docker 1.11 on a Ubuntu 16.04 host.
