scheduler: make the container run in same networking space to prevent further churn

idea comes from https://github.com/moby/moby/pull/9402#issuecomment-67259655
and https://github.com/moby/moby/pull/9402#issuecomment-67224239

see also:
https://github.com/moby/moby/issues/9098
https://github.com/moby/moby/pull/9167
https://github.com/moby/moby/issues/12899#issuecomment-97816048 (exec mem leak)
https://github.com/moby/moby/pull/38704

part of #732

src/docker.js

@@ -17,7 +17,6 @@ exports = module.exports = {
     stopContainerByName: stopContainer,
     stopContainers: stopContainers,
     deleteContainer: deleteContainer,
-    deleteContainerByName: deleteContainer,
     deleteImage: deleteImage,
     deleteContainers: deleteContainers,
     createSubcontainer: createSubcontainer,
@@ -200,12 +199,11 @@ function createSubcontainer(app, name, cmd, options, callback) {
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    let isAppContainer = !cmd; // non app-containers are like scheduler and exec (terminal) containers
+    let isAppContainer = !cmd; // non app-containers are like scheduler
 
     var manifest = app.manifest;
     var exposedPorts = {}, dockerPortBindings = { };
     var domain = app.fqdn;
-    const hostname = isAppContainer ? app.id : name;
 
     const envPrefix = manifest.manifestVersion <= 1 ? '' : 'CLOUDRON_';
 
@@ -257,15 +255,9 @@ function createSubcontainer(app, name, cmd, options, callback) {
     addons.getEnvironment(app, function (error, addonEnv) {
         if (error) return callback(error);
 
-        // do no set hostname of containers to location as it might conflict with addons names. for example, an app installed in mail
-        // location may not reach mail container anymore by DNS. We cannot set hostname to fqdn either as that sets up the dns
-        // name to look up the internal docker ip. this makes curl from within container fail
-        // Note that Hostname has no effect on DNS. We have to use the --net-alias for dns.
-        // Hostname cannot be set with container NetworkMode
-        var containerOptions = {
+        let containerOptions = {
             name: name, // for referencing containers
             Tty: isAppContainer,
-            Hostname: hostname,
             Image: app.manifest.dockerImage,
             Cmd: (isAppContainer && app.debugMode && app.debugMode.cmd) ? app.debugMode.cmd : cmd,
             Env: stdEnv.concat(addonEnv).concat(portEnv).concat(appEnv),
@@ -302,22 +294,35 @@ function createSubcontainer(app, name, cmd, options, callback) {
                 },
                 CpuShares: app.cpuShares,
                 VolumesFrom: isAppContainer ? null : [ app.containerId + ':rw' ],
-                NetworkMode: 'cloudron', // user defined bridge network
-                Dns: ['172.18.0.1'], // use internal dns
-                DnsSearch: ['.'], // use internal dns
                 SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
                 CapAdd: [],
                 CapDrop: []
-            },
-            NetworkingConfig: {
-                EndpointsConfig: {
-                    cloudron: {
-                        Aliases: [ name ] // this allows sub-containers reach app containers by name
-                    }
-                }
             }
         };
 
+        // do no set hostname of containers to location as it might conflict with addons names. for example, an app installed in mail
+        // location may not reach mail container anymore by DNS. We cannot set hostname to fqdn either as that sets up the dns
+        // name to look up the internal docker ip. this makes curl from within container fail
+        // Note that Hostname has no effect on DNS. We have to use the --net-alias for dns.
+        // Hostname cannot be set with container NetworkMode. Subcontainers run is the network space of the app container
+        // This is done to prevent lots of up/down events and iptables locking
+        if (isAppContainer) {
+            containerOptions.Hostname = app.id;
+            containerOptions.HostConfig.NetworkMode = 'cloudron'; // user defined bridge network
+            containerOptions.HostConfig.Dns = ['172.18.0.1']; // use internal dns
+            containerOptions.HostConfig.DnsSearch = ['.']; // use internal dns
+
+            containerOptions.NetworkingConfig = {
+                EndpointsConfig: {
+                    cloudron: {
+                        Aliases: [ name ] // adds hostname entry with container name
+                    }
+                }
+            };
+        } else {
+            containerOptions.HostConfig.NetworkMode = `container:${app.containerId}`;
+        }
+
         var capabilities = manifest.capabilities || [];
 
         // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
@@ -402,7 +407,7 @@ function stopContainer(containerId, callback) {
     });
 }
 
-function deleteContainer(containerId, callback) {
+function deleteContainer(containerId, callback) { // id can also be name
     assert(!containerId || typeof containerId === 'string');
     assert.strictEqual(typeof callback, 'function');