The premise of the Bait system is that all images are built inside a network sandbox with access only to the host, which can provide a controlled, on-demand proxy. The Docker builder, however, ignores that sandbox, so a build can silently pull dependencies from the internet or reach services it should not, especially when an unusual image is used as the base.
So it would still be great to have the same isolation for the Docker containers. You probably think the answer is easy; it is not, because Bait has to support Mac as well as Linux as the host system, and on Mac Docker runs everything inside a VM, so host-only networking is not easy to set up...
But there is a way I found recently while working on my VPN docker setup: we can use another, gateway container as the network for the target container. That gateway can be given the NET_ADMIN capability, which lets it set up simple iptables rules that allow only host.docker.internal to be reached. Since the target container shares the gateway's network namespace, those rules apply to it as well, while the target itself needs no extra capabilities. So here is the answer for both Mac & Linux systems.
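Here is the setup as a shell script. It is an added example and not Bait's own code: it assumes alpine as the gateway image (so iptables is installed with apk when the gateway starts), a gateway container named bait-gw, and a proxy listening on the host on port 8080 for the verification step. The host address is pinned with --add-host=host.docker.internal:host-gateway, which puts the entry into /etc/hosts on both Docker Desktop and a Linux engine, and a container joined with --network container:... shares that hosts file, so no platform-specific lookup is needed.

```shell
#!/bin/sh
# Added example (not Bait's code): a gateway container owns the network
# namespace and filters it with iptables; the target container joins that
# namespace and inherits the filter. Names and ports below are assumptions.
set -eu

GW_NAME="${GW_NAME:-bait-gw}"                # assumed gateway container name
GW_IMAGE="${GW_IMAGE:-alpine:3.19}"          # assumed base; iptables via apk
HOST_CHECK_PORT="${HOST_CHECK_PORT:-8080}"   # assumed: proxy port on the host

# iptables rules for the shared namespace. $1 is the host address (or a shell
# expression that expands to it). Policy DROP plus an explicit REJECT so a
# stray dependency fetch fails immediately instead of hanging until timeout.
gateway_rules() {
    host_ip="$1"
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d ${host_ip} -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
ip6tables -P OUTPUT DROP 2>/dev/null || true
EOF
}

# Reads an /etc/hosts file on stdin and prints the host.docker.internal entry.
# --add-host=host.docker.internal:host-gateway creates that entry on both
# Docker Desktop (Mac) and a Linux engine.
host_ip_from_hosts() {
    awk '$2 == "host.docker.internal" { print $1; exit }'
}

# Script executed inside the gateway: install iptables, find the host address,
# apply the rules, then keep the namespace alive.
gateway_script() {
    cat <<'EOF'
set -e
apk add --no-cache iptables >/dev/null
HOST_IP=$(awk '$2 == "host.docker.internal" { print $1; exit }' /etc/hosts)
[ -n "$HOST_IP" ] || { echo "host.docker.internal missing from /etc/hosts" >&2; exit 1; }
EOF
    gateway_rules '"$HOST_IP"'
    cat <<'EOF'
echo "sandbox gateway up, host=$HOST_IP"
exec tail -f /dev/null
EOF
}

start_gateway() {
    docker run -d --name "$GW_NAME" --cap-add NET_ADMIN \
        --add-host=host.docker.internal:host-gateway \
        "$GW_IMAGE" sh -c "$(gateway_script)"
}

# Run the target inside the gateway's namespace. All capabilities are dropped
# so the target cannot undo the rules; the hosts file is shared with the gateway.
run_in_sandbox() {
    docker run --rm --network "container:$GW_NAME" --cap-drop ALL "$@"
}

# The check worth running after start: host reachable, everything else rejected.
verify_sandbox() {
    run_in_sandbox alpine:3.19 sh -c "
        wget -qO- -T 3 http://host.docker.internal:$HOST_CHECK_PORT/ >/dev/null \
            && echo 'host: reachable' || echo 'host: BLOCKED (is the proxy up?)'
        wget -qO- -T 3 http://example.com/ >/dev/null \
            && echo 'internet: LEAK' || echo 'internet: blocked'"
}

case "${1:-}" in
    start)  start_gateway ;;
    verify) verify_sandbox ;;
    run)    shift; run_in_sandbox "$@" ;;
    stop)   docker rm -f "$GW_NAME" ;;
esac
```

Usage: `sh sandbox.sh start`, then `sh sandbox.sh verify`, then `sh sandbox.sh run <image> <cmd...>` for the actual work and `sh sandbox.sh stop` when done. Two caveats: a container joined with --network container:... cannot take its own -p, --hostname or --add-host flags, they belong to the gateway; and name resolution is a separate channel, because on a user-defined network Docker's embedded DNS at 127.0.0.11 is reached over loopback and is not touched by these rules, so a build can still resolve names it cannot connect to (add rules for port 53 if that matters).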