Closed. alanpaulkwan closed 3 years ago.
Suppose I am a bit security paranoid but resource constrained, and would like to host a docker on a machine and wall off specific ports from the container.
Is there a way to do this? I tried entering as root and as configured the docker rejects my attempts to configure iptables, complaining "getsockopt failed strangely: Operation not permitted".
Wouldn't you do that on the outside of the container on the machine hosting it?
Yes, I'm looking into that too but Docker is quite awkward about this (still fluidly changing best practices, which differ across Linux/Windows hosts, potential interference with host's IP tables).
If it's way too hard, I understand. Just thought I'd ask. Love the project and thanks for rocker!
It is not that it is "hard" (it may well be: networking is complex) but it is that it really is orthogonal to what we do. In the standard Unix sense we give you a tool (or, really, a 'piece of content' for the existing docker tool) and you need to look out for your deployment.
If you find a set of good tutorials out there maybe we can add them to the wiki but it is otherwise ... a little at the edge of what we do here: worrying mostly about 'that content'.
This turned out to be easy. Just run the docker in privileged mode and iptables works fine.
What I want is achieved by imposing restrictions on outgoing connections.
I once knew that too :) Sorry for not suggesting it earlier.
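The thread settles on restricting the container's outgoing connections. The script below is an added example, not code from the rocker project or from anyone in the thread. It takes the host-side route the maintainer suggested: Docker evaluates the DOCKER-USER chain ahead of its own FORWARD rules, so rules placed there survive daemon restarts and need no extra privileges inside the container. The subnet 172.17.0.0/16 (Docker's default bridge) and the allowed ports are assumptions; check `docker network inspect bridge` for your actual subnet. If the rules must live inside the container instead, iptables needs CAP_NET_ADMIN, which `--cap-add=NET_ADMIN` grants without the rest of `--privileged`; the "getsockopt failed strangely: Operation not permitted" error is what iptables reports when that capability is missing.

```shell
#!/bin/sh
# Added example (not rocker's code): restrict a container network's outbound
# connections from the host via the DOCKER-USER chain.
# Assumptions: Linux host with iptables, container subnet 172.17.0.0/16 (the
# default bridge; verify with `docker network inspect bridge`), and that
# apply_egress_rules is run as root.
set -u

# Print the iptables commands that allow only DNS plus the listed TCP destination
# ports for NEW connections originating in SUBNET, and drop everything else.
# Nothing is executed here, so the output can be reviewed before applying.
egress_rules() {
  subnet=$1; shift
  # Start from a clean chain; Docker itself only ever adds a trailing RETURN to it.
  echo "iptables -F DOCKER-USER"
  # Traffic that does not originate in the container network is left alone.
  echo "iptables -A DOCKER-USER ! -s $subnet -j RETURN"
  # Replies on flows already permitted (and on inbound connections to published ports).
  echo "iptables -A DOCKER-USER -s $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
  # Name resolution, which almost anything we allow will need.
  echo "iptables -A DOCKER-USER -s $subnet -p udp --dport 53 -j RETURN"
  echo "iptables -A DOCKER-USER -s $subnet -p tcp --dport 53 -j RETURN"
  # Explicitly allowed TCP destination ports.
  for port in "$@"; do
    echo "iptables -A DOCKER-USER -s $subnet -p tcp --dport $port -j RETURN"
  done
  # Everything else leaving the container network is dropped ...
  echo "iptables -A DOCKER-USER -s $subnet -j DROP"
  # ... and the chain hands back to Docker's own rules for what we let through.
  echo "iptables -A DOCKER-USER -j RETURN"
}

# Number of rules the set appends (excluding the flush). After applying, compare
# against `iptables -S DOCKER-USER | grep -c -- '-A DOCKER-USER'`.
egress_rule_count() {
  egress_rules "$@" | grep -c -- '-A DOCKER-USER'
}

# Execute the generated commands on the host. Refuses to run unprivileged.
apply_egress_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_egress_rules: must run as root" >&2
    return 1
  fi
  egress_rules "$@" | sh -e
}

# Dry run: show the rule set that lets the default bridge reach only HTTPS and SSH.
# Install it with `apply_egress_rules 172.17.0.0/16 443 22` as root.
egress_rules 172.17.0.0/16 443 22
```

The DROP sits before the final RETURN on purpose: DOCKER-USER ends in a RETURN by default, so appending a DROP after it would never be reached, which is why the script flushes the chain and rebuilds it in order. Test from inside the container with something like `curl -m 5 https://example.org` (should succeed) and `curl -m 5 http://example.org` (should time out) once the rules are in place.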