rocker-org / rocker

R configurations for Docker
https://rocker-project.org
GNU General Public License v2.0

docker networking #439

Closed alanpaulkwan closed 3 years ago

alanpaulkwan commented 3 years ago

Suppose I am a bit security paranoid but resource constrained, and would like to host a docker on a machine and wall off specific ports from the container.

Is there a way to do this? I tried entering as root, and as configured the docker rejects my attempts to configure iptables, complaining "getsockopt failed strangely: Operation not permitted".

eddelbuettel commented 3 years ago

Wouldn't you do that on the outside of the container on the machine hosting it?

alanpaulkwan commented 3 years ago

Yes, I'm looking into that too but Docker is quite awkward about this (still fluidly changing best practices, which differ across Linux/Windows hosts, potential interference with host's IP tables).

If it's way too hard, I understand. Just thought I'd ask. Love the project and thanks for rocker!

eddelbuettel commented 3 years ago

It is not that it is "hard" (it may well be: networking is complex) but it is that it really is orthogonal to what we do. In the standard Unix sense we give you a tool (or, really, a 'piece of content' for the existing docker tool) and you need to look out for your deployment.

If you find a set of good tutorials out there maybe we can add them to the wiki but it is otherwise ... a little at the edge of what we do here: worrying mostly about 'that content'.

alanpaulkwan commented 3 years ago

This turned out to be easy. Just run the docker in privileged mode and iptables works fine.

What I want is achieved by imposing restrictions on outgoing connections.

eddelbuettel commented 3 years ago

I once knew that too :) Sorry for not suggesting it earlier.
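A least-privilege version of the in-container iptables approach settled on above, written as an added example (not the rocker project's code): it generates a default-deny egress rule set in iptables-restore format and starts the container with only CAP_NET_ADMIN, the capability iptables needs (and whose absence produces the "Operation not permitted" error quoted earlier), instead of --privileged. Assumed: iptables is installed in the image, the container process runs as root, and the image name, resolver address and port list are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of rocker. Builds a default-deny egress rule set for
# use inside a container and prints the docker run line that grants only
# CAP_NET_ADMIN (what iptables needs) rather than --privileged.

# Constructed sample values; adjust to the deployment.
ALLOWED_TCP_PORTS="443 22"     # outbound services the container may reach
DNS_SERVER="127.0.0.11"        # Docker's embedded resolver on user-defined networks
IMAGE="rocker/r-base"          # assumed image; it must have iptables installed

# egress_rules PORTS DNS: print rules in iptables-restore format
egress_rules() {
    ports="$1"
    dns="$2"
    printf '%s\n' '*filter'
    printf '%s\n' ':OUTPUT DROP [0:0]'           # default deny for new outbound flows
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'    # loopback stays open
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # name resolution, but only to the configured resolver
    printf '%s\n' "-A OUTPUT -p udp -d $dns --dport 53 -j ACCEPT"
    for p in $ports; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # rate-limited log of anything about to be dropped: the line to alert on
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-denied: "'
    printf '%s\n' 'COMMIT'
}

# run_cmd IMAGE: print the docker run line; iptables inside the container needs
# root plus CAP_NET_ADMIN, nothing else that --privileged would add
run_cmd() {
    printf 'docker run --rm -it --cap-add=NET_ADMIN %s\n' "$1"
}

# count_accepts PORTS: number of ACCEPT rules generated (sanity check)
count_accepts() {
    egress_rules "$1" "$DNS_SERVER" | grep -c -- '-j ACCEPT'
}

# Inside the container (as root): egress_rules "$ALLOWED_TCP_PORTS" "$DNS_SERVER" | iptables-restore
if [ "${1:-}" = "--print" ]; then
    run_cmd "$IMAGE"
    egress_rules "$ALLOWED_TCP_PORTS" "$DNS_SERVER"
fi
```

Running the script with --print shows both the docker run line and the rule set; denied attempts appear in the kernel log with the "egress-denied:" prefix, which is the hook for monitoring.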