Imagine a scenario in which you have a stinky module deep in your dependency graph: a dependency that wants to do something evil – malware. "But I'm isolating everything in a Docker container at runtime!", you might say. Indeed, that helps when the evil module tries to mess with your filesystem or other host-related aspects. But what if the module wants to phone home?

I thought about that problem today and want to share my approach with you. Before I headed straight into tinkering, I created the following acceptance criteria:

- The container should accept in- and outbound traffic from and to a known network.
- The container should block in- and outbound traffic from and to all other networks.
- The application within the container should run as a non-privileged user.

"A privileged user is necessary for restricting network traffic." was my first thought, which conflicts with the third acceptance criterion. Meh!

After implementing some test probes, I settled on the following solution:

- Provisioning of a base image which ships with a non-privileged user and an ENTRYPOINT script.
- The ENTRYPOINT script gets executed when the container starts, defines the iptables rules and starts the given application as the configured non-privileged user afterwards.

Let's have a look at the actual solution.

Neither of us is a native English speaker. But I want to state that your idea is wrong. First, do the iptables change on the host. You don't have to do it inside the container.
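The ENTRYPOINT approach the post describes (default-deny iptables policy, one known network allowed in both directions, then hand-off to a non-privileged user), written out as an added example that is not the author's own script. It assumes KNOWN_NET (a CIDR) and APP_USER are set in the image, gosu is installed, and the container is started with --cap-add=NET_ADMIN.

```shell
#!/bin/sh
# Added example (not the author's script). ENTRYPOINT that allows traffic only
# to/from one known network, then drops root before exec'ing the application.
# Assumptions: KNOWN_NET (CIDR) and APP_USER are set in the image, gosu is
# installed, and the container is started with --cap-add=NET_ADMIN.
set -eu

# Emit the iptables commands for one known network, one per line. Kept as a
# pure function so the rule set can be reviewed without root or iptables.
build_rules() {
  net="$1"
  # Only digits, dots and a slash are accepted: the value comes from the
  # environment and is later word-split into a command line.
  case "$net" in
    ""|*[!0-9./]*) echo "build_rules: bad CIDR '$net'" >&2; return 1 ;;
  esac
  cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d $net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules build_rules produces; a cheap sanity check.
rule_count() { build_rules "$1" | wc -l | tr -d ' '; }

# Apply the rules while still root. Default DROP policies come first, so any
# network (DNS included) outside KNOWN_NET is unreachable afterwards.
apply_rules() {
  rules=$(build_rules "$1")  # under set -e a bad CIDR aborts before any rule is applied
  printf '%s\n' "$rules" | while IFS= read -r cmd; do
    $cmd
  done
}

# Only act when installed and invoked as /entrypoint.sh; sourcing the file
# elsewhere just defines the functions.
case "${0##*/}" in
  entrypoint.sh)
    apply_rules "$KNOWN_NET"
    # Hand off to the real command as the non-privileged user.
    exec gosu "$APP_USER" "$@"
    ;;
esac
```

Because the rules are applied before the privilege drop, the application user ordinarily cannot undo them: NET_ADMIN stays in the container's bounding set, but a non-root process started by gosu has no effective capabilities.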