Reputation: 1
Is there a way to eliminate internet capability from inside a container? I would like to configure Docker on Ubuntu where containers can only run on an internal network and only communicate with other containers on that network. By quickly playing around it seems that this may be difficult to do as a user can (1) create their own network that is configured to bridge with the host and become internet-facing. Or (2) just run off the default bridge network. From what I understand is that the Docker application is immune to any Unix type controls and Docker does not allow you to remove the pre-defined networks anyway. Is there a solution to this? It seems dangerous to allow users to configure their own container networks. Am I able to modify the default bridge network to be internal? Am I able to restrict network creation?
Upvotes: 0
Views: 2314
Reputation: 312790
It seems dangerous to allow users to configure their own container networks.
You seem to have a fundamental misapprehension about Docker: it's not meant, out of the box, to be a multi-user tool. Having access to Docker is equivalent to having root
access on a host. If you want to provide some sort of multi-tenant container environment, you need to look at tools like Kubernetes that implement various access control mechanisms on top of some sort of container runtime.
Docker does have support for authorization plugins, so perhaps there is something you could implement using that feature.
Note that there are more secure alternatives: Podman has been providing rootless containers for a while, and even Docker now provides a rootless mode of operation.
These options eliminate the bulk of the security issues with Docker, but they have their own limitations (I haven't worked with rootless Docker, but I use Podman regularly and its compatibility with docker-compose is only so-so).
Is there a way to eliminate internet capability from inside a container?
Sure, create a --internal network, and run your containers on that network:
$ docker network create --internal mynetwork
$ docker run -it --rm --network mynetwork docker.io/alpine:latest sh
You can't enforce use of this network, but you can certainly use it when deploying your own containers.
Also, as said in this Docker document (docs.docker.com/network/bridge), the default bridge network has its shortcomings and is not recommended for production use. This makes sense, however they do not offer a solution outside of configuring your own
The documentation describes how you can create additional bridge networks (or other sorts of networks) using the docker network create command. These networks do not suffer many of the limitations of the default bridge network (for example, Docker maintains DNS service on these networks so containers can refer to each other by name).
Upvotes: 1
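Since use of an --internal network cannot be enforced, the practical fallback is to audit what is actually attached where. The following is an added example (not part of the answer above) that parses the JSON array printed by `docker network inspect $(docker network ls -q)` and lists every container attached to at least one non-internal network; the inspect output embedded below is constructed and trimmed to the fields the check uses.

```python
import json

# Constructed sample of `docker network inspect $(docker network ls -q)` output,
# reduced to the keys this check reads (real output carries many more fields).
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Internal": False,
     "Containers": {"abc123": {"Name": "web"}}},
    {"Name": "mynetwork", "Driver": "bridge", "Internal": True,
     "Containers": {"def456": {"Name": "db"}, "789abc": {"Name": "web"}}},
    {"Name": "host", "Driver": "host", "Internal": False, "Containers": {}},
])


def egress_capable_containers(inspect_json):
    """Return {container_name: [network_name, ...]} for every container that
    sits on at least one network created without --internal, i.e. one that
    still gets a route out through the host."""
    findings = {}
    for net in json.loads(inspect_json):
        if net.get("Internal"):
            continue  # --internal networks provide no external connectivity
        for endpoint in net.get("Containers", {}).values():
            findings.setdefault(endpoint["Name"], []).append(net["Name"])
    return findings


def main():
    # Read the real inspect output from stdin when run as a script:
    #   docker network inspect $(docker network ls -q) | python3 audit.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, nets in sorted(egress_capable_containers(data).items()):
        print(f"{name}: attached to non-internal network(s) {', '.join(nets)}")


if __name__ == "__main__":
    main()
```

In the constructed sample, `web` is flagged because it is on the default bridge as well as on `mynetwork`, while `db`, which is only on the internal network, is not.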