Restrict internet access to docker container?
What is the best way to restrict internet access to a single docker container while still forwarding ports?

My current way of doing this works like this:

```shell
sudo docker network create --internal --subnet 10.1.1.0/24 no-internet
sudo docker run --name gitlab -d -p 80:80 -p 822:22 --restart always gitlab/gitlab-ce
sudo docker network connect no-internet gitlab
sudo docker network disconnect bridge gitlab
```
The problem is that if I restart the system the ports are not forwarded anymore:

`sudo docker ps` before reboot:

```
CONTAINER ID   IMAGE              COMMAND             CREATED          STATUS                             PORTS                                              NAMES
2d2a062744ec   gitlab/gitlab-ce   "/assets/wrapper"   13 seconds ago   Up 13 seconds (health: starting)   0.0.0.0:80->80/tcp, 443/tcp, 0.0.0.0:822->22/tcp   gitlab
```

`sudo docker ps` after reboot:

```
CONTAINER ID   IMAGE              COMMAND             CREATED          STATUS                   PORTS   NAMES
2d2a062744ec   gitlab/gitlab-ce   "/assets/wrapper"   12 minutes ago   Up 2 minutes (healthy)           gitlab
```
So if I understand your scenario correctly, you would like to avoid sharing your host's network to your gitlab container to make sure gitlab cannot connect to the internet. At the same time you wish to share the host's network to bind a container port to your host system.

It doesn't work that way, but the following might be an acceptable workaround for you: docker containers sharing the same internal network can connect to exposed/published ports of other containers on the same network.
You could follow this approach. I quickly put this example together, hope that gets you started:

```shell
docker network create --internal --subnet 10.1.1.0/24 no-internet
docker network create internet
```

docker-compose.yml:
```yaml
version: '2'
services:
  whoami:
    image: jwilder/whoami
    container_name: whoami
    networks:
      - no-internet
  proxy:
    image: nginx:1.13-alpine
    container_name: proxy
    networks:
      - internet
      - no-internet
    volumes:
      - ./vhost.conf:/etc/nginx/conf.d/default.conf
    ports:
      - "80:80"
networks:
  internet:
    external:
      name: internet
  no-internet:
    external:
      name: no-internet
```
vhost.conf:

```nginx
upstream whoami {
    server whoami:8000;
}

server {
    server_name localhost;
    listen 80;

    location / {
        proxy_pass http://whoami;
    }
}
```
Please note the above-mentioned `internet` network is actually not needed, as a docker container shares the host network by default anyway. It's just there to make things clearer.

In the example depicted above, open http://localhost/ and you will see the response of the `whoami` container; the `whoami` container itself however can't connect to the internet.
You can also use `internal: true` to disable internet connectivity:

```yaml
networks:
  yournetwork:
    internal: true
```
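As an added example, not part of the answer above: a small Python audit over the JSON that `docker network inspect` and `docker inspect` emit, flagging the two things this thread turns on, whether a container still has a route out (attached to any non-internal network) and the question's failure mode of publishing ports from a container that sits only on internal networks. The inspect output below is a constructed sample mirroring the compose setup plus the question's gitlab container; the field names follow docker's real inspect format.

```python
import json

# Constructed sample (not real `docker inspect` output): the two networks from the
# answer, the whoami/proxy pair from the compose file, and the question's gitlab
# container that was moved onto no-internet while still trying to publish ports.
NETWORKS_JSON = """[
  {"Name": "no-internet", "Internal": true},
  {"Name": "internet",    "Internal": false}
]"""

CONTAINERS_JSON = """[
  {"Name": "/whoami",
   "HostConfig": {"PortBindings": {}},
   "NetworkSettings": {"Networks": {"no-internet": {"IPAddress": "10.1.1.2"}}}},
  {"Name": "/proxy",
   "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]}},
   "NetworkSettings": {"Networks": {"internet": {"IPAddress": "172.18.0.2"},
                                    "no-internet": {"IPAddress": "10.1.1.3"}}}},
  {"Name": "/gitlab",
   "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}],
                                   "22/tcp": [{"HostIp": "0.0.0.0", "HostPort": "822"}]}},
   "NetworkSettings": {"Networks": {"no-internet": {"IPAddress": "10.1.1.4"}}}}
]"""


def audit(networks_json, containers_json):
    """Map container name -> {egress, published, unreachable_publish}.

    egress: attached to at least one non-internal network, so it can reach the internet.
    unreachable_publish: ports are published but every attached network is internal,
    which is the question's failure mode (docker sets up no host port forwarding).
    """
    internal = {n["Name"]: bool(n.get("Internal")) for n in json.loads(networks_json)}
    report = {}
    for c in json.loads(containers_json):
        name = c["Name"].lstrip("/")
        attached = list(c["NetworkSettings"]["Networks"])
        # A network we have no record of is assumed to allow egress: the conservative
        # choice for an isolation audit, since it flags rather than hides a possible leak.
        has_egress = any(not internal.get(n, False) for n in attached)
        bindings = c["HostConfig"].get("PortBindings") or {}
        published = sorted(port for port, hosts in bindings.items() if hosts)
        report[name] = {
            "egress": has_egress,
            "published": published,
            "unreachable_publish": bool(published) and not has_egress,
        }
    return report


if __name__ == "__main__":
    for name, r in audit(NETWORKS_JSON, CONTAINERS_JSON).items():
        print(f"{name:8} egress={r['egress']!s:5} published={r['published']} "
              f"unreachable_publish={r['unreachable_publish']}")
```

Against a live host, feed it `docker network inspect $(docker network ls -q)` and `docker inspect $(docker ps -q)` instead of the embedded samples.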