阻止来自 Docker 容器的 Internet 访问
[英]Block Internet Access From Docker Container
问题描述
Is there a way to eliminate internet capability from inside a container?
有没有办法从容器内部消除互联网功能? I would like to configure Docker on Ubuntu where containers can only run on an internal network and only communicate with other containers on that network.我想在 Ubuntu 上配置 Docker,其中容器只能在内部网络上运行,并且只能与该网络上的其他容器通信。 By quickly playing around it seems that this may be difficult to do as a user can (1) create their own network that is configured to bridge with the host and become internet-facing.通过快速玩耍,这似乎很难做到,因为用户可以(1)创建自己的网络,该网络被配置为与主机桥接并面向互联网。 Or (2) just run off the default bridge network.或者(2)只运行默认的桥接网络。 From what I understand is that the Docker application is immune to any Unix type controls and Docker does not allow you to remove the pre-defined networks anyway.据我了解,Docker 应用程序不受任何 Unix 类型控件的影响,并且 Docker 无论如何都不允许您删除预定义的网络。 Is there a solution to this?有针对这个的解决方法吗? It seems dangerous to allow users to configure their own container networks.允许用户配置自己的容器网络似乎很危险。 Am I able to modify the default bridge network to be internal?我可以将默认桥接网络修改为内部网络吗? Am I able to restrict network creation?我可以限制网络创建吗?
1 个解决方案
解决方案1
1 2022-07-06 00:53:11
It seems dangerous to allow users to configure their own container networks.
You seem to have a fundamental misapprehension about Docker: it's not meant, out of the box, to be a multi-user tool.您似乎对 Docker 有一个基本的误解:它并不是开箱即用的多用户工具。 Having access to Docker is equivalent to having root access on a host.拥有对 Docker 的访问权限等同于在主机上拥有root访问权限。 If you want to provide some sort of multi-tenant container environment, you need to look at tools like Kubernetes that implement various access control mechanisms on top of some sort of container runtime.如果您想提供某种多租户容器环境,您需要查看诸如 Kubernetes 之类的工具,这些工具在某种容器运行时之上实现了各种访问控制机制。
Docker does have support for authorization plugins , so perhaps there is something you could implement using that feature. Docker 确实支持授权插件,所以也许你可以使用该功能实现一些东西。
Note that there are more secure alternatives: Podman has been providing rootless containers for a while, and even Docker now provides a rootless mode of operation .请注意,还有更安全的替代方案: Podman提供无根容器已经有一段时间了,甚至 Docker 现在也提供了无根操作模式。
These options eliminate the bulk of the security issues with Docker, but they have their own limitations (I haven't worked with rootless Docker, but I use Podman regularly and it's compatibility with docker-compose is only so-so).这些选项消除了 Docker 的大部分安全问题,但它们有其自身的局限性(我没有使用过无根 Docker,但我经常使用 Podman,它与 docker docker-compose的兼容性只是马马虎虎)。
Is there a way to eliminate internet capability from inside a container?
Sure, create a --internal network, and run your containers on that network:当然,创建一个--internal网络,并在该网络上运行您的容器:
$ docker network create --internal mynetwork
$ docker run -it --rm --network mynetwork docker.io/alpine:latest sh
You can't enforce use of this network, but you can certainly use it when deploying your own containers.您不能强制使用此网络,但您当然可以在部署自己的容器时使用它。
Also, as said in this Docker document docs.docker.com/network/bridge, that the default bridge network has its shortcomings and is not recommended for production use.
The documentation describes how you can create additional bridge networks (or other sorts of networks) using the docker network create command.该文档描述了如何使用docker network create命令创建额外的桥接网络(或其他类型的网络)。 These networks do not suffer many of the limitations of the default bridge network (for example, Docker maintains DNS service on these networks so containers can refer to each other by name).这些网络不受默认桥接网络的许多限制(例如,Docker 在这些网络上维护 DNS 服务,因此容器可以通过名称相互引用)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.