Block traffic to external ip without privileged mode #23854
To clarify, I don't want to block anything on the host where I understand the need for
It's not possible to manipulate iptables from within an unprivileged docker container. Containers share the same kernel as the host, you need root (or the relevant capabilities) to interact with the iptables settings. FWIW giving those capabilities to a container running untrusted code is a really bad idea. You're better off setting iptables rules from where they are meant to be set, the host.
will drop any traffic from any bridge interface named If you're creating a new bridge per container then you'll need to tweak the interface pattern. There is one major problem with this approach, which I'm currently checking to see if it's already been filed. I'll update this comment with a link once I either find it or create it.
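The host-side rules the comment above describes, as an added example that is not part of the thread or of Docker itself: a small POSIX shell script that generates (and optionally applies) iptables rules blocking every container on a Docker bridge from reaching the EC2 metadata address. Everything beyond the comment's advice is an assumption: the bridge names (docker0 and br-<id>, matched with iptables' `+` wildcard), the chain (FORWARD here; on Docker 17.06 and later the DOCKER-USER chain is the supported place, selectable via CHAIN), and the metadata address 169.254.169.254. The rule-generating function has no side effects so the rules can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example, not code from the issue or the Docker project.
# Assumptions: Docker bridges are docker0 or br-<id> ('+' is the iptables
# interface wildcard, so 'br-+' matches every user-defined bridge); container
# traffic to the metadata IP traverses the host's FORWARD chain (use
# CHAIN=DOCKER-USER on Docker 17.06+); must run as root on the host, since the
# container itself cannot change iptables.

METADATA_IP="${METADATA_IP:-169.254.169.254}"
CHAIN="${CHAIN:-FORWARD}"

# Print, one per line, the rules that stop each bridge interface pattern from
# reaching the metadata address. Pure (no side effects) so the output can be
# reviewed or tested before being applied.
#
# Both rules use -I (insert at top). The DROP rule is printed first so that
# the TCP REJECT rule, applied second, ends up above it: TCP clients then
# fail immediately with a reset instead of hanging until a DROP times out,
# while UDP/ICMP to the metadata IP is silently dropped.
metadata_block_rules() {
  for iface in "$@"; do
    printf 'iptables -I %s -i %s -d %s -j DROP\n' \
      "$CHAIN" "$iface" "$METADATA_IP"
    printf 'iptables -I %s -i %s -d %s -p tcp -j REJECT --reject-with tcp-reset\n' \
      "$CHAIN" "$iface" "$METADATA_IP"
  done
}

# Apply the rules, skipping any that already exist (iptables -C) so the
# script is safe to re-run from a boot hook or configuration management.
apply_metadata_block() {
  metadata_block_rules "$@" | while IFS= read -r cmd; do
    check=$(printf '%s' "$cmd" | sed 's/ -I / -C /')
    if ! $check 2>/dev/null; then
      $cmd
    fi
  done
}

# Number of rules generated for the given patterns (two per interface).
metadata_rule_count() {
  metadata_block_rules "$@" | wc -l | tr -d ' '
}

# Usage (as root on the host):
#   . ./block-metadata.sh && apply_metadata_block docker0 'br-+'
# Then, from inside a container on one of those bridges, a request to
# http://169.254.169.254/ should be refused rather than answered.
```

Two caveats worth checking after applying this: containers started with --net=host never traverse the bridge, so these rules do not constrain them; and if you later enable DOCKER-USER on a newer Docker, rules inserted into FORWARD by hand sit behind Docker's own rules and can be reordered on daemon restart, which is why the DOCKER-USER chain exists.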
Related: #23897
Thanks @gordonsyme. The problem is that I don't have access to the host. It's a bit ironic that we cannot isolate from within the container directly.
@jtblin in that case the best course of action is to talk to someone who does have access to the host; the responsibility to filter what hosted containers can and can't do lies with them.
Well, it's a bit weird to have the container contain itself. You can also do this at the network level:
I don't think there's a bug here, and @cpuguy83 mentioned some options that should resolve this case, so I'm closing this issue, but feel free to continue the discussion |
Output of docker version:

Output of docker info:

Additional environment details (AWS, VirtualBox, physical, etc.):
Example docker image

Steps to reproduce the issue:
Run the following command inside a container that has iptables installed:

Describe the results you received:
I get the following error:

Describe the results you expected:
This is related to #4424. I need to run an iptables command inside the docker container, but I cannot use the --privileged option as it is a shared platform. I basically need to prevent traffic from inside the container, which executes untrusted code, from accessing the EC2 metadata API.

Additional information you deem important (e.g. issue happens only occasionally):