Deploying docker containers with no internet connection
tuxArg opened this issue · 1 comment
Describe why it is important and where it will be useful
This is a privacy/security feature request. I want to be able to run the docker apps that are deployed with app_api via docker_socket_proxy (on remote host) limiting outbound connections.
Most models and apps that are intended to run with app_api don't really need internet connection once all models are downloaded.
Describe your proposed solution
Here is what I tried. I think I'm close to getting it done, but no luck yet.
I have my nextcloud installation inside a VM. Docker (podman in my case, but it is the same) is in another VM.
My setup works out of the box using host networking. Everything: certificate, https, running, deploying, heartbeats, etc. But I want to modify this setup to be able to restrict outbound connections for new containers.
- I created a docker network:
$ podman network create dsp_int --internal
- I manually modified the oc_ex_apps_daemons table so that it says "net":"dsp_int" instead of "net":"host"
- I manually added this line on line 145 of ./lib/DeployActions/DockerActions.php, inside the if (!in_array($params['net'], ['host', 'bridge'])) { } block:
$containerParams['HostConfig']['PortBindings'] = [$params['port'].'/tcp' => [['HostPort' => sprintf("%s", $params['port']), 'HostIp' => '127.0.0.1']]];
- I tried developing an app:
$ occ app_api:app:register llm2
ExApp llm2 deployed successfully.
ExApp llm2 successfully registered.
- Everything seems to work, from nextcloud vm I can:
$ curl -u "app_api_haproxy_user:my_pass" https://dsp.docker:23000/heartbeat
{"status":"ok"}
But the app is not actually enabled. It isn't enabled as a Text Processing App. And I can see in the oc_ex_apps status field that it says "type":"install":
{"deploy":100,"init":0,"action":"init","type":"install","error":"","deploy_start_time":1729194413,"init_start_time":1729194421}
Something in the middle went wrong and I don't know what.
Describe alternatives you've considered, if relevant
No response
Additional context
No response
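The procedure above rests on two settings: the ExApp container sits on an --internal network, and its port is published on loopback only. The following is an added Python example, not code from the issue or from app_api, that mirrors the patched DockerActions.php line when building the create request and audits inspect-style records for either setting being missing; the inspect records, container names and the INTERNAL_NETWORKS set are constructed for the example.

```python
import ipaddress
import json

# Constructed sample (not real output): the fields of a docker/podman
# "inspect" record that decide the egress question raised in the issue.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "nc_app_llm2", "HostConfig": {"NetworkMode": "dsp_int",
   "PortBindings": {"23000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "23000"}]}}},
 {"Name": "nc_app_other", "HostConfig": {"NetworkMode": "bridge",
   "PortBindings": {"23001/tcp": [{"HostIp": "", "HostPort": "23001"}]}}}
]""")

# Constructed: networks created with --internal. A real deployment would read the
# Internal flag from "network inspect" instead of hard-coding the set.
INTERNAL_NETWORKS = {"dsp_int"}

def ex_app_create_params(port, net):
    """HostConfig part of the container-create request, mirroring the patched
    DockerActions.php line: on a custom network, publish the ExApp port on
    loopback only, so just the local proxy on the docker host can reach it."""
    host_config = {"NetworkMode": net}
    if net not in ("host", "bridge"):
        host_config["PortBindings"] = {
            f"{port}/tcp": [{"HostPort": str(port), "HostIp": "127.0.0.1"}]
        }
    return {"HostConfig": host_config}

def egress_findings(record, internal_networks=INTERNAL_NETWORKS):
    """Problems with one inspect record: not on an --internal network (it can
    reach the internet), or a port published on a non-loopback address."""
    findings = []
    hc = record.get("HostConfig", {})
    net = hc.get("NetworkMode", "")
    if net not in internal_networks:
        findings.append(f"network {net!r} is not internal: outbound traffic allowed")
    for proto_port, binds in (hc.get("PortBindings") or {}).items():
        for b in binds or []:
            host_ip = b.get("HostIp") or "0.0.0.0"  # empty HostIp = all interfaces
            if not ipaddress.ip_address(host_ip).is_loopback:
                findings.append(f"{proto_port} published on {host_ip}, not loopback")
    return findings

def audit(records, internal_networks=INTERNAL_NETWORKS):
    """Map container name -> list of findings; an empty list means locked down."""
    return {r["Name"]: egress_findings(r, internal_networks) for r in records}
```

Feed it the JSON from `podman inspect` (or `docker inspect`) of the ExApp containers to confirm the table edit and the PortBindings patch actually took effect on the deployed containers.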
I achieved it. I realized that the containers need to contact Nextcloud back via HTTP. So I added an nginx docker proxy to do that and everything works. No outbound connections from the containers deployed by app_api.