diff options
| author | Ian Gudger <igudger@google.com> | 2019-04-02 18:03:01 -0700 |
|---|---|---|
| committer | Adin Scannell <adin@scannell.ca> | 2019-04-02 18:08:58 -0700 |
| commit | 9549ed31f9617ec10f85595f152022f0e550605d (patch) | |
| tree | d66589e88e31cf831d8668d3cc338ae60911329f | |
| parent | 811de2bbe57ff863b50dec4a0f2494afd551a89e (diff) | |
Add docs for disabling external networking.
This is a useful feature for truly untrusted code.
| -rw-r--r-- | content/docs/user_guide/networking.md | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/content/docs/user_guide/networking.md b/content/docs/user_guide/networking.md index 09d4b9789..83e75aaf2 100644 --- a/content/docs/user_guide/networking.md +++ b/content/docs/user_guide/networking.md @@ -33,4 +33,26 @@ Add the following `runtimeArgs` to your Docker configuration } ``` +## Disabling external networking + +To completely isolate the host and network from the sandbox, external +networking can be disabled. The sandbox will still contain a loopback provided +by netstack. + +Add the following `runtimeArgs` to your Docker configuration +(`/etc/docker/daemon.json`) and restart the Docker daemon: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--network=none" + ] + } + } +} +``` + [netstack]: https://github.com/google/netstack |