ADD container isolation with nftables

This commit is contained in:
CaffeineFueled 2025-05-06 23:42:49 +02:00
parent cc6f03d27b
commit 36eed976f2


@ -44,7 +44,7 @@ fi
# Run the container # Run the container
echo "Starting container..." echo "Starting container..."
$CONTAINER_CMD run --name ${CONTAINER_NAME} \ $CONTAINER_CMD run --name ${CONTAINER_NAME} \
-p 8000:8000 \ -p 127.0.0.1:8000:8000 \
-v "$SOURCE_DIR":/home/appuser/app/source${VOLUME_FLAG} \ -v "$SOURCE_DIR":/home/appuser/app/source${VOLUME_FLAG} \
--read-only \ --read-only \
--security-opt no-new-privileges:true \ --security-opt no-new-privileges:true \
@ -52,6 +52,14 @@ $CONTAINER_CMD run --name ${CONTAINER_NAME} \
--user 1000:1000 \ --user 1000:1000 \
-d ${CONTAINER_NAME}:latest -d ${CONTAINER_NAME}:latest
echo $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}')
sudo nsenter -t $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}') -n nft add table inet filter
sudo nsenter -t $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}') -n nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
sudo nsenter -t $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}') -n \
nft add rule inet filter output oif lo accept
# Check if container started successfully # Check if container started successfully
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "Container started successfully!" echo "Container started successfully!"
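Review bot: The `if [ $? -eq 0 ]` check at the end of the hunk now reports on the last `sudo nsenter … nft add rule` command rather than on `$CONTAINER_CMD run`, so "Container started successfully!" no longer reflects whether the container actually started; capture the status directly after the `-d ${CONTAINER_NAME}:latest` line (`run_status=$?`) and test that variable instead. The container PID is looked up four separate times through an unquoted, hard-coded `podman inspect` substitution (the rest of the script goes through `$CONTAINER_CMD`), and an empty result — container not running, or a non-podman runtime — is passed straight to `nsenter -t` with no check; resolve it once into a quoted variable and fail if it is empty or `0`. With `policy drop` on the output hook and only `oif lo accept`, replies to connections that reach the published port through the container's non-loopback interface are dropped as well, so the service bound on 127.0.0.1:8000 would appear unreachable unless a rule outside the lines shown allows it; if none exists, `ct state established,related accept` keeps egress blocked while letting already-accepted inbound connections be answered. The rewritten lines are below; the `$CONTAINER_CMD run` command they follow starts outside the hunk.
```shell
  -d ${CONTAINER_NAME}:latest
run_status=$?

container_pid=$($CONTAINER_CMD inspect "${CONTAINER_NAME}" --format '{{.State.Pid}}') || exit 1
if [ -z "$container_pid" ] || [ "$container_pid" = "0" ]; then
  printf 'Could not determine PID of container %s\n' "${CONTAINER_NAME}" >&2
  exit 1
fi
printf 'Container PID: %s\n' "$container_pid"
sudo nsenter -t "$container_pid" -n nft add table inet filter
sudo nsenter -t "$container_pid" -n nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
sudo nsenter -t "$container_pid" -n nft add rule inet filter output oif lo accept
# Replies to inbound connections on the published port; new outbound connections stay dropped.
sudo nsenter -t "$container_pid" -n nft add rule inet filter output ct state established,related accept

# Check if container started successfully
if [ "$run_status" -eq 0 ]; then
```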