ADD container isolation with nftables

ADD read-only flag to run script and ADD gitignore to source dir
2025-05-06 23:42:49 +02:00 · 2025-05-02 18:13:59 +02:00
2 changed files with 15 additions and 2 deletions
--- a/run_container.sh
+++ b/run_container.sh
@ -44,13 +44,22 @@ fi
 # Run the container
 echo "Starting container..."
 $CONTAINER_CMD run --name ${CONTAINER_NAME} \
-    -p 8000:8000 \
+    -p 127.0.0.1:8000:8000 \
    -v "$SOURCE_DIR":/home/appuser/app/source${VOLUME_FLAG} \
    --read-only \
    --security-opt no-new-privileges:true \
    --cap-drop ALL \
    --user 1000:1000 \
    -d ${CONTAINER_NAME}:latest
 echo $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}')
 sudo nsenter -t $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}') -n nft add table inet filter
 sudo nsenter -t $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}') -n nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
 sudo nsenter -t $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}') -n \
  nft add rule inet filter output oif lo accept
 # Check if container started successfully
 if [ $? -eq 0 ]; then
    echo "Container started successfully!"
@ -66,4 +75,4 @@ if [ $? -eq 0 ]; then
 else
    echo "Failed to start container."
    exit 1
-fi
+fi
--- a/source/.gitignore
+++ b/source/.gitignore
@ -0,0 +1,4 @@
 # Ignore everything in this directory
 *
 # Except this file
 !.gitignore
Author	SHA1	Message	Date
CaffeineFueled	36eed976f2	ADD container isolation with nftables	2025-05-06 23:42:49 +02:00
CaffeineFueled	cc6f03d27b	ADD read-only flag to run script and ADD gitignore to source dir	2025-05-02 18:13:59 +02:00