bundles/docker-engine: do not put containers on the host network

2025-02-15 10:32:56 +01:00 · 2025-02-15 10:32:56 +01:00 · 463443e1e3
commit 463443e1e3
parent aae1e8397e
2 changed files with 15 additions and 3 deletions
--- a/bundles/docker-engine/files/docker-wrapper
+++ b/bundles/docker-engine/files/docker-wrapper
@ -18,6 +18,7 @@ PGID="$(id -g "docker-${name}")"
 if [ "$ACTION" == "start" ]
 then
    docker run -d \
+        --rm \
        --name "${name}" \
        --env "PUID=$PUID" \
        --env "PGID=$PGID" \
@ -25,9 +26,8 @@ then
 % for k, v in sorted(environment.items()):
        --env "${k}=${v}" \
 % endfor
-        --network host \
 % for host_port, container_port in sorted(ports.items()):
-        --expose "127.0.0.1:${host_port}:${container_port}" \
+        --publish "127.0.0.1:${host_port}:${container_port}" \
 % endfor
 % for host_path, container_path in sorted(volumes.items()):
        --volume "/var/opt/docker-engine/${name}/${host_path}:${container_path}" \
@ -38,7 +38,6 @@ then
 elif [ "$ACTION" == "stop" ]
 then
    docker stop "${name}"
-    docker rm "${name}"

 else
    echo "Unknown action $ACTION"
--- a/bundles/docker-engine/metadata.py
+++ b/bundles/docker-engine/metadata.py
@ -18,6 +18,19 @@ defaults = {
            '/var/opt/docker-engine',
        },
    },
+    'nftables': {
+        'forward': {
+            'docker-engine': [
+                'ct state { related, established } accept',
+                'iifname docker0 accept',
+            ],
+        },
+        'postrouting': {
+            'docker-engine': [
+                'iifname docker0 masquerade',
+            ],
+        },
+    },
    'hosts': {
        'entries': {
            '172.17.0.1': {