Explicitly remove all launched containers from the default Docker bridge network

[yousefamar]

Issue by yousefamar
Thursday Mar 16, 2017 at 17:40 GMT # Sample: Friday Sep 13, 2013 at 22:58 GMT
Originally opened as me-box-archive/databox-netdev#57

---

By default, Docker connects all launched containers to the default Docker bridge network. This is bad for us, since although the container can't use Docker DNS to resolve the IPs of other containers, it can still communicate with them directly by IP, which it could just enumerate.

If you override this by setting NetworkMode to none, then the container can't connect to anything ever. The solution is to explicitly disconnect every container from the default Docker bridge network (by name — it's just called "bridge") on launching.

This should be pretty simple; we just need to add an extra step in the container launch Promise chain to disconnect it.

[yousefamar]

Comment by yousefamar
Tuesday Mar 21, 2017 at 16:12 GMT # Sample: Friday Sep 13, 2013 at 22:58 GMT

---

We need this on the branch backupPlan too ideally. The default bridge (docker0) lets all containers have internet by default. Otherwise they're isolated.

[haddadi]

maybe something for @sevenEng to also keep an eye out for ?

[yousefamar]

Ah, @sevenEng did in fact implement this on databox-netdev, then @Toshbrown got it onto databox manually, so actually this resolved but we never closed the issue. Closing now.