This folder demonstrates how to set up Docker containers with network isolation using the --network none flag. This approach helps mitigate risks when working with unknown packages and models. The example includes configuration files and tests to ensure the container cannot access any network resources.
Additionally, this setup includes dropping all Linux capabilities to further enhance security. Capability dropping ensures that the container has the least privileges necessary to operate, reducing the potential attack surface.
Moreover, resource limiting is configured to restrict the container's memory and CPU usage. This ensures that the container cannot consume excessive resources, which could impact the host system.
To work with each specific example or template in this repository, you need to open this subdirectory as the root in VSCode. Follow these steps:
- Open Visual Studio Code.
- Navigate to
File > Open Folder. - Select this subdirectory (
Python_Container_Demo/Isolation_Example) to open it as the root folder.
This will ensure that VSCode and Docker/VSCode look at the .devcontainer folder correctly.
- Open Visual Studio Code.
- Access the Extensions view by clicking on the Extensions icon in the Activity Bar on the side of the window, or by pressing
Ctrl+Shift+X. - Type
Remote Developmentin the search bar. - Locate the
Remote Developmentextension pack by Microsoft and click on the install button.
- To access the Command Palette, either press
Ctrl+Shift+Por navigate toView > Command Palette. - Choose
Dev Containers: Rebuild and Reopen in Container.
- Open the Command Palette using
Ctrl+Shift+Por by going toView > Command Palette. - Select
Dev Containers: Reopen Folder Locally.
- Once inside the container, open the Extensions view by clicking on the Extensions icon in the Activity Bar on the side of the window, or by pressing
Ctrl+Shift+X. - Type
Pythonin the search bar. - Locate the
Pythonextension by Microsoft and click on the install button.
The tests directory contains various tests to ensure that the container cannot access network resources and respects resource limits. These tests include HTTP/HTTPS requests, DNS resolution, socket connections, FTP connections, ICMP ping requests, SMTP connections, HTTP/HTTPS uploads and downloads, and resource usage limits.
Additionally, a parameterized test is included to verify that specific Linux capabilities have been dropped from the container.
- Ensure you have the Python extension installed in the container as described above.
- Open the Command Palette using
Ctrl+Shift+Por by going toView > Command Palette. - Choose
Python: Configure Testsand selectpytestas the testing framework. - Once configured, you will see a beaker icon (Flask icon) on the left side of the VSCode Activity Bar.
- Click on the beaker icon to access the Test Explorer.
- Click on the
Run Testsbutton to run all tests in thetestsdirectory.
Resource limiting is configured to restrict the container's memory and CPU usage.
To modify the resource limits, such as increasing memory or CPU allocation, adjust the relevant parameters in the .devcontainer/devcontainer.json file's runArgs section.
The tests/test_network_isolation.py file contains various tests to ensure network isolation:
test_http_https_requeststest_dns_resolutiontest_socket_connectiontest_ftp_connectiontest_icmp_pingtest_smtp_connectiontest_http_https_uploadtest_http_https_download
The tests/test_cap_drop.py file contains a parameterized test to verify that specific Linux capabilities have been dropped:
test_capabilities(parameterized to check the following capabilities):cap_chowncap_killcap_setuidcap_setgidcap_mknodcap_net_admincap_sys_timecap_sys_modulecap_net_rawcap_dac_overridecap_audit_writecap_setfcap
The tests/test_resource_limiting.py file contains tests to verify resource limiting:
test_memory_limitingtest_cpu_limiting
Refer to the test files for detailed test implementations and purposes.
For additional Docker setup instructions, refer to the main project's README.