
Use dedicated docker-devbox port filtering and publishing instead of Docker internal? #17

Open
laeti-tia opened this issue Jul 15, 2024 · 1 comment

Comments

@laeti-tia (Member)

Playing with firewalld or even iptables inside a Docker container can be very tricky, making testing such a setup as we have in perfSONAR unreliable under docker-devbox. It might be good to have the possibility of running containers with Docker iptables setup deactivated but with firewall and port redirection setup managed by docker-devbox instead.

See my comments in perfsonar/toolkit#483 and the firewalld blog post to get an idea of how this could be done: https://firewalld.org/2024/04/strictly-filtering-docker-containers

@mfeit-internet2 (Member)

DDB wasn't really designed for this kind of system-level stuff, but it would be worth investigating whether running firewalld inside a container would work. I can't see a reason why it wouldn't; everything lives in its own network namespace and, presumably, the kernel would honor it.

I'm thinking of this in terms of how I use Docker for perfSONAR, which is with a dedicated interface brought in with the macvlan driver. Doing anything that affects the root namespace from inside the container wouldn't be allowed for security reasons.

The linked article is about disabling Docker's manipulation of the firewall at the host level and doing it manually rather than doing it from inside containers.
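As an added illustration of the host-level approach the thread and the linked firewalld post point at (this is example code, not docker-devbox or perfSONAR code): a small POSIX shell script that renders the `daemon.json` fragment which stops dockerd from managing iptables, validates port publications of the form `HOSTPORT:CONTAINER_IP:CONTAINERPORT/PROTO`, and prints the firewalld commands that take over forwarding and NAT for a bridged container. Everything it names is an assumption for the example: the bridge interface `docker0`, the zones `public` and `docker`, the policy names `docker-in` and `docker-out`, the container address `172.17.0.2`, and firewalld 1.x with policy objects. The script only prints commands; review them and pipe them to `sh` to apply.

```bash
#!/bin/sh
# Added example, not project code: generate the host-side firewalld setup that
# replaces dockerd's own iptables handling. Names below are assumptions.
set -e

DOCKER_IF=${DOCKER_IF:-docker0}        # assumed bridge interface
DOCKER_ZONE=${DOCKER_ZONE:-docker}     # assumed zone holding the bridge
PUBLIC_ZONE=${PUBLIC_ZONE:-public}     # assumed zone facing the outside
POLICY_IN=${POLICY_IN:-docker-in}      # assumed policy: outside -> containers
POLICY_OUT=${POLICY_OUT:-docker-out}   # assumed policy: containers -> outside

# /etc/docker/daemon.json fragment: dockerd stops adding iptables/ip6tables rules,
# which also means it no longer adds MASQUERADE or DNAT for published ports.
render_daemon_json() {
    cat <<'EOF'
{
  "iptables": false,
  "ip6tables": false
}
EOF
}

# Validate HOSTPORT:CONTAINER_IP:CONTAINERPORT/PROTO and echo the four fields
# separated by spaces; return 1 on anything malformed.
parse_publish_spec() {
    spec=$1
    case "$spec" in
        *:*:*/tcp|*:*:*/udp) ;;
        *) return 1 ;;
    esac
    proto=${spec##*/}
    rest=${spec%/*}
    hostport=${rest%%:*}
    rest=${rest#*:}
    cip=${rest%%:*}
    cport=${rest#*:}
    for p in "$hostport" "$cport"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    case "$cip" in            # loose IPv4 check: digits and dots only
        ''|*[!0-9.]*) return 1 ;;
    esac
    echo "$hostport $cip $cport $proto"
}

# DNAT one publication inside the ingress policy, so the allow rule lives in the
# same policy whose default target rejects everything else from outside.
render_forward_port() {
    fields=$(parse_publish_spec "$1") || return 1
    set -- $fields
    echo "firewall-cmd --permanent --policy $POLICY_IN --add-forward-port=port=$1:proto=$4:toport=$3:toaddr=$2"
}

# Full command plan for the given publication specs.
render_plan() {
    echo "# Host-side replacement for Docker's iptables handling (dockerd runs with iptables=false)."
    echo "firewall-cmd --permanent --zone=$DOCKER_ZONE --add-interface=$DOCKER_IF"
    echo "firewall-cmd --permanent --zone=$PUBLIC_ZONE --add-masquerade"
    echo "# Outside -> containers: reject by default, DNAT only what is published."
    echo "firewall-cmd --permanent --new-policy $POLICY_IN"
    echo "firewall-cmd --permanent --policy $POLICY_IN --add-ingress-zone $PUBLIC_ZONE"
    echo "firewall-cmd --permanent --policy $POLICY_IN --add-egress-zone $DOCKER_ZONE"
    echo "firewall-cmd --permanent --policy $POLICY_IN --set-target REJECT"
    for spec in "$@"; do
        render_forward_port "$spec" || { echo "invalid publication spec: $spec" >&2; return 1; }
    done
    echo "# Containers -> outside: allowed (tighten this policy if containers must not reach out)."
    echo "firewall-cmd --permanent --new-policy $POLICY_OUT"
    echo "firewall-cmd --permanent --policy $POLICY_OUT --add-ingress-zone $DOCKER_ZONE"
    echo "firewall-cmd --permanent --policy $POLICY_OUT --add-egress-zone $PUBLIC_ZONE"
    echo "firewall-cmd --permanent --policy $POLICY_OUT --set-target ACCEPT"
    echo "firewall-cmd --reload"
}

# Usage: sh this-script.sh 8080:172.17.0.2:80/tcp [more specs...] | sh
if [ "$#" -gt 0 ]; then
    render_plan "$@"
fi
```

Two points worth checking after applying such a plan. First, `"iptables": false` removes Docker's MASQUERADE rule as well as its port publishing, so without the `--add-masquerade` line bridged containers lose outbound connectivity. Second, confirm the resulting rule order with `firewall-cmd --list-all-policies` and a probe from outside, because policy priority decides whether the reject target or the forward-port wins. None of this applies to a macvlan setup like the one described above, where the container owns its own address on the wire and the host's NAT and policies never see its traffic; there the filtering has to happen inside the container's own namespace.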
