Isolating containers on same network? (rootful userns=auto)

[Lombra]

Hi,

I have a reverse proxy situation going on, and I would like to allow traffic only from the proxy container and to the Internet. I don't want to create a separate network for every single container. This might be referred to as layer 2 isolation in other contexts. I can find no information on this. (except possibly using pasta?) Is this fundamentally incompatible with how container networking works, or is just no one doing this?

[Luap99]

No, the recommend way is to have one network per service (make sure you set the isolate=strict option) and then reverse proxy is connected to all the networks.

There is containers/netavark#1009 for isolation on the network but then you could also no longer talk to the reverse proxy container as it is a all or nothing.

[Lombra]

I see. As far as I can tell, I could make that work by placing the reverse proxy in a different network, which I can live with, but container DNS lookups does not work across networks, unless I've done something wrong. Is there anything I can do about that?

[Luap99]

yeah that is by design, no way around it, the whole thing is really setup for the multiple network use case

[Lombra]

Got it. Since I'm already using custom systemd generators, is there any hack I can resort to? Say, generate a static hosts file and feed that to the reverse proxy container or something? Edit: Actually, that seems a little tricky. Getting it to use the other network's DNS resolver? Doesn't seem to work.

Alternatively, if I were to go the recommended route, is there no way to automatically create networks? (for quadlet containers) Just seems like a lot of administrative overhead.

[Lombra]

I think it should work if I just isolate everything except the proxy container. Isolation appears in effect only between isolated containers. A non isolated container can still reach isolated containers, and vice versa, which is fine.

I would need to know which bridge port belongs to the proxy container, though.