Only setup networking for containers which need it. #65
Conversation
This should mitigate a hypothetical compromise of the scripts used to manage the CA and other sensitive material. The examples should still work and make sense although I have not tried all of them with this change applied. Note that I did not append the --net=none to all examples because in some cases network is probably wanted.
|
I'm worried that this complicates the commands people copy/paste and increase the chance of errors as it overwhelms the Docker n00bs. I think this makes most sense in the |
|
Well … Yes and no. What errors would you expect form this change? All the commands that I changed don’t need Internet access so why would users want to allow this? I think using long command line arguments (as you probably always should) should be self-documenting. |
|
It's too much noise, for what? None of the processes are even opening a socket inbound or outbound. It increases the complexity for no realistic reason. |
|
But they could initiate a connection. Related to #68 (comment). Reason is described in my initial comment but OK I will make a second PR which only patches the paranoid.md doc. |
This should mitigate a hypothetical compromise of the scripts used to manage the CA and other sensitive material. The examples should still work and make sense although I have not tried all of them with this change applied. Note that I did not append the --net=none to all examples because in some cases network is probably wanted. * Changing this for all docs was not accepted by @kylemanna. kylemanna#65 (comment)
And there is more paranoid stuff from me 😄
This should mitigate a hypothetical compromise of the scripts used to
manage the CA and other sensitive material.
The examples should still work and make sense although I have not tried
all of them with this change applied.
Note that I did not append the --net=none to all examples because in
some cases network is probably wanted.