You can use the podman option `--network=none` together with the systemd directi... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		eriksjolund 12 months ago \| parent \| context \| favorite \| on: Podman Quadlets with Podman Desktop You can use the podman option `--network=none` together with the systemd directive `RestrictAddressFamilies=` I wrote a demo: https://www.redhat.com/en/blog/podman-systemd-limit-access Podman will then not have the privilege to pull the container image, but a web server container can still serve the internet with socket activation.

rendaw 12 months ago [–]

What's the use case for that? Multitenant server web hosting where customers provide containers and you want to lock them down I guess? Mostly SaaS/PaaS?

eriksjolund 12 months ago | [–]

I did it out of pure interest, just to explore ways of locking down a web server.

rendaw 12 months ago | | [–]

Oh, fair enough! It is very cool, FWIW.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact