
Deploying docker containers with no internet connection #418

Closed
tuxArg opened this issue Oct 17, 2024 · 1 comment

Comments


tuxArg commented Oct 17, 2024

Describe why it is important and where it will be useful

This is a privacy/security feature request. I want to be able to run the docker apps that are deployed with app_api via docker_socket_proxy (on remote host) limiting outbound connections.
Most models and apps that are intended to run with app_api don't really need internet connection once all models are downloaded.

Describe your proposed solution

Here is what I tried; I think I'm close to getting it done, but no luck yet.

I have my Nextcloud installation inside a VM. Docker (podman in my case, but it is the same) is in another VM.
My setup works out of the box using host networking. Everything: certificate, https, running, deploying, heartbeats, etc. But I want to modify this setup to be able to restrict outbound connections for new containers.

  • I created a docker network:
    $ podman network create dsp_int --internal

  • I manually modified oc_ex_apps_daemons table so that it says "net":"dsp_int" instead of "net":"host"

  • I manually added this line on line 145 of ./lib/DeployActions/DockerActions.php inside the if (!in_array($params['net'], ['host', 'bridge'])) { } block:

$containerParams['HostConfig']['PortBindings']=[$params['port'].'/tcp' => [['HostPort' => sprintf("%s",$params['port']), 'HostIp' => '127.0.0.1']]];

  • I tried developing an app:
$ occ app_api:app:register llm2
ExApp llm2 deployed successfully.
ExApp llm2 successfully registered.

  • Everything seems to work, from nextcloud vm I can:
$ curl -u "app_api_haproxy_user:my_pass" https://dsp.docker:23000/heartbeat
{"status":"ok"}

But the app is not actually enabled. It isn't enabled as a Text Processing App. And I can see in oc_ex_apps status field where it says "type":"install":
{"deploy":100,"init":0,"action":"init","type":"install","error":"","deploy_start_time":1729194413,"init_start_time":1729194421}

Something in the middle went wrong and I don't know what.

Describe alternatives you've considered, if relevant

No response

Additional context

No response
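As an added example (not part of this issue or of the app_api project), a small Python audit of `podman inspect` output that checks the two properties the setup above relies on: the container is attached to a non-host, `--internal` network, and any published port is bound to loopback only. The inspect JSON and the network table are constructed samples, not output from the reporter's hosts.

```python
import json

# Constructed sample of the relevant fields of `podman inspect <container>`
# for a container deployed the way this issue describes: attached to the
# internal network dsp_int, port published on 127.0.0.1 only.
RESTRICTED = json.loads("""
[{
  "Name": "nc_app_llm2",
  "HostConfig": {
    "NetworkMode": "dsp_int",
    "PortBindings": {"23000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "23000"}]}
  }
}]
""")

# Constructed counter-example: default bridge network, port on all interfaces.
UNRESTRICTED = {
    "Name": "nc_app_llm2_default",
    "HostConfig": {
        "NetworkMode": "bridge",
        "PortBindings": {"23000/tcp": [{"HostIp": "", "HostPort": "23000"}]},
    },
}

# Constructed stand-in for `podman network inspect`: name -> created with --internal?
NETWORKS = {"dsp_int": {"internal": True}, "bridge": {"internal": False}}

LOOPBACK = ("127.0.0.1", "::1")


def audit_egress(container, networks):
    """Return a list of findings; an empty list means the container matches
    the egress-restricted pattern (internal network, loopback-only ports)."""
    findings = []
    hc = container.get("HostConfig", {})
    net = hc.get("NetworkMode", "")
    if net in ("host", "bridge", ""):
        findings.append(f"network mode {net!r} allows unrestricted outbound traffic")
    elif not networks.get(net, {}).get("internal", False):
        findings.append(f"network {net!r} was not created with --internal")
    for port, bindings in (hc.get("PortBindings") or {}).items():
        for binding in bindings or [{}]:
            host_ip = binding.get("HostIp") or "0.0.0.0"  # empty means all interfaces
            if host_ip not in LOOPBACK:
                findings.append(f"{port} is published on {host_ip}, not on loopback")
    return findings


if __name__ == "__main__":
    for c in (RESTRICTED[0], UNRESTRICTED):
        print(c["Name"], audit_egress(c, NETWORKS) or "OK")
```

Run it against real `podman inspect` and `podman network inspect` output to confirm a deployed ExApp actually ended up on the internal network rather than falling back to the default.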

@tuxArg tuxArg closed this as completed Oct 19, 2024

tuxArg commented Oct 19, 2024

I achieved it. I realized that containers need to contact back nextcloud via http. So I added a nginx docker proxy to do that and everything works. No outbound connections from deployed containers by app_api.
