[Request]: Allow for port publishing / connectivity to container when "none" network is selected

[matthewcmead]

Feature or enhancement request details

Sometimes the purpose of using --network none is to isolate the container from being able to connect to external networks while connectivity from the host to the container would be useful. Currently when using --network none, if ports are published with -p, there is no listening socket on the host and no connectivity to the container.

I'm requesting to change this to allow for host to container connectivity to work using port publishing when --network none is used.

There is a workaround for this, but it's somewhat of a hassle: --publish-socket can be used to connect a unix domain socket into the container and socat can be used on the host as well as the container to connect the published domain socket to ports on the host and in the container. Perhaps this can serve as the mechanism to accomplish the connectivity in an automated way that entirely avoids activating the network stack with host connectivity for the container?

Thanks for the consideration.

Code of Conduct

• I agree to follow this project's Code of Conduct

[jglogan]

@matthewcmead If you feel like trying a quick hack, you could change the mode of the default network to VMNET_HOST_MODE and play around with that setup. The containers on that network can talk to each other and to the host, but can't go off host.

Grab the source, and in the main branch, make the change here: https://github.com/apple/container/blob/main/Sources/Services/ContainerNetworkService/Server/ReservedVmnetNetwork.swift#L113.

Clearly it doesn't give you the container-level granularity you want, but it's what could be delivered with a relatively simple contribution.