
Is it possible with Apptainer/Singularity to restrict which network interfaces can be used from within a container?

In my specific use-case I want to allow access to the internet but block access to some SocketCAN interfaces that are available on the host system. Is this possible?

I saw the --net/--network options, but the documentation on this option is not very detailed, so I'm not sure how to use it (or if it can solve my problem at all).

luator

1 Answer


I got the answer from the Apptainer Slack channel (thanks to Cedric Clerget!):

In my specific case (allowing normal network access but hiding the SocketCAN interfaces), it is actually enough to add

--dns <IP of DNS server> --net --network=bridge  # or --network=ptp

Specifying the DNS server is needed when using systemd-resolved. In other cases it may work without.

luator
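As an added example (not part of the original answer), the following script checks that the SocketCAN interfaces really are hidden inside a container started with the options above, by comparing the host's and the container's `ip -o link show` output. The image name, the DNS address and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: "image.sif" and
# 192.0.2.53 are placeholders; iproute2 ("ip") is available inside the image.

# Print the names of all SocketCAN interfaces found in `ip -o link show`
# output read from stdin (SocketCAN links, vcan included, report "link/can").
can_ifaces() {
    awk '/link\/can/ { sub(":", "", $2); print $2 }'
}

# Compare the host view with the container view. --net/--network=bridge
# gives the container its own network namespace, so host interfaces such as
# can0 must be absent there while the bridge still provides connectivity.
compare_can_visibility() {
    image="$1"; dns="$2"
    host_can=$(ip -o link show | can_ifaces)
    cont_can=$(apptainer exec --net --network=bridge --dns "$dns" "$image" \
                   ip -o link show | can_ifaces)
    printf 'host CAN interfaces:      %s\n' "${host_can:-none}"
    printf 'container CAN interfaces: %s\n' "${cont_can:-none}"
    # Succeed only if no CAN interface is visible inside the container.
    [ -z "$cont_can" ]
}

# Usage on a host with Apptainer installed (placeholders, see above):
# compare_can_visibility image.sif 192.0.2.53
```

If the check fails, the container was most likely started without --net (i.e. in the host network namespace), where every host interface, CAN included, is visible.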