Add --docker-run feature for Docker container network isolation#38
Merged
- Add new --docker-run CLI flag to run Docker containers with httpjail
- Create docker.rs module with Docker-specific logic
- Mount httpjail network namespace for Docker access via /var/run/netns
- Inject --network flag to use httpjail's namespace
- Pass CA certificate environment variables to container

- Handle Option<u32> return type from sleep_cmd.id() properly
- Remove unnecessary if-let block indentation
Codex Review: Here are some suggestions.
Reply with @codex fix comments to fix any unresolved comments.
- Test basic Docker container execution
- Test network restrictions within containers
- Test proper cleanup of namespaces after container exit
- Tests gracefully skip if Docker is not available

- ci-ssh.sh: SSH into CI-1 instance
- ci-sync.sh: Sync local changes to CI without committing
- ci-build.sh: Build httpjail on CI with different profiles
- ci-test.sh: Run tests on CI with optional filters
- ci-run.sh: Execute httpjail directly on CI for quick testing

Updated CLAUDE.md with documentation for CI helper scripts and workflows.

- Rework mount_namespace to use existing namespace processes instead of spawning sleep
- Remove obtuse CI scripts, keep only ci-ssh.sh and ci-scp.sh
- Update ci-ssh.sh to accept remote commands
- Add ci-scp.sh for easy file transfers
- Remove #[serial] from Docker tests for better performance
- Remove redundant Docker cleanup test (reuses existing jail cleanup)
- Update CLAUDE.md with simplified CI documentation

- Add NamespaceHolder struct that cleans up process on drop
- Remove unnecessary namespace mounting logic (jail already handles it)
- Just ensure a process exists in namespace for Docker to use
- Remove redundant cleanup_namespace_mount function

- Add code to make namespaces visible in Docker's netns directory
- Add NamespaceHolder cleanup for Docker mounts
- Update CLAUDE.md with HTTPJAIL_BIN test environment variable
- Fix ci-ssh.sh to accept remote commands
- Add ci-scp.sh helper script

Note: Docker integration may not work on all systems due to Docker's namespace isolation. The daemon may not be able to access externally created network namespaces depending on the Docker version and configuration.
- Create DockerLinux jail that wraps LinuxJail with Docker-specific functionality
- Use isolated Docker networks with no default connectivity
- Route traffic from Docker network to jail proxy via host-side nftables
- Containers run with normal permissions, no elevated access required
- All network manipulation done on host side, no reliance on container commands
- Reuse existing LinuxJail infrastructure for network namespaces and proxy
- Add Docker network as SystemResource for automatic cleanup
- Integration tests pass with proper network filtering

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Remove unused subnet variable in setup_docker_routing
- Mark DockerNetwork::new as dead_code (used for API consistency)

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Add cleanup for orphaned Docker networks via ManagedResource
- Add cleanup for orphaned Docker routing nftables
- Properly chain cleanup with LinuxJail orphan cleanup

This ensures DockerLinux follows the same resource cleanup pattern as LinuxJail for handling orphaned resources from crashed processes.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Create DockerRoutingTable implementing SystemResource trait
- Use ManagedResource for automatic cleanup of routing tables
- Simplify cleanup logic by leveraging RAII pattern
- Ensure consistent resource management across all Docker resources

This follows the same pattern as other system resources in httpjail, ensuring proper cleanup even when processes crash.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

The jail_id field is kept for consistency and potential future use, but currently not read.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Bind mount CA certificate into Docker containers for TLS interception
- Mount both the certificate file and parent directory (read-only)
- Add integration tests for Docker HTTPS/TLS functionality
- Test both allowed and blocked HTTPS traffic scenarios
- Use ifconfig.me/ip endpoint for reliable IP address retrieval

This ensures TLS interception works correctly in Docker containers by making the httpjail CA certificate accessible inside the container.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Add a one-liner example showing how to use --docker-run to isolate Docker containers with httpjail network policies.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Use wget which is included in Alpine by default instead of installing curl, making the example cleaner and faster.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Use if-let with && to combine conditions as recommended by clippy.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Summary

This PR adds a new `--docker-run` feature that allows running Docker containers with httpjail network isolation. All container traffic is transparently intercepted through httpjail's proxy without requiring proxy-aware applications or environment variables.

Implementation

The feature works by:

- … `/var/run/netns/`
- … `--network=ns:/var/run/netns/httpjail_<id>` into the `docker run` command

Usage

Key Changes

- `--docker-run` CLI flag that accepts Docker container arguments
- `src/docker.rs` module with Docker-specific network namespace integration
- `CLAUDE.md` with CI testing best practices and fast build profile
- `[profile.fast]` in Cargo.toml for quicker development builds

Testing

The feature requires Linux with Docker installed. Network namespace operations require root/sudo access.

Notes

- … (`-p`) bind to the namespace interface, not directly to the host
- `--network` flag is automatically overridden if specified by the user
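The argument rewriting the summary and notes describe, as an added example rather than httpjail's own `src/docker.rs`: any user-supplied `--network`/`--net` (both the `--network X` and `--network=X` forms) is dropped, the jail namespace is injected using the `ns:` path from the summary, and the CA certificate is bind-mounted. The in-container CA path, the environment variable names and the helper names are assumptions.

```rust
// Added example, not httpjail's docker.rs. Assumptions: the jail namespace is
// mounted at /var/run/netns/httpjail_<id>, the CA lives at `ca_cert` on the
// host, and the env var names below are what the container's TLS stacks honour.

/// Build the final `docker run` argument list for a jailed container.
/// User-supplied `--network`/`--net` (both `--network X` and `--network=X`)
/// is dropped so the jail's namespace always wins.
pub fn build_docker_args(user_args: &[&str], jail_id: &str, ca_cert: &str) -> Vec<String> {
    let mut out = vec![
        "run".to_string(),
        format!("--network=ns:/var/run/netns/httpjail_{jail_id}"),
        // CA certificate bind-mounted read-only at an assumed in-container path.
        "-v".to_string(),
        format!("{ca_cert}:/etc/httpjail/ca.pem:ro"),
    ];
    // Point common TLS stacks at the mounted CA (variable names are assumptions).
    for var in ["SSL_CERT_FILE", "REQUESTS_CA_BUNDLE", "NODE_EXTRA_CA_CERTS"] {
        out.push("-e".to_string());
        out.push(format!("{var}=/etc/httpjail/ca.pem"));
    }
    // Copy the user's arguments, stripping any network selection. This scans
    // every token, so a `--network` meant for the container's own command line
    // would be stripped too; a stricter parser would stop at the image name.
    let mut iter = user_args.iter();
    while let Some(arg) = iter.next() {
        match *arg {
            "--network" | "--net" => {
                iter.next(); // skip the value of the two-token form
            }
            a if a.starts_with("--network=") || a.starts_with("--net=") => {}
            a => out.push(a.to_string()),
        }
    }
    out
}

/// True when the argument list selects exactly one network: the jail's.
pub fn uses_only_jail_network(args: &[String], jail_id: &str) -> bool {
    let want = format!("--network=ns:/var/run/netns/httpjail_{jail_id}");
    let nets: Vec<&String> = args.iter().filter(|a| a.starts_with("--net")).collect();
    nets.len() == 1 && nets[0] == &want
}
```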