[PR #65] [MERGED] Newt Container Network Checking #98

New Issue

GiteaMirror · 2025-11-19T07:13:54-06:00

GiteaMirror commented

2025-11-19 07:13:54 -06:00

📋 Pull Request Information

Original PR: https://github.com/fosrl/newt/pull/65
Author: @JonnyBooker
Created: 6/10/2025
Status: ✅ Merged
Merged: 6/22/2025
Merged by: @oschwartz10612

Base: dev ← Head: docker-network-checking

📝 Commits (10+)

a4d4976 Update to use docker network checking against newt networking
a52260b Add an enforce network validation flag for docker to not break previous functionality
d4b88c3 Merge branch 'fosrl:main' into docker-network-checking
e335bb8 Rename added functions for docker client
cbbd5b0 Add extra pre-condition check for enforcing docker network
126ced6 Merge branch 'docker-network-checking' of https://github.com/JonnyBooker/newt into docker-network-checking
5476a69 Log the container name and id
e26552a Small refinement to how the docker enforcement setting is applied
5cb86f3 Update to readme with new configuration settings
6d9160a Simplified based on PR feedback and support checking use of "bridge" network

📊 Changes

3 files changed (+234 additions, -54 deletions)

View changed files

📝 README.md (+37 -2)
📝 docker/client.go (+130 -32)
📝 main.go (+67 -20)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

Added functionality to be able to restrict the visibility/accessibility of containers that Newt sends to pangolin. Checks will be carried out to ensure that only containers that are available on the same Docker network are sent over to Pangolin.

Default behaviour is as is before to maintain previous behaviour to not break the upgrade path. There is an extra configuration options added to make these checks take place of DOCKER_ENFORCE_NETWORK_VALIDATION or CLI command docker-enforce-network-validation.

This will find the host container, use it to get the networks the Newt container is on, retrieve other containers and using their networks, determine if the Network ID of the Newt Container and other container networks match. If not, they are not sent to Pangolin.

It would be possible to still manually add the container IP/hostname to the Pangolin UI as a target. If validation is enforced, the target will be validated to ensure that it can be seen by Newt, a log will be output as a warning stating the target has not been added due to this new enforcement setting:

Changes have also been made as to how the hostname/IP address of the container is determined. When run as a Newt Docker container, it will be determined under what network mode the Newt container is running on. This has been done to make it so that when using a dedicated docker network, it is accessed internally on the docker network using its hostname rather then an IP, which is more liable to change. The following scenarios will result in the use of IP addresses or hostnames:

Running in Network Mode 'host': IP addresses will be used
Running in Network Mode 'bridge': IP addresses will be used
Running in docker-compose without a network specification: Docker compose creates a network for the compose by default, hostnames will be used
Running on docker-compose with defined network: Hostnames will be used

Example of this functionality in use using a specified docker network:

Example of it being used in network "bridge" mode:

This validation is not possible when the container is run in "host" mode. As it has escalated privileges and also then shares the hostname with the host machine it is running on. This will result in an error of "failed to find host container" being output to the logs.

Example if it being used in network "host" mode with no network validation enabled:

How to test?

Using this branch create a Newt container build
Using the following docker-compose.yml it is possible to test not sending back containers on other networks

services:
  newt:
    image: newt:test
    container_name: newt
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=<Url>
      - NEWT_ID=<Id>
      - NEWT_SECRET=<Secret>
      - DOCKER_SOCKET=/var/run/docker.sock
      - DOCKER_ENFORCE_NETWORK_VALIDATION=true
      - LOG_LEVEL=DEBUG
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - newt-network

  nginx-newt:
    image: nginx:latest
    container_name: nginx-newt
    restart: unless-stopped
    networks:
      - newt-network

  nginx-not-newt:
    image: nginx:latest
    container_name: nginx-not-newt
    restart: unless-stopped
    networks:
      - not-newt-network

networks:
  newt-network:
  not-newt-network:

Further testing can be carried out changing the network mode by changing the network_mode to bridge and host

Example output:

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/newt/pull/65 **Author:** [@JonnyBooker](https://github.com/JonnyBooker) **Created:** 6/10/2025 **Status:** ✅ Merged **Merged:** 6/22/2025 **Merged by:** [@oschwartz10612](https://github.com/oschwartz10612) **Base:** `dev` ← **Head:** `docker-network-checking` --- ### 📝 Commits (10+) - [`a4d4976`](https://github.com/fosrl/newt/commit/a4d49761033969cf2288b831bdcc5bbdefc2f420) Update to use docker network checking against newt networking - [`a52260b`](https://github.com/fosrl/newt/commit/a52260b49d7b10a2656b992c224aed13ae15159e) Add an enforce network validation flag for docker to not break previous functionality - [`d4b88c3`](https://github.com/fosrl/newt/commit/d4b88c398550b8300beec617593df01b9af30fcc) Merge branch 'fosrl:main' into docker-network-checking - [`e335bb8`](https://github.com/fosrl/newt/commit/e335bb8a1f3f9744f3856d828060ee073b48ee25) Rename added functions for docker client - [`cbbd5b0`](https://github.com/fosrl/newt/commit/cbbd5b0c76602e375b540a727e373a3265787f14) Add extra pre-condition check for enforcing docker network - [`126ced6`](https://github.com/fosrl/newt/commit/126ced6d579256b3af87ccc0c50f0ea4a2805e2e) Merge branch 'docker-network-checking' of https://github.com/JonnyBooker/newt into docker-network-checking - [`5476a69`](https://github.com/fosrl/newt/commit/5476a69963904b3e51da105c2b8d21c902e21632) Log the container name and id - [`e26552a`](https://github.com/fosrl/newt/commit/e26552a5d7329695ffb7afb92a7c2409b696ded2) Small refinement to how the docker enforcement setting is applied - [`5cb86f3`](https://github.com/fosrl/newt/commit/5cb86f3e4738f5f467370418c7fb3cbba28cae3b) Update to readme with new configuration settings - [`6d9160a`](https://github.com/fosrl/newt/commit/6d9160ab5e98b4d82a82a47ecf48a35a23e3145e) Simplified based on PR feedback and support checking use of "bridge" network ### 📊 Changes **3 files changed** (+234 additions, -54 deletions) <details> <summary>View changed files</summary> 📝 `README.md` (+37 -2) 📝 `docker/client.go` (+130 -32) 📝 `main.go` (+67 -20) </details> ### 📄 Description ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description Added functionality to be able to restrict the visibility/accessibility of containers that Newt sends to pangolin. Checks will be carried out to ensure that only containers that are available on the same Docker network are sent over to Pangolin. Default behaviour is as is before to maintain previous behaviour to not break the upgrade path. There is an extra configuration options added to make these checks take place of `DOCKER_ENFORCE_NETWORK_VALIDATION` or CLI command `docker-enforce-network-validation`. This will find the host container, use it to get the networks the Newt container is on, retrieve other containers and using their networks, determine if the Network ID of the Newt Container and other container networks match. If not, they are not sent to Pangolin. It would be possible to still manually add the container IP/hostname to the Pangolin UI as a target. If validation is enforced, the target will be validated to ensure that it can be seen by Newt, a log will be output as a warning stating the target has not been added due to this new enforcement setting: ![image](https://github.com/user-attachments/assets/26834e81-2570-40d1-b2c7-b128e4b3b4fd) Changes have also been made as to how the hostname/IP address of the container is determined. When run as a Newt Docker container, it will be determined under what network mode the Newt container is running on. This has been done to make it so that when using a dedicated docker network, it is accessed internally on the docker network using its hostname rather then an IP, which is more liable to change. The following scenarios will result in the use of IP addresses or hostnames: - Running in Network Mode 'host': IP addresses will be used - Running in Network Mode 'bridge': IP addresses will be used - Running in docker-compose without a network specification: Docker compose creates a network for the compose by default, hostnames will be used - Running on docker-compose with defined network: Hostnames will be used Example of this functionality in use using a specified docker network: ![image](https://github.com/user-attachments/assets/2ce190b7-b8c6-40f9-8222-4b20f03d9d81) Example of it being used in network "bridge" mode: ![image](https://github.com/user-attachments/assets/432e4e81-4eb9-461b-9100-e295de6ff348) This validation is not possible when the container is run in "host" mode. As it has escalated privileges and also then shares the hostname with the host machine it is running on. This will result in an error of "failed to find host container" being output to the logs. Example if it being used in network "host" mode with no network validation enabled: ![image](https://github.com/user-attachments/assets/5aeda103-c429-4949-b34a-3ca5c7fe7699) ## How to test? 1. Using this branch create a Newt container build 2. Using the following `docker-compose.yml` it is possible to test not sending back containers on other networks ```yaml services: newt: image: newt:test container_name: newt restart: unless-stopped environment: - PANGOLIN_ENDPOINT=<Url> - NEWT_ID=<Id> - NEWT_SECRET=<Secret> - DOCKER_SOCKET=/var/run/docker.sock - DOCKER_ENFORCE_NETWORK_VALIDATION=true - LOG_LEVEL=DEBUG volumes: - /var/run/docker.sock:/var/run/docker.sock networks: - newt-network nginx-newt: image: nginx:latest container_name: nginx-newt restart: unless-stopped networks: - newt-network nginx-not-newt: image: nginx:latest container_name: nginx-not-newt restart: unless-stopped networks: - not-newt-network networks: newt-network: not-newt-network: ``` Further testing can be carried out changing the network mode by changing the `network_mode` to `bridge` and `host` Example output: ![image](https://github.com/user-attachments/assets/a5c1abb5-8773-4976-bfc9-68e1f5224aba) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2025-11-19 07:13:54 -06:00

GiteaMirror closed this issue

2025-11-19 07:13:54 -06:00

GiteaMirror referenced this issue

2025-11-19 07:14:28 -06:00

[PR #98] [CLOSED] Split mTLS client and CA certificates handling for improved TLS configuration #121

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/newt#98