Restricting Uncontrolled Network Communication Between Containers

By default, network communication between containers on the same host is not restricted: each container can reach every other container on the host's container network and read the packets on it. Data held by one container may therefore leak to other containers on the same host. Restrict the communication between containers to reduce this risk.

Modify the Docker startup parameters and add the --icc=false parameter to disable inter-container communication on the default bridge network (docker0). Note that this setting does not affect user-defined networks: containers that are attached to the same user-defined network can still communicate with each other, so containers that legitimately need to talk to each other can be placed on a dedicated user-defined network. For example:

......
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exist and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --userland-proxy=false --icc=false -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
......

After modifying the parameters, reload the systemd configuration (systemd reads unit files only when told to) and run the following command to restart the service:

 systemctl daemon-reload
 systemctl restart docker

To verify that the setting took effect, check the option that the default bridge network reports; it must print false:

 docker network inspect bridge --format '{{index .Options "com.docker.network.bridge.enable_icc"}}'
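As an added audit helper, not part of the original page or of Docker itself, the following POSIX shell functions decide whether ICC on the default bridge is disabled, reading both the dockerd command line and /etc/docker/daemon.json and applying Docker's precedence rules: a --icc flag and a daemon.json "icc" key that disagree make dockerd refuse to start, and when neither sets it the default is enabled. The function names and the sample inputs are my own.

```shell
#!/bin/sh
# Added audit helper (not part of the page or of Docker): decide whether
# inter-container communication (ICC) on the default bridge is disabled.

# Print "false", "true" or "unset" from a dockerd command line.
# dockerd accepts only --icc=false / --icc=true, or bare --icc (meaning true).
icc_from_cmdline() {
    case " $1 " in
        *" --icc=false "*) echo false ;;
        *" --icc=true "*|*" --icc "*) echo true ;;
        *) echo unset ;;
    esac
}

# Print the "icc" value from a daemon.json file, or "unset" if absent or unreadable.
icc_from_daemon_json() {
    if [ ! -r "$1" ]; then echo unset; return 0; fi
    v=$(grep -Eo '"icc"[[:space:]]*:[[:space:]]*(true|false)' "$1" | head -n 1 \
        | grep -Eo '(true|false)$' || true)
    echo "${v:-unset}"
}

# audit_icc CMDLINE DAEMON_JSON: returns 0 = ICC disabled (PASS), 1 = enabled (FAIL),
# 2 = flag and daemon.json disagree, which makes dockerd refuse to start.
audit_icc() {
    c=$(icc_from_cmdline "$1")
    j=$(icc_from_daemon_json "$2")
    if [ "$c" != unset ] && [ "$j" != unset ] && [ "$c" != "$j" ]; then
        echo "CONFLICT: --icc=$c on the command line but \"icc\": $j in $2"
        return 2
    fi
    eff=$c
    if [ "$eff" = unset ]; then eff=$j; fi
    if [ "$eff" = unset ]; then eff=true; fi   # Docker's default when nothing sets it
    if [ "$eff" = false ]; then
        echo "PASS: ICC on the default bridge is disabled"
        return 0
    fi
    echo "FAIL: ICC on the default bridge is enabled (effective icc=$eff)"
    return 1
}

# On a real host: audit the running daemon (Linux procps ps syntax).
audit_live() {
    audit_icc "$(ps -o args= -C dockerd 2>/dev/null | head -n 1)" /etc/docker/daemon.json
}

# Constructed demonstration using the ExecStart line from the unit file above.
audit_icc "/usr/bin/dockerd --userland-proxy=false --icc=false -H fd://" /nonexistent/daemon.json
```

Run audit_live on the Docker host to check the live daemon; the exit code makes the check usable from a compliance script.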