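---
# Enhanced network security stack for Replicante.
# Adds an egress-filtering proxy, a filtering DNS server, a network monitor
# and a packet-capture sidecar around the sandboxed agent.
#
# NOTE(review): `supervisor` (depended on by network-monitor and the base of
# supervisor-enhanced) and the `replicante-net` network are not defined in this
# file, so it reads as an overlay meant to be loaded together with
# docker-compose.yml (e.g. `docker compose -f docker-compose.yml -f docker-compose.network.yml up`)
# — confirm; loaded on its own, Compose rejects the undefined dependency.
# Images are pulled by `:latest` tag; pin digests (`image@sha256:...`) once the
# stack is stable so a registry-side change cannot silently alter the proxy/DNS.
version: '3.8'  # ignored by Compose v2 (obsolete-key warning); kept for older Compose

services:
  # HTTP/HTTPS filtering proxy (Squid). agent-secured's egress is pointed at it
  # via HTTP_PROXY/HTTPS_PROXY below; the allow-list presumably comes from
  # ./proxy/whitelist.txt as referenced by squid.conf. Unless squid.conf enables
  # SSL bumping, HTTPS is filtered on the CONNECT destination only.
  proxy:
    image: ubuntu/squid:latest
    container_name: replicante-proxy
    volumes:
      - ./proxy/squid.conf:/etc/squid/squid.conf:ro
      - ./proxy/whitelist.txt:/etc/squid/whitelist.txt:ro
      - proxy-logs:/var/log/squid
    networks:
      replicante-net:
        ipv4_address: 172.20.0.2
    ports:
      # Debug access only (per the original intent). Bound to loopback so the
      # host is not turned into an open proxy on every interface; containers
      # reach Squid over replicante-net and do not need this mapping.
      - "127.0.0.1:3128:3128"
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "squid", "-k", "check"]
      interval: 30s
      timeout: 10s
      retries: 3

  # DNS server with filtering (dnsmasq). agent-secured uses it through its
  # `dns:` setting below. hosts.allow is presumably consumed via dnsmasq.conf
  # (e.g. addn-hosts) — confirm; dnsmasq does not read that path by itself.
  dns:
    image: jpillora/dnsmasq:latest
    container_name: replicante-dns
    volumes:
      - ./dns/dnsmasq.conf:/etc/dnsmasq.conf:ro
      - ./dns/hosts.allow:/etc/hosts.allow:ro
    networks:
      replicante-net:
        ipv4_address: 172.20.0.3
    cap_add:
      - NET_ADMIN  # NOTE(review): serving DNS does not obviously need NET_ADMIN; confirm and drop if unused
    restart: unless-stopped
    # --log-queries with --log-facility=- sends every query to stderr, i.e.
    # `docker logs`; this is the DNS audit trail for the sandboxed agent.
    command: ["--no-daemon", "--log-queries", "--log-facility=-"]

  # Network monitor (Rust binary). Mounts the host's /proc and /sys read-only
  # and holds NET_ADMIN, SYS_PTRACE and SYS_ADMIN — broad visibility into host
  # process and kernel state. Treat it as a trusted component: no published
  # ports, and review Dockerfile.monitor with the same care as the agent image.
  network-monitor:
    build:
      context: .
      dockerfile: Dockerfile.monitor
    container_name: replicante-netmon
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - monitor-data:/data
      - ./logs/network:/logs
    networks:
      - replicante-net
    environment:
      - RUST_LOG=info
      - MONITOR_INTERVAL=5
      - SUPERVISOR_URL=http://supervisor:8080
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
      - SYS_ADMIN  # NOTE(review): close to full root inside the container; confirm the monitor really needs it
    restart: unless-stopped
    depends_on:
      - supervisor  # NOTE(review): defined in docker-compose.yml, not here (see file header)

  # Supervisor from the base compose file, re-declared so it waits for the
  # proxy and DNS and is told where to find them.
  supervisor-enhanced:
    extends:
      file: docker-compose.yml
      service: supervisor
    depends_on:
      - proxy
      - dns
    environment:
      - NETWORK_MONITOR_ENABLED=true
      - PROXY_URL=http://172.20.0.2:3128
      - DNS_SERVER=172.20.0.3

  # Sandboxed agent. Runs with a read-only root filesystem, every capability
  # dropped except NET_BIND_SERVICE, no-new-privileges, the default AppArmor
  # profile and a custom seccomp profile; egress is directed at the proxy and
  # DNS filter defined above.
  agent-secured:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: replicante-agent-secured
    command: ["sandbox", "--config", "/config/agent.toml", "--sandbox-config", "/config/sandbox-strict.toml"]
    volumes:
      - ./config:/config:ro
      - sandbox-secured:/sandbox
      - agent-secured-data:/data
    networks:
      replicante-net:
        ipv4_address: 172.20.0.100
    environment:
      # Proxy variables are honoured only by cooperating clients. Nothing in
      # this file stops a process that ignores them from connecting directly,
      # so confirm egress is also restricted at the network level.
      - HTTP_PROXY=http://172.20.0.2:3128
      - HTTPS_PROXY=http://172.20.0.2:3128
      # NOTE(review): CIDR entries in NO_PROXY are not understood by every HTTP
      # client; confirm the agent's client handles 172.20.0.0/16.
      - NO_PROXY=localhost,127.0.0.1,supervisor,172.20.0.0/16
      - RUST_LOG=info
    dns:
      - 172.20.0.3
    read_only: true
    tmpfs:
      - /tmp
    security_opt:
      - no-new-privileges:true
      - apparmor:docker-default
      # NOTE(review): confirm the relative profile path resolves from the
      # project directory in the Compose version in use.
      - seccomp:./security/seccomp-profile.json
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    depends_on:
      - proxy
      - dns
      - supervisor-enhanced
    restart: unless-stopped
    # deploy.resources is honoured by Compose v2; older Compose v1 ignores it
    # unless run with --compatibility.
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
        reservations:
          cpus: '0.25'
          memory: 128M

  # Packet-capture sidecar (tcpdump via netshoot). Captures land in ./logs/pcap
  # and may hold full plaintext payloads — restrict access to that directory
  # and set a retention policy.
  # NOTE(review): a container with its own network namespace on a bridge
  # network only sees its own traffic; unless capture.sh arranges otherwise,
  # `network_mode: "service:agent-secured"` would be needed for it to observe
  # the agent — confirm against capture.sh.
  traffic-analyzer:
    image: nicolaka/netshoot:latest
    container_name: replicante-tcpdump
    volumes:
      - ./logs/pcap:/pcap
      - ./network-policy/capture.sh:/capture.sh:ro
    networks:
      - replicante-net
    cap_add:
      - NET_ADMIN
      - NET_RAW
    command: ["/bin/bash", "/capture.sh"]
    restart: unless-stopped

networks:
  # NOTE(review): the fixed ipv4_address values above (172.20.0.x) require this
  # pre-existing network to own the 172.20.0.0/16 subnet — confirm in the file
  # that creates it.
  replicante-net:
    external: true
    name: replicante_replicante-net

volumes:
  proxy-logs:
    driver: local
  # NOTE(review): with the `local` driver, `o: size=...` alone is not a complete
  # mount spec (the driver also expects `type` and `device`, e.g. a tmpfs);
  # confirm these volumes are created with the intended size cap, and whether
  # non-persistent tmpfs storage is acceptable for the /data mounts.
  monitor-data:
    driver: local
    driver_opts:
      o: "size=100m"
  sandbox-secured:
    driver: local
    driver_opts:
      o: "size=100m"
  agent-secured-data:
    driver: local
    driver_opts:
      o: "size=50m"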