Isolated network (apple#1079)

- Closes apple#1037.
- Adds a `--mode` flag that has `nat` and `hostOnly` options.
  The host-only option selects the vmnet host-only mode,
  where containers attached to the network can reach each
  other and the host, but not external systems.

Author: JaewonHur

Sources/ContainerCommands/Network/NetworkCreate.swift

@@ -31,6 +31,9 @@ extension Application {
  @Option(name: .customLong("label"), help: "Set metadata for a network")
  var labels: [String] = []
 
+ @Flag(name: .customLong("internal"), help: "Restrict to host-only network")
+ var hostOnly: Bool = false
+
  @Option(
             name: .customLong("subnet"), help: "Set subnet for a network",
             transform: {
@@ -55,9 +58,10 @@ extension Application {
 
  public func run() async throws {
  let parsedLabels = Utility.parseKeyValuePairs(labels)
+ let mode: NetworkMode = hostOnly ? .hostOnly : .nat
  let config = try NetworkConfiguration(
                 id: self.name,
-                mode: .nat,
+                mode: mode,
                 ipv4Subnet: ipv4Subnet,
                 ipv6Subnet: ipv6Subnet,
                 labels: parsedLabels

Sources/ContainerResource/Network/NetworkMode.swift

@@ -14,12 +14,18 @@
 // limitations under the License.
 //===----------------------------------------------------------------------===//
 
+import ArgumentParser
+
 /// Networking mode that applies to client containers.
-public enum NetworkMode: String, Codable, Sendable {
+public enum NetworkMode: String, Codable, Sendable, ExpressibleByArgument {
     /// NAT networking mode.
     /// Containers do not have routable IPs, and the host performs network
     /// address translation to allow containers to reach external services.
  case nat = "nat"
+
+    /// Host only networking mode
+    /// Containers can talk with each other in the same subnet only.
+ case hostOnly = "hostOnly"
 }
 
 extension NetworkMode {
@@ -30,6 +36,7 @@ extension NetworkMode {
  public init?(_ value: String) {
  switch value.lowercased() {
  case "nat": self = .nat
+ case "hostOnly": self = .hostOnly
  default: return nil
  }
  }

Sources/Helpers/NetworkVmnet/NetworkVmnetHelper+Start.swift

@@ -45,6 +45,9 @@ extension NetworkVmnetHelper {
  @Option(name: .shortAndLong, help: "Network identifier")
  var id: String
 
+ @Option(name: .long, help: "Network mode")
+ var mode: NetworkMode = .nat
+
  @Option(name: .customLong("subnet"), help: "CIDR address for the IPv4 subnet")
  var ipv4Subnet: String?
 
@@ -73,7 +76,7 @@ extension NetworkVmnetHelper {
  let ipv6Subnet = try self.ipv6Subnet.map { try CIDRv6($0) }
  let configuration = try NetworkConfiguration(
                     id: id,
-                    mode: .nat,
+                    mode: mode,
                     ipv4Subnet: ipv4Subnet,
                     ipv6Subnet: ipv6Subnet,
  )

Sources/Services/ContainerAPIService/Server/Networks/NetworksService.swift

@@ -269,7 +269,7 @@ public actor NetworksService {
  }
 
  private func registerService(configuration: NetworkConfiguration) async throws {
- guard configuration.mode == .nat else {
+ guard configuration.mode == .nat || configuration.mode == .hostOnly else {
  throw ContainerizationError(.invalidArgument, message: "unsupported network mode \(configuration.mode.rawValue)")
  }
 
@@ -282,6 +282,8 @@ public actor NetworksService {
             configuration.id,
  "--service-identifier",
             serviceIdentifier,
+ "--mode",
+            configuration.mode.rawValue,
  ]
 
  if let ipv4Subnet = configuration.ipv4Subnet {

Sources/Services/ContainerNetworkService/Server/ReservedVmnetNetwork.swift

@@ -52,7 +52,7 @@ public final class ReservedVmnetNetwork: Network {
         configuration: NetworkConfiguration,
         log: Logger
  ) throws {
- guard configuration.mode == .nat else {
+ guard configuration.mode == .nat || configuration.mode == .hostOnly else {
  throw ContainerizationError(.unsupported, message: "invalid network mode \(configuration.mode)")
  }
 
@@ -110,7 +110,8 @@ public final class ReservedVmnetNetwork: Network {
 
         // set up the vmnet configuration
  var status: vmnet_return_t = .VMNET_SUCCESS
- guard let vmnetConfiguration = vmnet_network_configuration_create(vmnet.operating_modes_t.VMNET_SHARED_MODE, &status), status == .VMNET_SUCCESS else {
+ let mode: vmnet.operating_modes_t = configuration.mode == .hostOnly ? .VMNET_HOST_MODE : .VMNET_SHARED_MODE
+ guard let vmnetConfiguration = vmnet_network_configuration_create(mode, &status), status == .VMNET_SUCCESS else {
  throw ContainerizationError(.unsupported, message: "failed to create vmnet config with status \(status)")
  }
 

Tests/CLITests/Subcommands/Networks/TestCLINetwork.swift

@@ -190,4 +190,61 @@ class TestCLINetwork: CLITest {
  return
  }
  }
+
+ @available(macOS 26, *)
+ @Test func testIsolatedNetwork() async throws {
+ do {
+ let name = getLowercasedTestName()
+ let networkDeleteArgs = ["network", "delete", name]
+            _ = try? run(arguments: networkDeleteArgs)
+
+ let networkCreateArgs = ["network", "create", "--internal", name]
+ let result = try run(arguments: networkCreateArgs)
+ if result.status != 0 {
+ throw CLIError.executionFailed("command failed: \(result.error)")
+ }
+ defer {
+                _ = try? run(arguments: networkDeleteArgs)
+ }
+ let port = UInt16.random(in: 50000..<60000)
+ try doLongRun(
+                name: name,
+                image: "docker.io/library/python:alpine",
+                args: ["--network", name],
+                containerArgs: ["python3", "-m", "http.server", "--bind", "0.0.0.0", "\(port)"]
+ )
+ defer {
+ try? doStop(name: name)
+ }
+
+ let container = try inspectContainer(name)
+            #expect(container.networks.count > 0)
+ let curlImage = "docker.io/curlimages/curl:8.6.0"
+ let cidrAddress = container.networks[0].ipv4Address
+ let url = "http://\(cidrAddress.address):\(port)"
+ let (_, _, _, succeed) = try run(arguments: [
+ "run",
+ "--rm",
+ "--network",
+                name,
+                curlImage,
+ "curl",
+                url,
+ ])
+
+            #expect(succeed == 0, "internal connection should succeed")
+
+ let (_, _, _, failed) = try run(arguments: [
+ "run",
+ "--rm",
+ "--network",
+                name,
+                curlImage,
+ "curl",
+ "http://google.com",
+ ])
+
+            #expect(failed == 6, "external connection should fail")
+ }
+ }
 }