Network and VM FAQs
How can I limit the type of internet access allowed by the container when it runs, to prevent it from being able to exfiltrate data or download malicious code?
There is no built-in mechanism for that, but it can be addressed with a process-level firewall on the host. Hook into the `com.docker.vpnkit` user-space process and apply rules that control where it can connect (a DNS/URL whitelist, a packet or payload filter) and which ports and protocols it is allowed to use.
There is no direct way to enforce that through Docker Desktop, but it inherits any firewall rules enforced on the host.
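As an added illustration of the host-side approach described above (this is not Docker's own documentation or tooling), the following PowerShell restricts the Windows host process that the FAQ names as the owner of all host networking sockets, `com.docker.backend.exe`, to web and DNS ports only. The installation path is a placeholder to be replaced with the real one on your host.

```powershell
# Added example, not part of the Docker documentation. Assumes Docker Desktop on
# Windows, where host networking is done from com.docker.backend.exe (per the FAQ).
# PLACEHOLDER path: substitute the actual install location on your host.
$backend = 'C:\PLACEHOLDER\Docker\resources\com.docker.backend.exe'

# Windows Defender Firewall evaluates Block rules before Allow rules, so an
# egress allow-list cannot be built from Allow rules alone: block the process
# on every port except the ones it legitimately needs. These rules apply to the
# process as a whole, i.e. to every container at once, not per container.

# TCP: block every remote port except 80 and 443 (registry pulls, HTTPS egress).
New-NetFirewallRule -DisplayName 'Docker backend egress: block non-web TCP' `
    -Program $backend -Direction Outbound -Protocol TCP `
    -RemotePort '1-79','81-442','444-65535' -Action Block -Profile Any

# UDP: block everything except DNS on port 53.
New-NetFirewallRule -DisplayName 'Docker backend egress: block non-DNS UDP' `
    -Program $backend -Direction Outbound -Protocol UDP `
    -RemotePort '1-52','54-65535' -Action Block -Profile Any

# Check what was installed: rule, action, protocol and the remote port filter.
Get-NetFirewallRule -DisplayName 'Docker backend egress*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Action     = $_.Action
        Protocol   = $port.Protocol
        RemotePort = $port.RemotePort
    }
}
```

These port rules do not give a DNS name whitelist; filtering by destination name or payload still needs a payload-aware filter on the same process, as the answer notes.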
What options exist to lock containerized network settings to a system? If not supported, are there any consequences to manipulating the settings?
The Docker network settings are entirely local within the VM and have no effect on the system.
For network connectivity, Docker Desktop uses a user-space process (`com.docker.vpnkit`), which inherits constraints such as firewall rules, VPN and HTTP proxy settings from the user that launched it.
The `DockerDesktopVM` name is hard-coded in the service code, so you cannot use Docker Desktop to create or manipulate any other VM.
On Mac, starting a VM is an unprivileged operation, so that restriction is not enforced by Docker Desktop.
The VM processes are the same for both WSL 2 (running inside the `docker-desktop` distro) and Hyper-V (running inside the `DockerDesktopVM`). Host/VM communication uses `AF_VSOCK` hypervisor sockets (shared memory). It does not use Hyper-V network switches or network interfaces. All host networking is performed using normal TCP/IP sockets from the `com.docker.backend.exe` processes. For more information see How Docker Desktop networking works under the hood.