fix: change default network_mode from host to bridge#49
Merged
dasirra merged 6 commits intoMar 26, 2026
Merged
Conversation
Reduces container network exposure by defaulting to bridge mode. Adds explicit port mappings for gateway (18789) and bridge (18790) ports. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a commented-out section showing how advanced users can switch back to host network mode, with a warning about loss of network isolation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prompts the user to choose bridge (default) or host network mode, saves the selection to .env, and writes the override file if host mode is selected. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ard screen - Remove explicit network_mode: bridge (let Compose use its project network) - Add extra_hosts for host.docker.internal so container can reach host services - Remove network mode wizard screen (bridge is the secure default; host mode is documented in docker-compose.override.example.yaml for power users) - Add Compose version requirement comment for !reset YAML tag Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dasirra
deleted the
build/43-sec-change-default-network-from-host-to-bridge
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changes the default Docker network mode from
hosttobridgewith explicit port mappings (18789, 18790), eliminating unrestricted container access to the host network stack. Documents the legacyhostmode as an optional override and adds a network mode selection screen to the install wizard.Source
Closes #43
What Changed
Docker Compose
docker-compose.yaml: replacednetwork_mode: "host"withnetwork_mode: bridgeand added explicitportsmappings for ports 18789 and 18790docker-compose.override.example.yaml: added a fully commented-out example block showing how to restore host mode via override, withports: !reset []to clear the incompatible port mappings and a clear isolation warningInstall Wizard
install.sh: added "Screen 4: Network Mode" between the Git Identity and integration setup sectionshostselection: warns about loss of isolation, writesdocker-compose.override.yamlif absent (or checks for existing host config)bridgeselection: warns if an existing override file still enforces host modeTasks
Code Review
Two MUST_FIX and two SHOULD_FIX issues were found and resolved:
NETWORK_MODEenv var (was written to.envbut never consumed by Docker Compose)Built autonomously by
/build