✦ For everyone, free.

Practical knowledge for real and everyday life

Home

7.2.3.2 None Batch Isolation

A focused guide to None Batch Isolation, connecting core concepts with practical Docker and container operations.

None batch isolation refers to using the none network driver for batch processing workloads that operate purely on already-provided local data (through mounted volumes, for instance), needing no network access at all during their actual processing work, gaining strong isolation as a result.

A Typical Batch Processing Use Case

A container performing a computation purely on locally mounted input data, producing locally written output, with no need to fetch anything from or send anything to a network during that processing.

docker run --rm --network none \
  -v $(pwd)/input:/data/input:ro \
  -v $(pwd)/output:/data/output \
  data-processor:1.0

This batch job reads from and writes to local, mounted directories exclusively, with no network access needed or available during its execution.

Why This Pattern Provides Strong Isolation for Batch Work

Disabling networking entirely for a batch processing container ensures that, even if the processing logic or its dependencies contained an unexpected vulnerability, there would be no network available through which data could be exfiltrated or a remote connection established.

docker run --rm --network none untrusted-data-processor:1.0

This is particularly valuable when processing data of uncertain trustworthiness, where the processing logic itself might not be fully trusted to behave safely if it somehow gained network access.

Preparing All Needed Data Before Disabling Networking

Since the container has no network access during processing, any data it needs must already be available locally (through mounts) before the container starts — this requires structuring the batch workflow to fetch needed data in a separate, prior step.

curl -o input/data.json https://api.example.com/data
docker run --rm --network none -v $(pwd)/input:/data/input:ro data-processor:1.0
Why None Batch Isolation Matters

For batch processing workloads operating purely on local data, disabling networking entirely provides a strong, structural isolation guarantee, particularly valuable when processing data or running logic whose trustworthiness isn't fully established.

Related content