feat: add network isolation modes to container/run.sh script

[keivenchang]

Overview:

Add network isolation modes to container run script with comprehensive configuration options. This enables secure CI/CD pipelines and flexible networking for different deployment scenarios.

Details:

• Add --network flag to run.sh supporting host, bridge, none, and container sharing modes
• Update container README with detailed network configuration documentation and use cases
• Add CI/CD workflow examples demonstrating bridge networking for test isolation
• Document performance/security tradeoffs and limitations for each network mode
• Include comparison table and warnings for restricted functionality modes

Where should the reviewer start?

• container/run.sh - New network flag implementation and argument parsing
• container/README.md - Comprehensive network configuration documentation and examples

/coderabbit profile chill

Summary by CodeRabbit

• New Features

  • Added a configurable networking option to the container runner with modes: host (default), bridge, none, and container sharing. Help text updated with usage and examples.

• Documentation

  • Expanded network configuration guidance with detailed use cases and examples for each mode, including custom networks.
  • Updated usage examples to be network-aware; removed outdated GPU-focused example.
  • Introduced a CI/CD Workflow section emphasizing network isolation and in-container integration tests.
  • Augmented examples for workspace mounting, volume/cache flags, and a multi-service startup sequence.

[coderabbitai]

Walkthrough

Adds a configurable --network option to container/run.sh (default: host) and updates container/README.md with expanded network configuration documentation, examples, and CI/CD workflow guidance. Docker run now uses the selected network value instead of a hardcoded host network.

Changes

Cohort / File(s)	Summary
Documentation: Network & CI/CD updates container/README.md	Rewrites network configuration section with modes (host, bridge, none, container:name, custom), replaces prior examples with network-aware usage, adds CI/CD workflow emphasizing network isolation, updates examples for mounts/volumes/cache, includes multi-service startup sequence.
Script: Network option in runner container/run.sh	Introduces NETWORK variable (default host), parses --network <mode> in get_options, expands help to document values and examples, and uses --network "$NETWORK" in docker run.

Sequence Diagram(s)

sequenceDiagram
  actor User
  participant run.sh as run.sh
  participant Docker as docker run

  User->>run.sh: Invoke with args (e.g., --network bridge)
  run.sh->>run.sh: Parse options (get_options)
  run.sh-->>run.sh: Set NETWORK (default host or provided value)
  run.sh->>Docker: docker run --network "$NETWORK" ...
  Docker-->>run.sh: Container started with selected network
  run.sh-->>User: Exit with status

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

In wires and waves, I thump with glee,
Flip host to bridge—a hop for me!
CI drums hum, containers align,
A carrot-shaped ping on every line.
With NETWORK set, I bound and run—
Docked and linked, the job is done. 🥕🐇

Pre-merge checks

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The description follows the repository template for Overview, Details, and Where to start sections but omits the required “Related Issues” section with an action keyword and issue reference, making it incomplete against the specified template.	Please add a “#### Related Issues:” section listing any closing or related issues using an action keyword (e.g., “closes #123”) to fully comply with the repository’s description template.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly describes the primary change of adding network isolation modes to the container/run.sh script, matching the core implementation and its intent. It is concise, specific, and clearly communicates what the pull request introduces without ambiguous or extraneous phrasing. While it omits documentation updates, titles need only highlight the main feature. Therefore, it effectively summarizes the most important change from the developer’s perspective.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[kthui]

Nice! We have network isolation to the container.

One thing people might ask in the future is adding port publish

-p HOST_PORT:CONTAINER_PORT

because the host or other containers no longer have access to network services at the container if bridge mode is used, so network service ports will need to be explicitly published, but I think this can be done in a separate PR given the default option is still "host".

[keivenchang]

Nice! We have network isolation to the container.

One thing people might ask in the future is adding port publish

-p HOST_PORT:CONTAINER_PORT

because the host or other containers no longer have access to network services at the container if bridge mode is used, so network service ports will need to be explicitly published, but I think this can be done in a separate PR given the default option is still "host".

Ok, I just added the --port|-p option and mentioned in the README.md about it.