From 9549ed31f9617ec10f85595f152022f0e550605d Mon Sep 17 00:00:00 2001 From: Ian Gudger Date: Tue, 2 Apr 2019 18:03:01 -0700 Subject: [PATCH] Add docs for disabling external networking. This is a useful feature for truly untrusted code. --- content/docs/user_guide/networking.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/content/docs/user_guide/networking.md b/content/docs/user_guide/networking.md index 09d4b9789..83e75aaf2 100644 --- a/content/docs/user_guide/networking.md +++ b/content/docs/user_guide/networking.md @@ -33,4 +33,26 @@ Add the following `runtimeArgs` to your Docker configuration } ``` +## Disabling external networking + +To completely isolate the host and network from the sandbox, external +networking can be disabled. The sandbox will still contain a loopback provided +by netstack. + +Add the following `runtimeArgs` to your Docker configuration +(`/etc/docker/daemon.json`) and restart the Docker daemon: + +```json +{ + "runtimes": { + "runsc": { + "path": "/usr/local/bin/runsc", + "runtimeArgs": [ + "--network=none" + ] + } + } +} +``` + [netstack]: https://github.com/google/netstack
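Review bot: In the first sentence of the new "Disabling external networking" section, "To completely isolate the host and network from the sandbox" promises more than the change documents, since `--network=none` is described here only as disabling external networking. Suggest scoping the wording to the network path, for example "To prevent the sandbox from reaching the host network or any external network, external networking can be disabled." Two smaller points in the same section: "provided by netstack" should be written as `[netstack]` so it picks up the link reference already defined at the bottom of the file, and because the `runtimeArgs` are set on the `runsc` entry under `runtimes` in `/etc/docker/daemon.json`, the text should say that every container started with that runtime loses external networking, so readers who need both modes should add a second runtime entry under a different name.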