[eriksjolund]

You can use the podman option `--network=none` together with the systemd directive `RestrictAddressFamilies=`

I wrote a demo: https://www.redhat.com/en/blog/podman-systemd-limit-access

Podman will then not have the privilege to pull the container image, but a web server container can still serve the internet with socket activation.

[rendaw]

What's the use case for that? Multitenant server web hosting where customers provide containers and you want to lock them down I guess? Mostly SaaS/PaaS?

[eriksjolund]

I did it out of pure interest, just to explore ways of locking down a web server.

[rendaw]

Oh, fair enough! It is very cool, FWIW.