@ellotheth I just playing with idea of cloud based dev env and found this today. Basically every time I start my docker all ports are accessible outside of localhost (nginx, mysql)

@ellotheth to be honest: YES. I just want simple tmux+neovim for LAMP stack. Docker felt like good choice because I can easily change version of apps in stack but it come with it's own problems 👿

@GeekDaddy
@ellotheth

To be honest, this is an quite old thing happening? Basically since the beginning of docker and dockerd taking care of firewall rules? So nothing really new here.

Still a well-configured setup won't have a problem with that. So when you want the ports only to be accessible locally, use the portmapping parameter correctly:

Instead of -p 3306:3306 use -p 127.0.0.1:3306:3306 which is the correct way of doing it. or when you don't need direct access, don't use -p at all.

@sheogorath I never claimed it was new, and I thought I had a well-configured setup. I'm glad I now know I didn't, but I wish I'd known earlier. 🤷‍♀️

@ellotheth If you have questions regarding to those things, feel free to reach out :)

Also you may find some inspiration on my infrastructure repository:

git.shivering-isles.com/shiver

@sheogorath Thanks! Hilariously I'm not really a Docker user, per se, I just use stuff that uses Docker. It would never have occurred to me that by default Docker writes its own iptables rules, so I didn't even know I had a question to ask. At this point, I'm back to having no questions. I hope.

@ellotheth Hint: dockerd is written to run standalone on a linux kernel and given that there is something configuring the basic networking (i.e. IP Address, subnet, default route), and mounting the root filesystem, no further daemon is needed on top of the Linux kernel in order to enable docker to setup it's container infrastructure.

A project that is exactly that minimal is Docker Inc.'s linux-kit project:

github.com/linuxkit/linuxkit

@ellotheth and this is UFW or Docker's fault?
Well who uses UFW on production servers anyway?

@ellotheth I don't know, this is known for like forerver, it doesn't need a security expert or whatever. If you let Docker edit iptables, then it edits the goddamn thing.

@dragnucs Sure. If you know Docker's default behavior is to write its own iptables rules, and you know the rules it writes will supersede your ufw config, then yeah, obviously it's super easy to address before it becomes a problem.

You just have to know all that stuff first. Or you have know that you don't know, so you can go look it up.

Sign in to participate in the conversation
Mastodon for Tech Folks

This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either! We adhere to an adapted version of the TootCat Code of Conduct and have documented a list of blocked instances. Ash is the admin and is supported by Fuzzface, Brian!, and Daniel Glus as moderators. Hosting costs are largely covered by our generous supporters on Patreon – thanks for all the help!