Description
In docker swarm mode, binding a port to 127.0.0.1 results in the port also being open on 0.0.0.0. This could be a severe security issue and should be explained in the documentation.
Steps to reproduce the issue:
- Create a service, for example MongoDB, in your docker-compose.swarm.yml file, and publish the port 27017 to localhost:
mongodb:
  image: mongo:3.2
  volumes:
    - ./persistent-data/mongodb:/data
    - ./persistent-data/mongodb/db:/data/db
  networks:
    data:
      aliases:
        - mongo.docker
  logging:
    driver: syslog
    options:
      syslog-address: "udp://10.129.26.80:5514"
      tag: "docker[mongodb]"
  ports:
    - "127.0.0.1:27017:27017"
  deploy:
    placement:
      constraints: [node.labels.purpose == main-data]
- Deploy your swarm
- Check if the port is open from outside your swarm with netcat
Describe the results you received:
nc -vz PUBLIC_NODE_IP 27017
found 0 associations
found 1 connections:
[...]
Connection to PUBLIC_NODE_IP port 27017 [tcp/*] succeeded!
Describe the results you expected:
The port being available only on 127.0.0.1, at least on the swarm nodes running this service.
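As an added example (not part of the original report), a small pre-deploy lint in Python that parses the Compose short `ports:` syntax and flags every mapping that names a host IP, since swarm ingress publishing ignores that address and listens on 0.0.0.0 on every node. The service table is constructed to mirror the compose fragment above, and the regex and function names are this example's own.

```python
import re
from typing import NamedTuple, Optional

# Compose short "ports:" syntax: [host_ip:][host_port:]container_port[/protocol]
# (IPv4 host addresses only; this regex is the example's own, not Compose's).
PORT_RE = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):)?(?:(?P<host>\d+(?:-\d+)?):)?"
    r"(?P<target>\d+(?:-\d+)?)(?:/(?P<proto>tcp|udp|sctp))?$"
)

class PortSpec(NamedTuple):
    host_ip: Optional[str]    # None when no address was given
    host_port: Optional[str]  # None means an ephemeral host port
    target: str
    proto: str

def parse_port(spec: str) -> PortSpec:
    """Split one short-syntax port mapping into its parts."""
    m = PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    return PortSpec(m["ip"], m["host"], m["target"], m["proto"] or "tcp")

def ingress_warning(service: str, spec: str) -> Optional[str]:
    """Finding when a mapping names a host IP: in swarm mode the routing mesh
    publishes the port on every node's interfaces and ignores that address."""
    p = parse_port(spec)
    if p.host_ip is None:
        return None
    shown = p.host_port or "<ephemeral>"
    return (f"{service}: {spec!r} looks bound to {p.host_ip}, but swarm ingress "
            f"publishing listens on 0.0.0.0:{shown}/{p.proto} on every node")

def audit_services(services: dict) -> list:
    """Run the check over a {service: {"ports": [...]}} mapping."""
    findings = []
    for name, cfg in services.items():
        for spec in cfg.get("ports", []):
            w = ingress_warning(name, spec)
            if w:
                findings.append(w)
    return findings

# Constructed sample: the report's mongodb mapping plus two made-up services.
SAMPLE_SERVICES = {
    "mongodb": {"ports": ["127.0.0.1:27017:27017"]},
    "web": {"ports": ["80:80", "443:443", "8000-8010:8000-8010"]},
    "metrics": {"ports": ["10.0.0.5:9125:9125/udp"]},
}
```

`audit_services(SAMPLE_SERVICES)` returns one finding for `mongodb` and one for `metrics`; the plain `web` mappings pass, because they never claimed a narrower binding than ingress gives them.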
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
Docker version 17.03.1-ce, build c6d412e
Output of docker info:
docker info for swarm manager:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 17.03.1-ce
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 3
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: active
NodeID: pk7ulemi0z0chgtsg0azfrjz5
Is Manager: true
ClusterID: 27etomlyjvtmygrm6rcdgr2ni
Managers: 1
Nodes: 6
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 3
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
Node Address: 10.129.26.165
Manager Addresses:
10.129.26.165:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 4ab9917febca54791c5f071a9d1f404867857fcc
runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-64-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 992.4 MiB
Name: <HIDDEN>
ID: IMOK:QIR7:WU5Y:WTPP:EPRQ:F77G:ULGE:WOG4:O7S7:6AFE:V7QG:2XEK
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: <HIDDEN>
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional environment details (AWS, VirtualBox, physical, etc.):
Tested on Digital Ocean's droplets.