3-part port binding for docker run or docker-compose is not respected, so services can be exposed on network
#186
Comments
Explanation there by @AkihiroSuda
Colima used to bind to You can still work around that by using the
As of now, there is no way to distinguish between a port forward of 127.0.0.1 and 0.0.0.0 from Lima VM to the host, which prevents taking full advantage of the 3-part port-binding of docker/docker-compose.
I would do some more investigations to see how this can be properly supported.
Thanks, yes, the current default is pretty problematic, major security issues. For example, on ddev it would mean that anybody on the local network could access and alter the database of a project. It also is overriding the explicit configuration given to the container.
This has been fixed upstream in Lima and tested successfully.
Thanks so much. It wasn't my understanding that lima-vm/lima#660 was actually fixing this problem...
* core: update iso to 0.3.4
* docker: support host.docker.internal hostname
* fix #186: 3-part port binding is not respected
@rfay can you kindly try with the latest development version and see if this is fixed?
I confirm that with HEAD colima both issues are solved, thanks so much!
Thanks for confirming, will create a release soon.
Description
(bounced back from lima-vm/lima#655)
macOS 12.2 arm64, colima 0.3.2, limactl version 0.8.2, docker back-end
docker/docker-compose support a 3-part port-binding technique where the interface to bind to can be chosen explicitly. For example:
docker run -p 127.0.0.1:8080:80 --name nginx -d nginx
Given that example, you should be able to
curl localhost:8080
on the system where you ran it, but you should not be able to connect from another interface. For example, if 10.211.55.2 is another interface,
curl 10.211.55.2:8080
should fail.
This has very serious security implications for applications that are not supposed to bind to all interfaces, see
When you bind to all interfaces (the default, 0.0.0.0) it typically means that any user on the local network can access any service running under lima.
To demonstrate this,
docker run -p 127.0.0.1:8080:80 --name nginx -d nginx
curl localhost:8080
- you'll see the default nginx output
curl 10.211.55.2:8080
for example, and it will also show the default nginx output. It should not.
You can repeat the same with any version of docker and you won't see this exposed behavior.
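Two host-side checks for the behaviour described in the report, as an added example that is not part of the issue and not code from colima or lima. The first parses docker's -p spec and the Ports column of docker ps to flag publications on a wildcard address; the second is a live probe with curl that expects the port to answer on loopback and to be refused on every other address you pass (10.211.55.2 is the address used in the report). The sample docker ps lines are constructed. The caveat this issue illustrates is why both checks exist: when the VM-to-host forward ignores the bind address, docker ps inside the VM still shows 127.0.0.1, so only the live probe from the host side reveals the exposure.

```shell
#!/bin/sh
# Added example (not colima's or lima's code): review docker port
# publications from the host side.

# Print the host interface a "-p" spec binds to. Docker's forms are
# ip:hostPort:containerPort, hostPort:containerPort and containerPort;
# anything without an explicit ip publishes on all interfaces.
bind_addr_of_spec() {
  spec=${1%/*}                                # drop a trailing /tcp or /udp
  case $spec in
    \[*\]:*:*) ip=${spec%%]*}; printf '%s\n' "${ip#\[}" ;;  # bracketed IPv6
    *:*:*)     printf '%s\n' "${spec%%:*}" ;;               # 3-part: explicit ip
    *)         printf '%s\n' "0.0.0.0" ;;                   # 2- or 1-part: all interfaces
  esac
}

# Read lines of "NAME PORTS" as printed by
#   docker ps --format '{{.Names}} {{.Ports}}'
# and print one line per mapping: EXPOSED when the host side is a
# wildcard address (0.0.0.0 or ::), local otherwise. Ports that are
# exposed but not published (no "->") are skipped.
audit_ps_lines() {
  while read -r name ports; do
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r m; do
      case $m in *'->'*) ;; *) continue ;; esac
      host=${m%%->*}                          # 0.0.0.0:8080, :::8080, 127.0.0.1:8080 ...
      addr=${host%:*}                         # strip the host port
      case $addr in
        0.0.0.0|::|'') printf '%s EXPOSED %s\n' "$name" "$m" ;;
        *)             printf '%s local %s\n'   "$name" "$m" ;;
      esac
    done
  done
}

# Live check: check_exposure PORT IP...  Returns 0 only when the port
# answers on loopback and every other address given refuses. Needs curl
# and a running container, so it is not exercised offline.
check_exposure() {
  port=$1; shift
  curl -s -o /dev/null --max-time 3 "http://127.0.0.1:$port/" \
    || { echo "127.0.0.1:$port unreachable"; return 2; }
  for ip in "$@"; do
    if curl -s -o /dev/null --max-time 3 "http://$ip:$port/"; then
      echo "EXPOSED: $ip:$port answers"; return 1
    fi
  done
  echo "loopback only"; return 0
}

# Constructed sample of docker ps output (not captured from a real host).
SAMPLE_PS='nginx 127.0.0.1:8080->80/tcp
db 0.0.0.0:3306->3306/tcp, :::3306->3306/tcp
web 8081/tcp'

printf '%s\n' "$SAMPLE_PS" | audit_ps_lines
# On a real host:
#   docker ps --format '{{.Names}} {{.Ports}}' | audit_ps_lines
#   check_exposure 8080 10.211.55.2
```

Run the audit inside and outside the VM: a mapping reported as local by docker ps but answering in check_exposure from a non-loopback address is exactly the forwarding defect this issue describes.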