Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
This was a large part of the reason I switched to rootless podman for everything
Explicitly binding certain ports to the container has a similar effect, no?
I still need to allow the ports in my firewall when using podman, even when I bind to 0.0.0.0.
My problem with podman is the incompatibility with portainer :(
Any recommendations?
Nat is not security.
Keep that in mind.
It's just a crutch ipv4 has to use because it's not as powerful as the almighty ipv6
I DIDNT KNOW THAT! WOW, this puts “not to use network_mode: host” another level.
network: host gives the container basically full access to any port it wants. But even with other network modes you need to be careful, as any -p <external port>:<container port> creates the appropriate firewall rule automatically.
It’s my understanding that docker uses a lot of fuckery and hackery to do what they do. And IME they don’t seem to care if it breaks things.
To be fair, the largest problem here is that it presents itself as the kind of isolation that would respect firewall rules, not that they don't respect them.
People wouldn't make the same mistake in NixOS, despite it doing exactly the same.
This post inspired me to try podman, after it pulled all the images it needed my Proxmox VM died, VM won’t boot cause disk is now full. It’s currently 10pm, tonight’s going to suck.
If I had a nickel for every database I've lost because I let docker broadcast its port on 0.0.0.0 I'd have about 35¢
How though? A database in Docker generally doesn't need any exposed ports, which means no ports open in UFW either.
My impression from a recent crash course on Docker is that it got popular because it allows script kiddies to spin up services very fast without knowing how they work.
OWASP was like "you can follow these thirty steps to make Docker secure, or just run Podman instead." https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
My impression from a recent crash course on Docker is that it got popular because it allows script kiddies to spin up services very fast without knowing how they work.
That's only a side effect. It mainly got popular because it is very easy for developers to ship a single image that just works instead of packaging for various different operating systems with users reporting issues that cannot be reproduced.
I dont really understand the problem with that?
Everyone is a script kiddy outside of their specific domain.
I may know loads about python but nothing about database management or proxies or Linux. If docker can abstract a lot of the complexities away and present a unified way you configure and manage them, where's the bad?
That is definitely one of the crowds but there are also people like me that just are sick and tired of dealing with python, node, ruby depends. The install process for services has only continued to become increasingly more convoluted over the years. And then you show me an option where I can literally just slap down a compose.yml and hit "docker compose up - d" and be done? Fuck yeah I'm using that
No it's popular because it allows people/companies to run things without needing to deal with updates and dependencies manually
This only happens if you essentially tell docker "I want this app to listen on 0.0.0.0:80"
If you don't do that, then it doesn't punch a hole through UFW either.
For all the raving about podman, it's dumb too. I've seen multiple container networks stupidly route traffic across each other when they shouldn't. Yay services kept running, but it defeats the purpose. Networking should be so hard that it doesn't work unless it is configured correctly.
Or maybe it should be easy to configure correctly?
instructions unclear, now its hard to use and to configure
You're forgetting the part where they had an option to disable this fuckery, and then proceeded to move it twice - exposing containers to everyone by default.
I had to clean up compromised services twice because of it.
rootless podman and sockets ❤️
This is why I install on bare metal, baby!
We use Firewalld integration with Docker instead due to issues with UFW. Didn't face any major issues with it.
I also ended up using firewalld and it mostly worked, although I first had to change some zone configs.
I mean if you're hosting anything publicly, you really should have a dedicated firewall
On windows (coughing)
Somehow I think that's on ufw not docker. A firewall shouldn't depend on applications playing by their rules.
ufw just manages iptables rules, if docker overrides those it's on them IMO
Feels weird that an application is allowed to override iptables though. I get that when it's installed with root everything's off the table, but still....