Right now, the following appears to be the current situation given docker's current state of implementation:
When using IPv4:
(EDIT: Apparently an INCORRECT statement: Only ports EXPOSE'd are reachable by any other containers. This means random small programs inadvertently opening ports in a container aren't much of a problem. - Correction: EXPOSE only adds metadata, and ports are reachable anyway if you really want to even when not exposed)
Only ports -p/--publish'd are reachable by the outside world. This means any containers having unsecured plain-text and possibly password-lacking backends that are not EXPOSE'd are safely protected and cannot be reached directly from the outside world.
When enabling IPv6 support:
Suddenly, any sort of [::0] listen on any container is immediately reachable from everywhere in the world. (Correct me if this is wrong. I haven't had the chance to test this myself because of IPv6 configuration problems at my hosting provider, so I've had to rely on information provided by other docker users and developers. If I'm putting a factually incorrect statement out with this, I'm sorry and I'll be happy to immediately retract this ticket.)
This behavior difference is absolutely insane. It needs to be changed. You are asking for users to get into trouble.
To make a more constructive remark: one solution would be to introduce an explicit docker run switch to make a container globally reachable on an opt-in basis, and in the absence of that switch docker should default to writing iptables rules that drop all incoming connections to any container's global IPv6 address on non-published ports.
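The default-deny rule set the ticket proposes, as an added illustration that is not part of the original issue and not Docker's own implementation: it builds ip6tables FORWARD rules for a bridge's IPv6 subnet (allow reply traffic, allow only published ports, drop everything else arriving from outside the bridge) and includes a minimal first-match evaluator so the policy can be checked against sample packets offline. The bridge name docker0, the 2001:db8:1::/64 subnet, the container addresses and the published ports are constructed sample values.

```python
"""Generate a default-deny ip6tables policy for a Docker bridge's IPv6 subnet
and check sample packets against it (added example; constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BRIDGE = "docker0"  # assumed bridge interface; container-to-container traffic enters here


@dataclass
class Rule:
    target: str                          # ACCEPT or DROP
    dst: str                             # IPv6 address (/128) or prefix
    proto: Optional[str] = None          # tcp/udp, None matches any protocol
    dport: Optional[int] = None
    new_only: bool = False               # -m conntrack --ctstate NEW
    established_only: bool = False       # -m conntrack --ctstate ESTABLISHED,RELATED
    not_in_iface: Optional[str] = None   # "! -i <iface>": only traffic NOT from this interface

    def as_command(self) -> str:
        """Render the rule as an ip6tables command appended to the FORWARD chain."""
        parts = ["ip6tables", "-A", "FORWARD"]
        if self.not_in_iface:
            parts += ["!", "-i", self.not_in_iface]
        parts += ["-d", self.dst]
        if self.proto:
            parts += ["-p", self.proto, "--dport", str(self.dport)]
        if self.established_only:
            parts += ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED"]
        elif self.new_only:
            parts += ["-m", "conntrack", "--ctstate", "NEW"]
        parts += ["-j", self.target]
        return " ".join(parts)


def build_rules(subnet: str, published: Dict[str, List[Tuple[str, int]]]) -> List[Rule]:
    """Default-deny policy: replies allowed, published ports allowed, rest dropped."""
    rules = [Rule("ACCEPT", subnet, established_only=True)]
    for addr, ports in published.items():
        for proto, port in ports:
            rules.append(Rule("ACCEPT", addr, proto, port, new_only=True))
    # Traffic already on the bridge (container to container) is not affected.
    rules.append(Rule("DROP", subnet, not_in_iface=BRIDGE))
    return rules


@dataclass
class Packet:
    dst: str
    proto: str
    dport: int
    in_iface: str
    state: str = "NEW"


def evaluate(rules: List[Rule], pkt: Packet, default: str = "ACCEPT") -> str:
    """First-match evaluation of a packet against the generated rules."""
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if dst not in ipaddress.ip_network(r.dst, strict=False):
            continue
        if r.proto and (r.proto != pkt.proto or r.dport != pkt.dport):
            continue
        if r.established_only and pkt.state not in ("ESTABLISHED", "RELATED"):
            continue
        if r.new_only and pkt.state != "NEW":
            continue
        if r.not_in_iface and pkt.in_iface == r.not_in_iface:
            continue
        return r.target
    return default


# Constructed sample topology: a web container with a published port and a
# database container with none (documentation prefix, not a real network).
SUBNET = "2001:db8:1::/64"
PUBLISHED = {
    "2001:db8:1::10": [("tcp", 80)],   # web: published with -p 80
    "2001:db8:1::20": [],              # db: listens on [::]:5432 but nothing published
}
RULES = build_rules(SUBNET, PUBLISHED)


def verdict(dst: str, proto: str, dport: int, in_iface: str, state: str = "NEW") -> str:
    return evaluate(RULES, Packet(dst, proto, dport, in_iface, state))


if __name__ == "__main__":
    for r in RULES:
        print(r.as_command())
    print("db:5432 from eth0 ->", verdict("2001:db8:1::20", "tcp", 5432, "eth0"))
```

The evaluator exists only to make the policy testable without root or a kernel; the rendered commands are what a host would actually apply, and they assume br_netfilter-style bridge traffic traversing FORWARD.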