libcnb-test: ContainerConfig::expose_port exposes ports to the internet #609

Closed
edmorley opened this issue Jul 24, 2023 · 0 comments · Fixed by #610
edmorley commented Jul 24, 2023

ContainerConfig::expose_port exposes ports on the started container to the host machine.

Currently libcnb-test does not set a host_ip in the corresponding PortBinding:


https://docs.rs/bollard/latest/bollard/models/struct.PortBinding.html

The Bollard docs don't say what this implies; however, the Docker run docs say:

> Note that ports which are not bound to the host (i.e., -p 80:80 instead of -p 127.0.0.1:80:80) are externally accessible.

(on https://docs.docker.com/engine/reference/commandline/run/#publish)

And on the networking page:

> Publishing container ports is insecure by default. Meaning, when you publish a container’s ports it becomes available not only to the Docker host, but to the outside world as well.
>
> If you include the localhost IP address (127.0.0.1) with the publish flag, only the Docker host can access the published container port.

(on https://docs.docker.com/network/#published-ports)

We should set the host_ip to 127.0.0.1, so that ports are only exposed to localhost, and not the internet.

IMO this is another example of how using Bollard makes it harder for us to understand what's going on, since Bollard's docs don't mention this pitfall, and it's not necessarily obvious at first glance how PortBinding correlates to the docker run options.
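
The following Rust example is added here for illustration and is not code from libcnb-test or Bollard: it classifies a port binding by where the published port is reachable from, and rewrites it to localhost-only. The `PortBinding` struct is a local stand-in with the two fields discussed above, the `Exposure` enum and function names are hypothetical, and it assumes the Docker default of publishing on all interfaces when no host IP is given.

```rust
use std::net::IpAddr;

/// Local stand-in mirroring the two fields of Bollard's `PortBinding`
/// (assumption: kept std-only, so the bollard crate is not imported).
#[derive(Debug, Clone, PartialEq)]
pub struct PortBinding {
    pub host_ip: Option<String>,
    pub host_port: Option<String>,
}

/// Hypothetical classification of where a published port is reachable from.
#[derive(Debug, PartialEq)]
pub enum Exposure {
    LoopbackOnly,      // e.g. `-p 127.0.0.1:80:80`
    AllInterfaces,     // e.g. `-p 80:80`, or an explicit 0.0.0.0 / ::
    SpecificInterface, // bound to one non-loopback host address
    Invalid,           // host_ip is not an IP address
}

/// Assumes the Docker default: no host IP means "publish on all interfaces".
pub fn classify(binding: &PortBinding) -> Exposure {
    let ip = binding.host_ip.as_deref().map(str::trim).unwrap_or("");
    if ip.is_empty() {
        return Exposure::AllInterfaces;
    }
    match ip.parse::<IpAddr>() {
        Ok(addr) if addr.is_loopback() => Exposure::LoopbackOnly,
        Ok(addr) if addr.is_unspecified() => Exposure::AllInterfaces,
        Ok(_) => Exposure::SpecificInterface,
        Err(_) => Exposure::Invalid,
    }
}

/// Returns a binding limited to localhost, keeping the host port unchanged.
pub fn restrict_to_localhost(binding: &PortBinding) -> PortBinding {
    match classify(binding) {
        Exposure::LoopbackOnly => binding.clone(),
        _ => PortBinding { host_ip: Some("127.0.0.1".into()), ..binding.clone() },
    }
}

fn main() {
    // Constructed sample bindings, not taken from libcnb-test.
    for ip in [None, Some("0.0.0.0"), Some("::1"), Some("192.0.2.10")] {
        let b = PortBinding { host_ip: ip.map(String::from), host_port: Some("8080".into()) };
        println!("{:?} -> {:?} -> {:?}", b.host_ip, classify(&b), restrict_to_localhost(&b).host_ip);
    }
}
```

A check like `classify` can run in a test helper or CI lint to reject any binding that is not `LoopbackOnly` before a container is started.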

@edmorley edmorley added bug Something isn't working libcnb-test labels Jul 24, 2023
@edmorley edmorley self-assigned this Jul 24, 2023
edmorley added a commit that referenced this issue Jul 24, 2023
Previously ports exposed using `ContainerConfig::expose_port` would be
exposed to the internet, rather than just localhost.

See:
https://docs.docker.com/network/#published-ports

Fixes #609.
GUS-W-13812521.