rapid-napkin-54569

05/20/2023, 12:53 AM
Is there any way to force containers to run on localhost and not 0.0.0.0 (Not Kubernetes)
fast-garage-66093

05/20/2023, 1:04 AM
What do you mean by "run on"? You can explicitly bind a port just to localhost
docker run -d --name nginx --restart=always -p 127.0.0.1:8080:80 nginx
This should open port `80` just on localhost and not any external interface
rapid-napkin-54569

05/20/2023, 1:15 AM
I mean is there a way to prevent a container from being run on 0.0.0.0? Like, no matter what IP is given it would run on localhost
fast-garage-66093

05/20/2023, 1:21 AM
I assume this is about Windows. You can probably lock this down via firewall rules. Let's discuss this next week Tuesday with @calm-sugar-3169
rapid-napkin-54569

05/20/2023, 1:22 AM
Ok, awesome. And it would really be both Windows and Mac
fast-garage-66093

05/20/2023, 2:21 AM
What are you trying to protect against? On macOS any unprivileged process can bind to `0.0.0.0`, so there isn't really a way to prevent a user from doing this intentionally. You could configure Rancher Desktop not to bind to it, but the user could undo this, if they really wanted to.
They can always run a trivial port forwarder to forward any port from `127.0.0.1` to `0.0.0.0` themselves, independent of what RD might do.
rapid-napkin-54569

05/20/2023, 9:23 PM
Hmm yeah, we were given requirements to not allow users to be able to open running containers to people outside of their machine.
fast-garage-66093

05/20/2023, 10:38 PM
That means you must prevent them from running containers while they are connected to the network:
$ docker run -d --name nginx --restart=always -p 127.0.0.1:8080:80 nginx
$ curl -s 127.0.0.1:8080 | grep title
<title>Welcome to nginx!</title>
$ curl -s 192.168.17.20:8081 | grep title
# Next command in a different shell; it needs to remain running
$ socat tcp-listen:8081,reuseaddr,fork tcp:localhost:8080
$ curl -s 192.168.17.20:8081 | grep title
<title>Welcome to nginx!</title>
`socat` is not part of macOS, but you can do the same thing with `mkfifo` and `nc`; it is just a little more work. But it shows that as an unprivileged user you can easily forward any port from `127.0.0.1` to `0.0.0.0` if you really want to.
The most we could provide from Rancher Desktop would be an option that simple port forwarding without specifying an interface would bind to `127.0.0.1` instead of `0.0.0.0`. But that would break docker compatibility. Not sure if it is worth spending effort on.
It seems more sensible to force aggressive firewall rules that would block all incoming connections to the machine. Then it doesn't matter if the containers bind to external ports or not.
I've still created Add an option to prevent port forwarding to external ports · Issue #4726 because it feels like a useful safeguard to prevent accidental exposure of ports, even if it doesn't prevent malicious forwarding.
rapid-napkin-54569

05/23/2023, 2:39 AM
Awesome! Thank you, I was unaware that that was possible to do. Right now we are struggling to rework some things for a tight deadline to get this working. We really don't want to purchase 8000 seats for Docker lol