# rancher-desktop
f
What do you mean by "run on"? You can explicitly bind a port just to localhost
```shell
docker run -d --name nginx --restart=always -p 127.0.0.1:8080:80 nginx
```
This should open port `80` just on localhost and not any external interface
r
I mean is there a way to prevent a container from being run on 0.0.0.0? Like, no matter what IP is given it would run on localhost
f
I assume this is about Windows. You can probably lock this down via firewall rules. Let's discuss this next week Tuesday with @calm-sugar-3169
r
Ok, awesome. and it would really be both Windows and Mac
f
What are you trying to protect against? On macOS any unprivileged process can bind to `0.0.0.0`, so there isn't really a way to prevent a user from doing this intentionally. You could configure Rancher Desktop not to bind to it, but the user could undo this if they really wanted to.
They can always run a trivial port forwarder to forward any port from `127.0.0.1` to `0.0.0.0` themselves, independent of what RD might do.
r
Hmm yeah, we were given requirements to not allow users to be able to open running containers to people outside of their machine.
f
That means you must prevent them from running containers while they are connected to the network:
```shell
$ docker run -d --name nginx --restart=always -p 127.0.0.1:8080:80 nginx
$ curl -s 127.0.0.1:8080 | grep title
<title>Welcome to nginx!</title>
$ curl -s 192.168.17.20:8081 | grep title
# Next command in a different shell; it needs to remain running
$ socat tcp-listen:8081,reuseaddr,fork tcp:localhost:8080
$ curl -s 192.168.17.20:8081 | grep title
<title>Welcome to nginx!</title>
```
`socat` is not part of macOS, but you can do the same thing with `mkfifo` and `nc`; it is just a little more work. But it shows that as an unprivileged user you can easily forward any port from `127.0.0.1` to `0.0.0.0` if you really want to.
The most we could provide from Rancher Desktop would be an option so that simple port forwarding without specifying an interface would bind to `127.0.0.1` instead of `0.0.0.0`. But that would break docker compatibility. Not sure if it is worth spending effort on.
It seems more sensible to force aggressive firewall rules that would block all incoming connections to the machine. Then it doesn't matter if the containers bind to external ports or not.
I've still created "Add an option to prevent port forwarding to external ports" (Issue #4726) because it feels like a useful safeguard to prevent accidental exposure of ports, even if it doesn't prevent malicious forwarding.
r
Awesome! Thank you, I was unaware that that was possible to do. Right now we are struggling to rework some things for a tight deadline to get this working. We really don't want to purchase 8000 seats for Docker lol