Right now, the following appears to be the current situation given docker's current state of implementation:
When using IPv4: (EDIT: Apparently an INCORRECT statement: Only ports EXPOSE'd are reachable by any other containers. This means random small programs inadvertently opening ports in a container aren't much of a problem. - Correction: EXPOSE only adds metadata, and ports are reachable anyway if you really want to even when not exposed)
Only ports -p/--publish'd are reachable by the outside world. This means any containers having unsecured plain-text and possibly password-lacking backends that are not EXPOSE'd are safely protected and cannot be reached directly from the outside world.
When enabling IPv6 support:
Suddenly, any sort of [::0] listen on any container is immediately reachable from everywhere in the world. (Correct me if this is wrong. I haven't had the chance to test this myself because of IPv6 configuration problems at my hosting provider, so I've had to rely on information provided by other docker users and developers. If I'm putting a factually incorrect statement out with this, I'm sorry and I'll be happy to immediately retract this ticket.)
This behavior difference is absolutely insane. It needs to be changed. You are asking for users to get into trouble.
To make a more constructive remark: one solution would be to introduce an explicit docker run switch to make a container globally reachable on an opt-in basis, and in the absence of that switch docker should default to writing iptables rules that drop all incoming connections to any container's global IPv6 address for non-published ports.
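As an added illustration of the drop-by-default behaviour proposed above (example code, not part of the original issue or of Docker itself): a small POSIX shell function that emits the ip6tables commands for one container address or subnet, allowing only the listed ports for new inbound connections and dropping everything else. The chain name `DOCKER6-GUARD`, the documentation prefix `2001:db8::/64` and the port list are constructed assumptions; the script only prints the commands so it can be reviewed before anything is applied with root privileges.

```shell
#!/bin/sh
# Added example, not Docker's own code: generate ip6tables rules that mirror the
# IPv4 -p/--publish semantics for a container's global IPv6 address.
# Assumptions: a dedicated chain (DOCKER6-GUARD) hooked at the top of FORWARD,
# and "proto:port" arguments naming the ports that are meant to be published.

# gen_ipv6_rules DEST proto:port [proto:port ...]
#   DEST is the container's IPv6 address or the bridge's IPv6 subnet.
#   Prints the commands; it never runs them.
gen_ipv6_rules() {
    dest="$1"; shift
    chain="DOCKER6-GUARD"   # hypothetical chain name, not a Docker-defined chain

    printf 'ip6tables -N %s\n' "$chain"
    # Replies to connections the container itself opened must keep flowing.
    printf 'ip6tables -A %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$chain" "$dest"
    # One explicit ACCEPT per "published" port (the opt-in part).
    for spec in "$@"; do
        proto="${spec%%:*}"
        port="${spec#*:}"
        printf 'ip6tables -A %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$chain" "$dest" "$proto" "$port"
    done
    # Anything else addressed to the container is dropped: a program that
    # inadvertently listens on [::] is no longer reachable from the Internet.
    printf 'ip6tables -A %s -d %s -j DROP\n' "$chain" "$dest"
    # Insert at position 1 so it runs before any ACCEPT rules Docker adds later.
    printf 'ip6tables -I FORWARD 1 -j %s\n' "$chain"
}

# Usage demo with a constructed subnet and two published ports.
if [ $# -gt 0 ]; then
    gen_ipv6_rules "$@"
fi
```

Run as `sh guard.sh 2001:db8::/64 tcp:80 tcp:443` to see the rule set; packets that are not destined for `DEST` fall through the chain untouched, so the container's own outbound traffic and other hosts are unaffected. Newer Docker releases can manage ip6tables themselves, in which case the rules belong in the `DOCKER-USER` chain rather than a hand-made one.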