Issue Exposing Docker container ports for localhost only

Michael Lux

New Pleskian
Hello everybody,

recently, we started using the Docker extension of Plesk.
Personally, I think that this extension is - in theory - a brilliant idea.
However, when it comes to the details of implementation, I think that some things have not really been thought through to the end.
This is because of the way Docker interacts with iptables:
By default, it exposes ports to the whole world, not just to localhost!
Even worse, the nat entries used for that seem to "bypass" the protection rules of firewalld (apart from other problems with firewalld and Docker).

Now, when I start a redis instance with the Docker extension, it takes only minutes until the instance is attacked from the outside.
According to "Is there a way to bind a docker container to localhost only?" this could be solved on the command line, but our "managed hosting" only allows full access to Plesk, not to the (root) shell of the underlying OS.

Is there any planned feature for the Docker extension to limit port exposure to localhost?
Is there maybe something the technical support (they have root access) could do to prevent Docker from interfering with iptables altogether?

Best,
Michael
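An added audit check, not code from this thread or from Plesk: a small sh/awk filter over the PORTS column of `docker ps --format '{{.Names}}\t{{.Ports}}'` that lists every published port Docker bound to all interfaces, which is exactly the world-open binding the post describes. The three container lines are constructed sample output, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk.
# Audits the PORTS column of `docker ps` and reports mappings that Docker
# published on all interfaces (0.0.0.0 / :: / [::]).  A mapping bound to
# 127.0.0.1 is left alone.
#
# Real use (root shell on the host):
#   docker ps --format '{{.Names}}\t{{.Ports}}' | audit_ps

# Constructed sample output of the docker ps command above (tab-separated).
sample_ps() {
    printf 'redis\t0.0.0.0:6379->6379/tcp, :::6379->6379/tcp\n'
    printf 'mariadb\t127.0.0.1:3307->3306/tcp\n'
    printf 'bookstack\t0.0.0.0:8080->80/tcp, [::]:8080->80/tcp\n'
}

# Reads "<name>\t<ports>" lines on stdin; prints "<name> <mapping>" for
# every mapping whose host side is a wildcard address.  Exposed-but-not-
# published entries such as "6379/tcp" carry no host address and are skipped.
world_exposed() {
    awk -F'\t' '{
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m ~ /^0\.0\.0\.0:/ || m ~ /^:::/ || m ~ /^\[::\]:/)
                print $1, m
        }
    }'
}

# Exit status 1 when anything is world-open, so the check can run from cron
# or a monitoring job after every dockerd restart (which re-creates the
# nat rules).
audit_ps() {
    found="$(world_exposed)"
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demo on the constructed sample.  The fix on the Docker side is to publish
# with an explicit bind address, e.g. "-p 127.0.0.1:6379:6379", or to set
# "ip": "127.0.0.1" in /etc/docker/daemon.json so that becomes the default.
sample_ps | world_exposed
```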
 
Hi Michael,

We know about this limitation and plan to fix it in one of the next releases, but I have no ETA for this update.
 
Good to hear that it's at least somehow on the agenda.
How do you plan to fix this?
In fact, an embarrassingly simple change allowing the specification of a binding IP with the port would be perfectly sufficient. The only problem is that the current filter won't let me do this and instead replies "invalid port specification: "127.0.0.1:6379"".
 
Hi,
in my case I use some firewall rules and it seems to be ok.

The issue seems to be related to CentOS, because even without additional firewall rules, container ports are not accessible from the outside (I have tried with MariaDB and redis-server, and there is no way to log in from another server) on my Ubuntu server.
 
> Hi,
> in my case I use some firewall rules and it seems to be ok.

Have you checked what happens when you restart dockerd and the container, or even the whole system?
Because our support told me that the most likely reason for this "solution" to work is that the Plesk firewall seems to delete the nat entries of Docker.
So, did you verify that this is indeed a solution and not just a side-effect?
 
> The issue seems to be related to CentOS, because even without additional firewall rules, container ports are not accessible from the outside (I have tried with MariaDB and redis-server, and there is no way to log in from another server) on my Ubuntu server.

Interesting... because this is not an issue, but the intended behavior according to the Docker extension docs, see [1]:
"Important: If port mapping is configured, Docker binds to the specified port on all network interfaces of the host system. Usually, this means that the application can be accessed from anywhere. Docker presumes that authentication is carried out by the application itself, but sometimes it is not so (for example, MySQL does not allow anonymous access by default, but redis does).
Plesk cannot determine what service is installed in a specific Docker container, and cannot control access to it. If you need to prohibit access to the application from outside Plesk, do it manually using the firewall on the host system."

[1] Using Docker
 
I haven't set any additional rules in the Plesk firewall. Port mapping is configured on my two containers, 3307 -> 3306 for MySQL and 6380 -> 6379 for Redis, but even when scanning those ports with nmap, the ports are not accessible from outside.
 
> I haven't set any additional rules in the Plesk firewall. Port mapping is configured on my two containers, 3307 -> 3306 for MySQL and 6380 -> 6379 for Redis, but even when scanning those ports with nmap, the ports are not accessible from outside.
Are you using the Plesk firewall? If so, did you enable it before or after starting the containers?
Because starting the firewall appeared to solve the problem for me as well... until I had to restart dockerd, which recreated the nat entries and made the ports world-open again...
 
Hi, sorry to dig up this thread, but I think it's better than opening a new one; this concern is still present...

Even worse, actually: when applying the "hack" with the Plesk firewall, my container stops by itself, as if Docker notices that iptables modified a port of a container that belongs to it, and then restarts and reopens its ports on its own. I do not know if it is specific to my container (linuxserver/bookstack) or to Docker; anyway, it holds me back from using the Plesk Docker extension, at least for now :/

I really hope the Docker extension for Plesk will be updated to fix this huge problem (and others; that would be good too), add basic functions of Portainer for example, but above all add support for Docker Compose, which would be great.
 