Issue Exposing Docker container ports for localhost only

[Michael Lux]

Hello everybody,

recently, we started using the Docker extension of Plesk.
Personally, I think that this extension is - in theory - a brilliant idea.
However, when it comes to the details of implementation, I think that some things have not really been thought through to the end.
This is because of the way Docker interacts with iptables:
By default, it exposes ports to the whole world, not just to localhost!
Even worse, the nat entries used for that seem to "bypass" the protection rules of firewalld (apart from other problems with firewalld and Docker).

Now, when I start a redis instance with the Docker extension, it takes only minutes until the instance is attacked from the outside.
According to Is there a way to bind a docker container to localhost only? this could be solved on the command line, but our "managed hosting" does only allow full access to Plesk, not to the (root) shell of the underlying OS.

Is the any planned feature for the Docker extension to limit the port exposing to localhost?
Is there maybe something the technical support (those have root access) could do to prevent Docker from interfering with iptables altogether?

Best,
Michael

 

[AYamshanov]

Hi Michael,

We know about this limitation and plan to fix it in one of the next releases, but I have no any ETA for this update.

 

[Michael Lux]

Good to hear that it's at least somehow on the agenda.
How do you plan to fix this?
In fact, an embarrassingly simple change allowing the specification of a binding IP with the port would be perfectly sufficient. The only problem is that the current filter won't let me do this and instead reply "invalid port specification: "127.0.0.1:6379"".

 

[bulent]

Hi,
in my case I use some firewall rules and seems to be ok.

 

[virtubox]

Hello everybody,

recently, we started using the Docker extension of Plesk.
Personally, I think that this extension is - in theory - a brilliant idea.
However, when it comes to the details of implementation, I think that some things have not really been thought through to the end.
This is because of the way Docker interacts with iptables:
By default, it exposes ports to the whole world, not just to localhost!
Even worse, the nat entries used for that seem to "bypass" the protection rules of firewalld (apart from other problems with firewalld and Docker).

Now, when I start a redis instance with the Docker extension, it takes only minutes until the instance is attacked from the outside.
According to Is there a way to bind a docker container to localhost only? this could be solved on the command line, but our "managed hosting" does only allow full access to Plesk, not to the (root) shell of the underlying OS.

Is the any planned feature for the Docker extension to limit the port exposing to localhost?
Is there maybe something the technical support (those have root access) could do to prevent Docker from interfering with iptables altogether?

Best,
Michael

Hi,
in my case I use some firewall rules and seems to be ok.

Issue seems to be related to Centos, because even without addtional firewall rules, containers ports are not accessible from the outside (I have tried with MariaDB and redis-server, and no way to login from another server) on my Ubuntu server

 

[Michael Lux]

Hi,
in my case I use some firewall rules and seems to be ok.

Have you checked what happens when you restart dockerd and the container, or even the whole system?
Cause our support told me that the most likely reason for this "solution" to work is that the Plesk firewall seems to delete the nat entries of Docker.
So, did you verify that this is indeed a solution and not just a side-effect?

 

[Michael Lux]

Issue seems to be related to Centos, because even without addtional firewall rules, containers ports are not accessible from the outside (I have tried with MariaDB and redis-server, and no way to login from another server) on my Ubuntu server

Interesting... because this not an issue, but the intended behavior according to the Docker extension docs, see [1]:
"Important: If port mapping is configured, Docker binds to the specified port on all network interfaces of the host system. Usually, this means that the application can be accessed from anywhere. Docker presumes that authentication is carried out by the application itself, but sometimes it is not so (for example, MySQL does not allow anonymous access by default, but redis does).
Plesk cannot determine what service is installed in a specific Docker container, and cannot control access to it. If you need to prohibit access to the application from outside Plesk, do it manually using the firewall on the host system."

[1] Using Docker

 

[virtubox]

Interesting... because this not an issue, but the intended behavior according to the Docker extension docs, see [1]:
"Important: If port mapping is configured, Docker binds to the specified port on all network interfaces of the host system. Usually, this means that the application can be accessed from anywhere. Docker presumes that authentication is carried out by the application itself, but sometimes it is not so (for example, MySQL does not allow anonymous access by default, but redis does).
Plesk cannot determine what service is installed in a specific Docker container, and cannot control access to it. If you need to prohibit access to the application from outside Plesk, do it manually using the firewall on the host system."

[1] Using Docker

I haven't set any additional rules in Plesk firewall. Port mapping is configured on my two containers, 3307 -> 3306 for MySQL, 6380 -> 6379 for Redis but even by scanning those ports with nmap, ports are not accessibles from outside.

 

[Michael Lux]

I haven't set any additional rules in Plesk firewall. Port mapping is configured on my two containers, 3307 -> 3306 for MySQL, 6380 -> 6379 for Redis but even by scanning those ports with nmap, ports are not accessibles from outside.

Are you using the Plesk firewall? If so, did you enable it before or after starting the containers?
Because starting the firewall appeared to solve the problem for me as well... until I had to restart dockerd, which recreated the nat entries and made the ports world-open again...

 

[virtubox]

Yes, I use Plesk firewall, and it was enabled before starting the containers.

 

[Erdack54]

Hi, sorry to dig up this thread but I think it's better than reopening a new one, this concern is still present ...

Even worse actually, when applying the "hack" with the Plesk firewall, my container stops by itself, as if Docker notices that iptables modify a port of a container that belongs to it, and restarts then reopens his ports on its own , I do not know if it is specific to my container (linuxserver/bookstack) or to Docker, anyway it slows me down to use Plesk Docker extension, at least for now :/

I really hope the Docker extension for Plesk will be updated to fix this huge problem (And others that would be good too), add basic functions of Portainer for example, but above all add the support of Docker Compose this would be very great