The docker-compose.yml file included in the compose directory deploys a number of containers, many of which need to expose a port for use by other containers. The exposed ports all show up in the docker compose host bound to 0.0.0.0. Depending on the firewall/iptables setup on the docker compose host, those ports could be accessed from an external machine.
Example:

```
$ docker-compose ps
Name                                      Command                          State   Ports
---------------------------------------------------------------------------------------------------------------------------------
compose_archivematica-dashboard_1         /bin/sh -c /usr/local/bin/ ...   Up      8000/tcp
compose_archivematica-mcp-client_1        /bin/sh -c /src/MCPClient/ ...   Up
compose_archivematica-mcp-server_1        /bin/sh -c /src/MCPServer/ ...   Up
compose_archivematica-storage-service_1   /bin/sh -c /usr/local/bin/ ...   Up      8000/tcp
compose_clamavd_1                         /run.sh                          Up      0.0.0.0:62006->3310/tcp
compose_elasticsearch_1                   /docker-entrypoint.sh elas ...   Up      0.0.0.0:62002->9200/tcp, 9300/tcp
compose_fits_1                            /usr/bin/fits-ngserver.sh ...    Up      0.0.0.0:62005->2113/tcp
compose_gearmand_1                        docker-entrypoint.sh --que ...   Up      0.0.0.0:62004->4730/tcp
compose_mysql_1                           docker-entrypoint.sh mysqld      Up      0.0.0.0:62001->3306/tcp
compose_nginx_1                           nginx -g daemon off;             Up      0.0.0.0:62080->80/tcp, 0.0.0.0:62081->8000/tcp
compose_redis_1                           docker-entrypoint.sh --sav ...   Up      0.0.0.0:62003->6379/tcp
```
Most of those services (in particular elasticsearch) should be bound to 127.0.0.1 instead of 0.0.0.0 by default. This would still make them available to a developer from their host machine, but not from any external machines without explicitly allowing it/configuring it in the host machine's firewall.
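One way to audit a host for the bindings described in this issue, as an added example that is not part of the original report or the project's code: it parses `docker-compose ps` output, flags ports published on all interfaces, and prints the loopback-only `ports:` entry (compose short syntax `HOST_IP:HOST_PORT:CONTAINER_PORT`) that would replace each one. The function names are hypothetical; the sample rows are copied from the output quoted above.

```python
import re

# Ports column entries look like "0.0.0.0:62002->9200/tcp". Entries without
# "->" (e.g. "9300/tcp") are reachable by other containers only, not published.
BINDING = re.compile(
    r"(?P<ip>[0-9.]+|::|\[::\]):(?P<host_port>\d+)->(?P<container_port>\d+)/(?P<proto>\w+)"
)
WILDCARD_IPS = {"0.0.0.0", "::", "[::]"}  # "all interfaces" for IPv4 and IPv6

# Sample input: rows copied from the `docker-compose ps` output in the issue.
SAMPLE_PS = """\
compose_archivematica-dashboard_1 /bin/sh -c /usr/local/bin/ ... Up 8000/tcp
compose_elasticsearch_1 /docker-entrypoint.sh elas ... Up 0.0.0.0:62002->9200/tcp, 9300/tcp
compose_mysql_1 docker-entrypoint.sh mysqld Up 0.0.0.0:62001->3306/tcp
compose_nginx_1 nginx -g daemon off; Up 0.0.0.0:62080->80/tcp, 0.0.0.0:62081->8000/tcp
"""

def published_bindings(ps_output):
    """Return one dict per host-published port found in `docker-compose ps` output."""
    found = []
    for line in ps_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        for m in BINDING.finditer(line):
            found.append({
                "container": fields[0],
                "host_ip": m["ip"],
                "host_port": int(m["host_port"]),
                "container_port": int(m["container_port"]),
                "proto": m["proto"],
            })
    return found

def wildcard_bindings(ps_output):
    """Keep only bindings that listen on every host interface."""
    return [b for b in published_bindings(ps_output) if b["host_ip"] in WILDCARD_IPS]

def loopback_mapping(binding):
    """Build the short-syntax `ports:` entry that publishes on 127.0.0.1 only."""
    suffix = "" if binding["proto"] == "tcp" else "/" + binding["proto"]
    return f'127.0.0.1:{binding["host_port"]}:{binding["container_port"]}{suffix}'

if __name__ == "__main__":
    for b in wildcard_bindings(SAMPLE_PS):
        print(f'{b["container"]}: {b["host_ip"]}:{b["host_port"]} -> "{loopback_mapping(b)}"')
```

On a live host, pass the captured output of `docker-compose ps` to `wildcard_bindings` in place of `SAMPLE_PS`.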