artefactual-labs / am

Development environment for Archivematica
https://archivematica.org
GNU Affero General Public License v3.0

Problem: internal services may be exposed outside the docker compose host #61

Closed jhsimpson closed 5 years ago

jhsimpson commented 6 years ago

The docker-compose.yml file included in the compose directory deploys a number of containers, many of which need to expose a port for use by other containers. The exposed ports all show up in the docker compose host bound to 0.0.0.0. Depending on the firewall/iptables setup on the docker compose host, those ports could be accessed from an external machine.

example:

$ docker-compose ps
                 Name                                Command               State                       Ports                     
---------------------------------------------------------------------------------------------------------------------------------
compose_archivematica-dashboard_1         /bin/sh -c /usr/local/bin/ ...   Up      8000/tcp                                      
compose_archivematica-mcp-client_1        /bin/sh -c /src/MCPClient/ ...   Up                                                    
compose_archivematica-mcp-server_1        /bin/sh -c /src/MCPServer/ ...   Up                                                    
compose_archivematica-storage-service_1   /bin/sh -c /usr/local/bin/ ...   Up      8000/tcp                                      
compose_clamavd_1                         /run.sh                          Up      0.0.0.0:62006->3310/tcp                       
compose_elasticsearch_1                   /docker-entrypoint.sh elas ...   Up      0.0.0.0:62002->9200/tcp, 9300/tcp             
compose_fits_1                            /usr/bin/fits-ngserver.sh  ...   Up      0.0.0.0:62005->2113/tcp                       
compose_gearmand_1                        docker-entrypoint.sh --que ...   Up      0.0.0.0:62004->4730/tcp                       
compose_mysql_1                           docker-entrypoint.sh mysqld      Up      0.0.0.0:62001->3306/tcp                       
compose_nginx_1                           nginx -g daemon off;             Up      0.0.0.0:62080->80/tcp, 0.0.0.0:62081->8000/tcp
compose_redis_1                           docker-entrypoint.sh --sav ...   Up      0.0.0.0:62003->6379/tcp                       

Most of those services (in particular elasticsearch) should be bound to 127.0.0.1 instead of 0.0.0.0 by default. This would still make them available to a developer from their host machine, but not from any external machines without explicitly allowing it/configuring it in the host machine's firewall.
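Added example (not code from the am repository or its compose directory): a small audit of docker-compose short-syntax `ports` entries that flags anything Docker would publish on 0.0.0.0 (or ::), run over constructed mappings modelled on the `docker-compose ps` output above, with the `127.0.0.1:HOST:CONTAINER` form shown as the corrected setting. The service names and port numbers are taken from the listing; the compose entries themselves are an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PortMapping:
    host_ip: Optional[str]    # None: compose leaves it to Docker, i.e. 0.0.0.0
    host_port: Optional[str]  # None: only the container port was listed
    container_port: str
    proto: str


def parse_port_mapping(spec: str) -> PortMapping:
    """Parse compose short syntax: [[IP:]HOST:]CONTAINER[/PROTO]."""
    body, _, proto = str(spec).strip().partition("/")
    proto = proto or "tcp"
    host_ip = None
    if body.startswith("["):                 # bracketed IPv6: [::1]:62002:9200
        end = body.index("]")
        host_ip, body = body[1:end], body[end + 1:].lstrip(":")
    parts = body.split(":")
    if len(parts) == 1:                      # "9200": ephemeral host port
        return PortMapping(host_ip, None, parts[0], proto)
    if len(parts) > 2 and host_ip is None:   # IPv4 or bare IPv6 prefix
        host_ip = ":".join(parts[:-2])
    return PortMapping(host_ip, parts[-2], parts[-1], proto)


def is_exposed_to_all(m: PortMapping) -> bool:
    """True when the host side is published on every interface."""
    if m.host_ip is None:                    # no IP given: Docker uses 0.0.0.0
        return True
    return ipaddress.ip_address(m.host_ip).is_unspecified   # 0.0.0.0 or ::


def audit(services: Dict[str, List[str]]) -> List[str]:
    """Return 'service: spec' for every published port bound to all interfaces."""
    return [f"{name}: {spec}" for name, specs in services.items()
            for spec in specs if is_exposed_to_all(parse_port_mapping(spec))]


# Constructed sample entries modelled on the issue's listing (not the real file).
WEAK = {"elasticsearch": ["62002:9200"], "mysql": ["62001:3306"],
        "nginx": ["62080:80", "62081:8000"]}
FIXED = {"elasticsearch": ["127.0.0.1:62002:9200"], "mysql": ["127.0.0.1:62001:3306"],
         "nginx": ["127.0.0.1:62080:80", "127.0.0.1:62081:8000"]}

if __name__ == "__main__":
    print("weak:", audit(WEAK))    # every entry is flagged
    print("fixed:", audit(FIXED))  # []
```

Binding to 127.0.0.1 only closes the port at the Docker level; a host firewall rule is still the right place to enforce the policy for anything that must stay published.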