docker / machine

Machine management for a container-centric world
https://docs.docker.com/machine/
Apache License 2.0

Firewall expectations from drivers #2883

Closed ahmetb closed 8 years ago

ahmetb commented 8 years ago

Hi, I think this is going to be a #question.

What are the network firewall expectations from docker-machine drivers provisioning instances on the cloud? VirtualBox obviously won't need to restrict/allow inbound/outbound traffic to various ports; however, this is certainly a consideration on the cloud.

From what I can tell, azure/amazonec2/google drivers open the SSH port and :2376 (and :3376 if swarm is configured).

This kind of creates a bit of friction when someone wants to deploy a publicly available web container as they would need to go to the cloud provider's management console to enable that port. It looks like there are already feature requests about this: #2408. Of course there is a security aspect to it as well. Someone might as well publish a datastore container's port on the host which would open it unauthenticated to the public Internet. Therefore maybe having a --publish-port [num] argument to docker-machine create would be useful.

I guess back to my question, do we intend to keep it this way? What are some firewall expectations from a machine driver? (Asking this because I'm rewriting the azure driver.)
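
A defender-side check for the exposure described above, added here as an example and not code from docker-machine or from the thread: it audits a cloud security group (a constructed rule list in the shape of EC2's IpPermissions) and separates the ports the drivers open by design from anything else reachable from the whole Internet, so a published datastore port stands out before it goes live. The baseline ports and the sample rules come from the issue; the function names are my own.

```python
import ipaddress

# Ports the azure/amazonec2/google drivers open on a new machine, per the issue:
# SSH and the TLS-protected Docker daemon port, plus the swarm port when swarm is on.
BASELINE_PORTS = {22: "ssh", 2376: "docker-tls"}
SWARM_PORTS = {3376: "swarm"}


def is_world(cidr):
    """True for a CIDR that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(permissions, swarm=False):
    """Classify Internet-exposed TCP ingress rules against the docker-machine baseline.

    `permissions` follows the shape of an EC2 security group's IpPermissions list.
    Returns (kind, from_port, to_port, cidr) tuples: 'baseline' for a port docker-machine
    opens itself, 'unexpected' for any other world-reachable port (a published datastore
    port, an all-ports rule, ...).
    """
    baseline = dict(BASELINE_PORTS)
    if swarm:
        baseline.update(SWARM_PORTS)
    baseline_ports = set(baseline)
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # UDP/ICMP rules are out of scope here
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not is_world(cidr):
                continue  # scoped to a specific network, not a public exposure
            covered = set(range(lo, hi + 1))
            for port in sorted(covered & baseline_ports):
                findings.append(("baseline", port, port, cidr))
            if covered - baseline_ports:
                findings.append(("unexpected", lo, hi, cidr))
    return findings


# Constructed sample: a default docker-machine group after someone also published
# a database container's port to the whole Internet.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 2376, "ToPort": 2376, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]
```

Running `audit_ingress(SAMPLE_PERMISSIONS)` reports 22 and 2376 as baseline and 5432 as unexpected, while the port 80 rule scoped to 10.0.0.0/8 is not reported at all.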

jeanlaurent commented 8 years ago

I'm rewriting the azure driver

Since we briefly met @ dockerconeu where I asked you if you will deal with it, the @docker/machine-maintainers are really happy about this. Thank you.

do we intend to keep it this way?

There is no plan to change this in the short term, it's not in the roadmap for 0.7.

The current vision is that docker-machine should set up relatively standard machines, since we will probably never be in a position to support each and every flag and option of all drivers, even if we constrain ourselves to the major ones. We also expect most people to better know and understand their cloud provider api rather than the one from docker-machine. We believe people will be more accustomed to doing the tricky/custom parts through the native api, rather than learn yet another way to achieve their task.

The way you do it on ec2 for instance is modify a specific security-group and specify it to the docker-machine cli.

That being said, opening a port is probably rather standard beyond running `docker run -t hello-world`, so this is open to discussion of course.

My personal view on this is that if the cloud drivers need to support this, they can do it, and not necessarily all at the same time. I would rather add this per-driver.

ahmetb commented 8 years ago

Thanks @jeanlaurent! This helped me understand the scene better.