Open phish108 opened 1 year ago
Ubuntu's microk8s profile is almost the same as the profile we use, but sets additional AppArmor flags.
This profile comes from the microk8s lxd guide. However, the guide focuses on single node clusters.
https://docs.docker.com/engine/security/apparmor/
https://unix.stackexchange.com/questions/127606/apparmor-profiles-in-docker-lxc?rq=1
https://dockerlabs.collabnix.com/advanced/security/apparmor/
https://www.padok.fr/en/blog/security-docker-apparmor
https://ubuntu.com/server/docs/security-apparmor
https://unix.stackexchange.com/questions/135115/apparmor-profile-deny-internet-access
My old answer is incomplete after a few upgrades
OK, it seems that the services are exposed on the server on which they are running.
The problem was twofold:
Fixed again
unconfined
profile
When running Docker nested in an LXC system container, network configuration is blocked with the latest packages. While the containers can communicate across different systems (on the same host), network access is entirely blocked: the port opens, but the request never reaches the endpoint inside a Docker container.
It seems that Docker's AppArmor profiles get in the way of accessing the network. This appears to be similar to the effect that systems on different hosts could connect but not exchange data after upgrading Docker last year.