/lib/systemd/system/docker.service lacks EnvironmentFile

Bug #1858248 reported by Hadmut Danisch
Affects: docker.io (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Docker has a severe security problem since it opens ports assigned with -p by adding a DNAT rule to iptables (-t nat). Therefore this DNAT rule is applied before Ubuntu's firewall ufw, and thus the firewall does not protect Docker processes. Ports are open even if the firewall is supposed to block them.

A common workaround is to add --iptables=false to keep docker from modifying iptables, usually in the form of

DOCKER_OPTS="--iptables=false"

in /etc/default/docker.

However, the current ubuntu package does not have this file or an

EnvironmentFile=-/etc/default/docker

entry in /lib/systemd/system/docker.service

So there's no defined clean way to keep docker from fully opening ports to the world.

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: docker.io 19.03.2-0ubuntu1
ProcVersionSignature: Ubuntu 5.3.0-24.26-generic 5.3.10
Uname: Linux 5.3.0-24-generic x86_64
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
CurrentDesktop: LXQt
Date: Sat Jan 4 00:11:57 2020
InstallationDate: Installed on 2019-11-30 (34 days ago)
InstallationMedia: Lubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017.1)
SourcePackage: docker.io
UpgradeStatus: No upgrade log present (probably fresh install)
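
The bypass described in the report can be checked on a host by reading Docker's nat-table rules. The following shell script is an added example, not part of the bug report or of the docker.io package: it filters `iptables -t nat -S` output for DNAT rules that are not pinned to a specific destination address (a `-p 127.0.0.1:5432:5432` binding adds `-d 127.0.0.1/32`) and therefore redirect traffic arriving on any interface. Because the redirect happens in PREROUTING, the packet is forwarded to the container rather than delivered to the host, so the INPUT-chain rules that ufw manages are never consulted, and Docker's own ACCEPT rules in FORWARD sit ahead of ufw's. The rule lines embedded below are constructed to resemble Docker 19.03 output, not captured from the reporter's machine.

```shell
#!/bin/sh
# Added example: list container ports that Docker has published to every
# interface via DNAT in the nat table. Live use:
#     iptables -t nat -S | sh this_script    (or pipe into list_world_reachable)

# Read iptables-save style rules on stdin, print "proto/port -> container:port"
# for every DNAT rule that carries no -d destination restriction.
list_world_reachable() {
    awk '
        /-j DNAT/ && !/ -d / {
            proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            if (proto != "" && dport != "" && dest != "")
                printf "%s/%s -> %s\n", proto, dport, dest
        }'
}

# Constructed sample (not captured output): three published ports, one of
# them bound to 127.0.0.1 only, as dockerd 19.03 would write them.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.4:53'

# Run the filter over the constructed sample; returns the two world-reachable
# mappings (tcp/8080 and udp/53), the loopback-only 5432 is left out.
world_reachable_from_sample() {
    printf '%s\n' "$SAMPLE_NAT_RULES" | list_world_reachable
}

world_reachable_from_sample
```

On a real host, compare the script's output with `ufw status`: any port it lists that ufw believes to be blocked is exactly the gap the report describes. The `-A POSTROUTING ... -j MASQUERADE` line in the sample is the rule that also disappears when dockerd runs with --iptables=false, which is why containers then lose outbound connectivity until NAT is configured by hand.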

Tianon Gravi (tianon) wrote:

The upstream-supported method of accomplishing this is via a systemd drop-in which overrides ExecStart.

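The drop-in tianon refers to, written out as an added example (not code from the bug thread or from the docker.io package). A file in /etc/systemd/system/docker.service.d/ is merged into the packaged unit by systemd without touching /lib/systemd/system/docker.service. ExecStart is a list setting, so it has to be cleared with an empty `ExecStart=` before the replacement command is given; for a non-oneshot service systemd otherwise refuses to load the unit because it has more than one ExecStart. The command line shown (`/usr/bin/dockerd -H fd://`) is an assumption: copy the real one from `systemctl cat docker`, since the override must track whatever the package ships.

```shell
#!/bin/sh
# Added example: generate and sanity-check a systemd drop-in that starts
# dockerd with --iptables=false.
#
# Stand-alone use (as root):
#     sh this_script /etc/systemd/system/docker.service.d
#     systemctl daemon-reload && systemctl restart docker

# Write the drop-in into DIR and print the path of the file created.
# The dockerd command line is an assumption; take it from `systemctl cat docker`.
write_dockerd_dropin() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/iptables.conf" <<'EOF'
[Service]
# Reset the list first; a second ExecStart without this line is a load error.
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --iptables=false
EOF
    printf '%s\n' "$dir/iptables.conf"
}

# Return 0 when FILE resets ExecStart before redefining it and the new
# command line carries --iptables=false; 1 otherwise.
dropin_is_valid() {
    file=$1
    first=$(grep '^ExecStart=' "$file" | head -n 1)
    last=$(grep '^ExecStart=' "$file" | tail -n 1)
    [ "$first" = "ExecStart=" ] || return 1
    case $last in
        *--iptables=false*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ -n "${1:-}" ]; then
    conf=$(write_dockerd_dropin "$1") && dropin_is_valid "$conf" && echo "wrote $conf"
fi
```

After `systemctl daemon-reload` and a restart, `systemctl cat docker` lists the drop-in under the packaged unit and `iptables -t nat -S` no longer shows a DOCKER chain. Two consequences to plan for: Docker also stops adding its MASQUERADE rule, so containers have no outbound NAT until you add it yourself, and ports published with -p are then bound on the host by docker-proxy, where ufw's INPUT rules do apply. dockerd also reads `"iptables": false` from /etc/docker/daemon.json, which avoids restating ExecStart at all; do not set it in both places, because dockerd refuses to start when an option appears both as a flag and in the configuration file.
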
Hadmut Danisch (hadmut) wrote:

I have been working actively and administratively with systemd for years and have read plenty of documentation, but this is the first time I have heard or read about "systemd drop-in".

However, overriding the complete ExecStart line is insecure and error-prone, since it breaks updates and changes to ExecStart that might come with updated packages.

In general: it is highly dangerous and sort of unbearable to offer a Docker that rigorously breaks any firewall rules. As far as I can see, Docker aggressively inserts iptables rules at the beginning of the rule set and always allows just everything to everyone.

That's a no-go on production systems.

Is this behaviour part of docker.io itself, or does this come with the debian/ubuntu package?
