/lib/systemd/system/docker.service lacks EnvironmentFile
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
docker.io (Ubuntu) | New | Undecided | Unassigned |
Bug Description
docker has a severe security problem since it opens ports assigned with -p through adding a dnat rule to iptables (-t nat). Therefore this dnat rule is applied before Ubuntu's firewall ufw, and thus the firewall does not protect docker processes. Ports are open even if the firewall is supposed to block.
A common workaround is to add --iptables=false to keep docker from modifying iptables, usually in the form of DOCKER_ in /etc/default/. However, the current Ubuntu package does not have this file or an EnvironmentFile entry in /lib/systemd/. So there's no defined clean way to keep docker from fully opening ports to the world.
ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: docker.io 19.03.2-0ubuntu1
ProcVersionSign
Uname: Linux 5.3.0-24-generic x86_64
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
CurrentDesktop: LXQt
Date: Sat Jan 4 00:11:57 2020
InstallationDate: Installed on 2019-11-30 (34 days ago)
InstallationMedia: Lubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017.1)
SourcePackage: docker.io
UpgradeStatus: No upgrade log present (probably fresh install)
The upstream-supported method of accomplishing this is via a systemd drop-in which overrides ExecStart.
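As an added example (not code from the Ubuntu package, Docker, or this report), the POSIX shell functions below generate and sanity-check the systemd drop-in described above, and parse `iptables -t nat -S DOCKER` output to list the DNAT-published ports that ufw does not protect. The `dockerd` command line in the override is an assumption; confirm it against `systemctl cat docker.service` on the host.

```shell
#!/bin/sh
# Added example, not code from the Ubuntu package or from Docker.
# Assumption: the dockerd command line below matches the distro unit;
# confirm with `systemctl cat docker.service` before installing it.

# Drop-in body. The empty "ExecStart=" line is mandatory: without it
# systemd rejects the unit ("more than one ExecStart= setting").
docker_override() {
    cat <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --iptables=false
EOF
}

# Write the drop-in under $1/docker.service.d/. On a real host $1 is
# /etc/systemd/system, then: systemctl daemon-reload && systemctl restart docker
install_docker_override() {
    dir="$1/docker.service.d"
    mkdir -p "$dir" && docker_override > "$dir/iptables.conf" || return 1
    printf '%s\n' "$dir/iptables.conf"
}

# Validate an override: one blank ExecStart= reset, one real ExecStart that
# carries --iptables=false, inside a [Service] section. Returns 0 if OK.
check_docker_override() {
    f="$1"
    grep -q '^\[Service\]' "$f" || return 1
    [ "$(grep -c '^ExecStart=$' "$f")" -eq 1 ] || return 1
    [ "$(grep -c '^ExecStart=.' "$f")" -eq 1 ] || return 1
    grep -q -e '^ExecStart=.*--iptables=false' "$f"
}

# Constructed sample of `iptables -t nat -S DOCKER` on a host where one
# container was started with -p 8080:80 and another with -p 5353:53/udp.
sample_nat_rules() {
    cat <<'EOF'
-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p udp -m udp --dport 5353 -j DNAT --to-destination 172.17.0.3:53
EOF
}

# From rules on stdin, print proto/port pairs Docker has DNAT-published,
# one per line; these are reachable no matter what ufw says.
docker_dnat_ports() {
    sed -n 's/.*-p \([a-z]*\) .*--dport \([0-9]*\) .*-j DNAT.*/\1\/\2/p'
}
```

On a live host, pipe `iptables -t nat -S DOCKER` into `docker_dnat_ports` instead of the constructed sample to audit what is currently exposed.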