Restricting network access within a container

Hi,

I’ve been experimenting with various projects which expose an HTTP endpoint via the public URL offered through the Balena cloud.

I need to understand what the security implications are of exposing an endpoint in this manner.

The immediate questions are:

  • If a public endpoint is accessed and the code running inside the container that can be accessed through that endpoint is compromised then how well is the system sandboxed?

  • If an attacker can gain remote access to a container then what level of access can they then obtain to the local network segment?

If I use the Balena dashboard to connect to a running container then my very basic checks seem to show I have access to the local network.

Looking at how the multi-container docker-compose setups work it looks as though there’s an internal IP network which allows containers to communicate between themselves.

So can you tell me if there’s a way to restrict access to external facing network adapters from within a container?

I’m thinking that in this way if a container was compromised then at least the attacker could not immediately go on to attack the local network.

Thanks for your advice!

Alex

Hi Alex,

When you do not use docker-compose, the single container will have its network mode set to host and the container will run in privileged mode. When using a docker-compose file, the default will be more restrictive - network mode will be bridged (what you are looking for) and the containers will not be running in privileged mode. If you then would like to use the public URL feature, you need to expose port 80 by using the expose directive in your docker-compose declaration.

Please let us know if that covers your questions.

Thanks,
Zahari

Excellent - thanks @majorz! I have done a little multi-container work but not much.

I’ll go away and play with docker compose a bit more and come back to you.

Thanks again!

Alex

Hi again @majorz

So I’ve moved to a docker-compose file and that is looking pretty good.

However I’ve exposed port 80 on the container which I want to be accessible on the Balena public URL.

I can’t seem to connect to it though.

Can you advise?

Thanks!

Alex

My mistake - I should have been using “ports”. Working now thanks!
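The following docker-compose.yml is an added example, not a file from this thread or from balena's own documentation. It puts together Zahari's answer (multi-container apps get bridge networking and run unprivileged by default) and Alex's final correction (the service behind the public URL needs `ports`, not just `expose`). The service names, image build paths and the worker's port are assumptions.

```yaml
# Added example (not from the thread): docker-compose.yml for a balena
# multi-container app. Service names, build paths and port 8080 are assumed.
version: '2'
services:
  web:
    build: ./web              # assumed build context for the HTTP service
    # No network_mode: host and no privileged: true, so this service keeps
    # the compose defaults: bridge networking, unprivileged container.
    ports:
      - "80:80"               # publish container port 80 on the device; this
                              # is what the public URL feature reaches
  worker:
    build: ./worker           # assumed build context for an internal service
    # Reachable from `web` as http://worker:8080 over the internal bridge
    # network only; `expose` does not publish it on the device's interfaces.
    expose:
      - "8080"
```

A bridged container still has outbound access to the device's local network segment through the host's routing, so this limits what an attacker can reach inbound, not what a compromised `web` process can connect to outbound. To confirm a running service is not on the host network and not privileged, inspect it on the device with the engine's docker-compatible CLI, e.g. `balena-engine inspect --format '{{.HostConfig.NetworkMode}} {{.HostConfig.Privileged}}' <container-id>`, which should print the compose network name (not `host`) followed by `false`.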