Home page Portfolio

A Docker footgun

2024-05-11

Here's an easy way to leak data.

  1. First, learn about Docker. Realize that you can now host software that would be horrible to manage on your host. Be thrilled that you can avoid paying Amazon a six-times markup for their managed software services.
  2. Second, host the supporting services for your relatively small app like databases and caches on Docker. Marvel at how easy your stack is to manage.
  3. Third, realize a few months later that Docker bypasses UFW to publish its ports.

Let's say you have a Postgres container. To allow connections to it, the Docker material suggests using -p 5432:5432 to bind/map it to the host's port 5432. What most people would expect that to do is to run the container like a nice, self-contained version of Postgres. But it does more: it creates iptables rules that supersede your UFW configuration.

UFW. You know, your firewall. The program that you trust to prevent access to your secrets. The program that you would somewhat expect to have the final say on what traffic can get into your machine.

This almost happened to me. I got lucky that it didn't actually leak any of my data. I always dual-firewall my app hosts at both the host level and at the cloud provider level, so the cloud provider firewall kept my data safe even as Docker tried its best to expose it. Amazon can and should use this as a talking point for why you should use them.

Important people in Docker view this as a "behavior." Some comments on Hacker News claim that it's your fault that you misconfigured Docker, or that it's actually a UFW problem and not a Docker problem. I reject this. Docker is trying to muscle its way into the standard toolkit of every developer, which means I have to hold it to the apparently unreasonable standard of "doesn't intentionally create a security vulnerability." Is that so much to ask? Also, even if it's a UFW problem, UFW is the default firewall tool of Ubuntu, one of the most popular Linux distributions in the world. To intentionally disregard it suggests that Docker views its own convenience as more important than a user's intentions for their security.

I still like containers, which is why I'm learning Podman. So far, it's been great. I won't blindly claim that it's superior, but I appreciate the attitude of its community towards security, which makes me feel comfortable adopting it. Regardless, though, this really throws a wrench into my push to use simpler tech.