Public bug reported:

Docker has a severe security problem, since it opens ports assigned with -p by adding a DNAT rule to iptables (-t nat). This DNAT rule is therefore applied before Ubuntu's firewall ufw, and thus the firewall does not protect Docker processes. Ports are open even if the firewall is supposed to block them.
A common workaround is to add --iptables=false to keep Docker from modifying iptables, usually in the form of DOCKER_OPTS="--iptables=false" in /etc/default/docker. However, the current Ubuntu package does not have this file or an EnvironmentFile=-/etc/default/docker entry in /lib/systemd/system/docker.service, so there is no defined clean way to keep Docker from fully opening ports to the world.

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: docker.io 19.03.2-0ubuntu1
ProcVersionSignature: Ubuntu 5.3.0-24.26-generic 5.3.10
Uname: Linux 5.3.0-24-generic x86_64
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
CurrentDesktop: LXQt
Date: Sat Jan 4 00:11:57 2020
InstallationDate: Installed on 2019-11-30 (34 days ago)
InstallationMedia: Lubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017.1)
SourcePackage: docker.io
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: docker.io (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug eoan

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1858248

Title:
  /lib/systemd/system/docker.service lacks EnvironmentFile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1858248/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
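The two checks a defender would want after reading this report, as an added example that is not part of the bug report or of the docker.io package: it tests offline whether a systemd unit text actually reads /etc/default/docker, and which DNAT rules in a nat-table dump publish a port to every source address. The drop-in path, its ExecStart line and all sample unit and iptables text are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). Two offline checks for the issue
# described above, run here against constructed samples; on a live host feed
# them the output of `systemctl cat docker` and `iptables -t nat -S DOCKER`.

# 0 if the unit text (unit file plus drop-ins) reads /etc/default/docker.
unit_reads_default_file() {
    printf '%s\n' "$1" | grep -Eq '^EnvironmentFile=-?/etc/default/docker$'
}

# Print "proto:port" for each DNAT rule in an `iptables -S` dump that carries
# no -s/-d match, i.e. a published port reachable from any address, which is
# exactly the rule that short-circuits ufw because nat runs before filter.
world_exposed_dnat_ports() {
    printf '%s\n' "$1" | awk '
        /-j DNAT/ && !/ -s / && !/ -d / {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto ":" port
        }'
}

# Constructed: the stock unit as the report describes it (no EnvironmentFile).
STOCK_UNIT='[Service]
ExecStart=/usr/bin/dockerd -H fd://'

# Constructed: a drop-in (e.g. /etc/systemd/system/docker.service.d/opts.conf,
# path and ExecStart are assumptions) that makes DOCKER_OPTS from
# /etc/default/docker reach dockerd; the empty ExecStart= clears the packaged one.
DROPIN='[Service]
EnvironmentFile=-/etc/default/docker
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS'

# Constructed: nat DOCKER chain after `-p 8080:80` and `-p 127.0.0.1:5432:5432`.
NAT_DUMP='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432'

unit_reads_default_file "$STOCK_UNIT" || echo "stock unit: /etc/default/docker is not read"
unit_reads_default_file "$DROPIN" && echo "with drop-in: /etc/default/docker is read"
echo "DNAT rules reachable from any source address:"
world_exposed_dnat_ports "$NAT_DUMP"    # prints tcp:8080 only
```

The 127.0.0.1-bound mapping is excluded because Docker adds a -d match for it, so only the 8080 rule is the one ufw cannot see.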