Docker network security

A place to discuss potential docker network related security enhancements:

This is driven by me seeing an uptick in users who really shouldn't, due to lack of knowledge, blindly following guides and placing apps on the internet.

My initial three thoughts are:

1. By default all apps should only allow IANA private IP access. Users should opt in to allowing internet IPs to connect. I suspect this can be done with docker networking.

2. By default all containers should not be able to see any other container i.e. network isolation. This can absolutely be done with docker but likely not with current version and/or emHTTP GUI

3. We should not force users to create a port mapping. i.e. in many instances a container port should never be bridged to a host port for increased security e.g. a nginx reverse proxy on the same docker internal subnet

Above all any changes need to be practical but take into account that by default users really dont understand security and networking (and why should they thats our job) and should be secure by default.

bump for comment. Especially interested in what the dockers container devs think.

A place to discuss potential docker network related security enhancements:

 

This is driven by me seeing an uptick in users who really shouldn't, due to lack of knowledge, blindly following guides and placing apps on the internet.

 

My initial three thoughts are:

 

1. By default all apps should only allow IANA private IP access. Users should opt in to allowing internet IPs to connect. I suspect this can be done with docker networking.

2. By default all containers should not be able to see any other container i.e. network isolation. This can absolutely be done with docker but likely not with current version and/or emHTTP GUI

3. We should not force users to create a port mapping. i.e. in many instances a container port should never be bridged to a host port for increased security e.g. a nginx reverse proxy on the same docker internal subnet

 

Above all any changes need to be practical but take into account that by default users really dont understand security and networking (and why should they thats our job) and should be secure by default.

I understand what you are going towards but am not sure it is the correct route..

The opt-in you describe makes sure that users have to make a conscious choice to open up something towards the internet...

In basis that is allready the case.. You have to make a conscious decission to put your server in your DMZ or open up specific ports..

On the other hand.. Having two more selection buttons stating "allow internet addresses to connect" and/or "allow to connect to other dockers" is not so much of a hassle..

It should however be a users decission to do this, I do not think it should be totally blocked without a way to circumvent..

I agree, that is a sensible viewpoint.

I expect LT will have a policy already for new features that are beneficial but change previous defaults. My personal preference would be the "norm" of enable as new default but do not alter any existing assets.

The downside of this is that is yet more buttons for user to know about and click. IMHO this is worth it since the real unRAID userbase are the silent masses that never talk here. A reasonable (very high?) percentage of these users know little to nothing about IP, ports, NAT or firewalling and it is our duty of care to protect them at default.

I agree, that is a sensible viewpoint.

 

I expect LT will have a policy already for new features that are beneficial but change previous defaults. My personal preference would be the "norm" of enable as new default but do not alter any existing assets.

 

The downside of this is that is yet more buttons for user to know about and click. IMHO this is worth it since the real unRAID userbase are the silent masses that never talk here. A reasonable (very high?) percentage of these users know little to nothing about IP, ports, NAT or firewalling and it is our duty of care to protect them at default.

Yup... I must say that I have no idea on how many unraid users are actually actively out there.. But I agree with you... When you are a no-nonsense user that only uses unraid as a storage platform internally, then it would be good if the system was basically set up in such a way that it could not go wrong..