zlacker

[parent] [thread] 4 comments
1. diggan+(OP)[view] [source] 2025-01-05 15:18:58
Would that actually save you in this case? OP had their container exposed to the internet, listening for incoming remote connections. Wouldn't matter in that case if you're running a unprivileged container, podman, rocky-linux or with selinux, since everything is just wide open at that point.
replies(2): >>smarx0+l >>dboreh+H
2. smarx0+l[view] [source] 2025-01-05 15:21:54
>>diggan+(OP)
I think podman does not punch holes in the firewall as opposed to docker. I.e., to expose a container on port 8080 on the WAN in podman, you need to both expose 8080:8080 and use, for example, firewalld to open port 8080. Which I consider a correct behaviour.
replies(1): >>diggan+O
3. dboreh+H[view] [source] 2025-01-05 15:24:57
>>diggan+(OP)
I think it's more about whether traffic is bound to localhost or a routable interface. Podman has different behavior vs Docker.
replies(1): >>smarx0+O1
◧◩
4. diggan+O[view] [source] [discussion] 2025-01-05 15:25:25
>>smarx0+l
Sure, but the issue here wasn't because the default behavior surprised OP. OP needed a service that was accessible from a remote endpoint, so they needed to have some connection open. They just (for some reason) chose to do it over public internet instead of a private network.

But regardless of software used, it would have led to the same conclusion, a vulnerable service running on the open internet.

◧◩
5. smarx0+O1[view] [source] [discussion] 2025-01-05 15:32:25
>>dboreh+H
I think exposing 8080:8080 would result in sockets bound to 0.0.0.0:8080 in either Docker or Podman. You still need 127.0.0.1:8080:8080 for the socket binding to be 127.0.0.1:8080 in Podman. The only difference is that Podman would not punch holes in the firewall after binding on 0.0.0.0:8080, thus preventing an unintended exposure given that the firewall is set up to block all incoming connections except on 443, for example.

Edit: just confirmed this to be sure.

    $ podman run --rm -p 8000:80 docker.io/library/nginx:mainline
    $ podman ps 
    CONTAINER ID  IMAGE                             COMMAND               CREATED         STATUS         PORTS                 NAMES
    595f71b33900  docker.io/library/nginx:mainline  nginx -g daemon o...  40 seconds ago  Up 41 seconds  0.0.0.0:8000->80/tcp  youthful_bouman
    $ ss -tulpn | rg 8000

    tcp   LISTEN 0      4096                                          *:8000             *:*    users:(("rootlessport",pid=727942,fd=10))
[go to top]