1. mschus+(OP) 2025-01-05 16:09:05
Docker Compose would not prevent you from doing a "publish port to 0.0.0.0/0", it's not much more than a (very convenient) wrapper around "docker build" and "docker run".

And many if not as good as all examples of docker-compose descriptor files don't care about that. Images that use different networks for exposed services and backend services (db, redis, ...) are the rare exception.

replies(1): >>Cyph0n+D
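
Added example, not part of the thread or of any commenter's post: a small audit for the pattern described in comment 1, listing every Compose `ports` entry that is published on all interfaces. It assumes the Compose file has already been loaded into a dict by a YAML parser and that the Docker daemon uses its default bind address; `bind_address`, `audit` and `SAMPLE` are hypothetical names, and the sample data is constructed.

```python
import ipaddress

DEFAULT_BIND = "0.0.0.0"  # assumption: daemon default, no custom bind IP configured

def bind_address(entry):
    """Return the host address a Compose `ports` entry is published on."""
    if isinstance(entry, dict):                    # long syntax: target/published/host_ip
        return str(entry.get("host_ip") or DEFAULT_BIND)
    spec = str(entry).split("/", 1)[0]             # drop a trailing "/tcp" or "/udp"
    parts = spec.rsplit(":", 2)                    # [host ip, host port, container port]
    if len(parts) < 3:                             # "8080:80" or "80": no host IP given
        return DEFAULT_BIND
    return parts[0].strip("[]")                    # "[::1]" -> "::1"

def audit(compose):
    """List (service, entry, address) for ports published on every interface."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for entry in (svc or {}).get("ports") or []:
            addr = bind_address(entry)
            try:
                exposed = ipaddress.ip_address(addr).is_unspecified  # 0.0.0.0 or ::
            except ValueError:                     # e.g. an unexpanded ${VAR}: report it
                exposed = True
            if exposed:
                findings.append((name, entry, addr))
    return findings

# Constructed sample, as a YAML loader would return it.
SAMPLE = {"services": {
    "web":    {"ports": ["8080:80", "127.0.0.1:8443:443"]},
    "db":     {"ports": [{"target": 5432, "published": 5432}]},
    "cache":  {"ports": ["[::1]:6379:6379", 6380]},
    "worker": {},                                  # publishes nothing
}}

if __name__ == "__main__":
    for service, entry, addr in audit(SAMPLE):
        print(f"{service}: {entry!r} is published on {addr}")
```

The check reads only the Compose file; whether a flagged port is reachable from outside still depends on the host firewall and the container runtime, which is the point the replies below discuss.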
2. Cyph0n+D 2025-01-05 16:14:00
>>mschus+(OP)
Are you sure about that? Because I was under the impression that these firewall rules are configured by Docker. So if you use Docker Compose with Podman emulating the Docker socket, this shouldn’t happen.

Maybe someone more knowledgeable can comment.

replies(1): >>smarx0+T6
3. smarx0+T6 2025-01-05 17:02:49
>>Cyph0n+D
I think you are both correct, see >>42602429 - the socket would still listen on 0.0.0.0 but podman would not punch holes.
replies(1): >>Cyph0n+jf
4. Cyph0n+jf 2025-01-05 18:09:56
>>smarx0+T6
Aha, thanks for confirming! Yes, this was the behavior I was talking about.

I encountered it with Docker on NixOS and found it confusing. They have since documented this behavior: https://search.nixos.org/options?channel=24.11&show=virtuali...