tobegit3hub/seagull

Others should not access my containers and images

tobegit3hub opened this issue · 8 comments

Now the server is running on localhost and others could access its containers and images. It's not safe for others to start, stop or delete our containers.

This part is mostly done in the nginx web layer, it seems, in front of the real web GUI.

Yes, @larrycai. I would like to write some iptables rules for normal users. Just let others know the risk of exposing the IP and port.

These commands work like a charm in my localhost.

  • sudo iptables -A INPUT -p tcp --dport 10086 -s 127.0.0.1 -j ACCEPT
  • sudo iptables -A INPUT -p tcp --dport 10086 -j DROP

If I want to revert it, just run the following commands.

  • sudo iptables -D INPUT -p tcp --dport 10086 -s 127.0.0.1 -j ACCEPT
  • sudo iptables -D INPUT -p tcp --dport 10086 -j DROP

I will update the readme.md for everyone to notice about this 😄

Looks quite simple.

But I don't fully understand the purpose. Do you mean to remove web access
from other servers? This is not what I want ;-)

Probably it is related to issue #7 for read-only mode on another machine.

On Mon, Oct 20, 2014 at 3:40 PM, tobe notifications@github.com wrote:

Closed #2.


True software development embraces consistent inconsistency.
blog: http://larrycaiyu.com/blog (en), http://larrycaiyu.com (chinese)

Currently seagull is designed to monitor the docker daemon on arbitrary servers, not just a read-only registry. So if I'm using seagull to monitor my containers, I have to make sure only the authorized IPs can view, start, stop or delete my containers. It can be done by nginx as well, and iptables is just a simple option for normal users.

#7 is under consideration. Thanks @larrycai for your suggestion 😺

Then why not docker run -d -p 127.0.0.1:10086:10086 -v /var/run/docker.sock:/var/run/docker.sock tobegit3hub/seagull? It should be good enough for this case.

Thanks @larrycai, and that's really better. You can send the pull-request to update the notice part in readme.md and readme-zh.md. I will re-open this issue and wait for your contribution 🎉

Fixed by @larrycai's pull-request 👍
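
An added example, not part of the thread or of seagull itself: a check that the port discussed above (10086) is listening only on loopback, which is what the `-p 127.0.0.1:10086:10086` binding should produce. It assumes input in the format of `ss -ltnH`; the sample socket lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Usage on a real host:  ss -ltnH | check_port 10086
# Input format (ss -ltnH): State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Print every local address listening on port $1 that is not a loopback address.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4
            n = split(la, parts, ":")
            if (parts[n] != port) next              # different port
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            print la                                # 0.0.0.0, [::], *, or a routable IP
        }'
}

# Return 0 when port $1 is loopback-only (or not listening), 1 when exposed.
check_port() {
    found=$(exposed_listeners "$1")
    if [ -n "$found" ]; then
        echo "EXPOSED: port $1 is reachable on:"
        echo "$found"
        return 1
    fi
    echo "OK: port $1 is loopback-only or not listening"
}

# Constructed sample: container published with -p 10086:10086 (all interfaces).
SAMPLE_OPEN='LISTEN 0 4096 0.0.0.0:10086 0.0.0.0:*
LISTEN 0 4096 [::]:10086 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: container published with -p 127.0.0.1:10086:10086.
SAMPLE_LOCAL='LISTEN 0 4096 127.0.0.1:10086 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_OPEN"  | check_port 10086 || true
printf '%s\n' "$SAMPLE_LOCAL" | check_port 10086
```
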