Others should not access my containers and images
tobegit3hub opened this issue · 8 comments
Now the server is running on localhost and others could access its containers and images. It's not safe for others to start, stop or delete our containers.
This part is mostly done in the nginx web layer, it seems, in front of the real web GUI.
Yes, @larrycai. I would like to write some iptables rules for normal users. Just let others know the risk of exposing the IP and port.
These commands work like a charm in my localhost.
sudo iptables -A INPUT -p tcp --dport 10086 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 10086 -j DROP
If I want to revert it, just run the following commands.
sudo iptables -D INPUT -p tcp --dport 10086 -s 127.0.0.1 -j ACCEPT
sudo iptables -D INPUT -p tcp --dport 10086 -j DROP
I will update the readme.md for everyone to notice about this.
Looks quite simple.
But I don't fully understand the purpose, do you mean to remove web access from other servers? This is not what I want ;-)
Probably it is related to issue #7 for read-only mode on another machine.
On Mon, Oct 20, 2014 at 3:40 PM, tobe notifications@github.com wrote:
True software development embraces consistent inconsistency.
blog: http://larrycaiyu.com/blog (en), http://larrycaiyu.com (chinese)
Currently seagull is designed to monitor the docker daemon on arbitrary servers, not just for read-only registry. So if I'm using seagull to monitor my containers, I have to make sure only the authorized IPs can view, start, stop or delete my containers. It can be done by nginx as well and iptables is just a simple option for normal users.
#7 is under consideration. Thanks @larrycai for your suggestion.
Then why not docker run -d -p 127.0.0.1:10086:10086 -v /var/run/docker.sock:/var/run/docker.sock tobegit3hub/seagull, should be good enough for this case.
Thanks @larrycai and that's really better. You can send the pull-request to update the notice part in readme.md and readme-zh.md. I will re-open this issue and wait for your contribution.
Fixed by @larrycai 's pull-request.
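As an added example (not part of the thread or of seagull's own code), the script below checks whether a container publishes port 10086 only on loopback, as in the `-p 127.0.0.1:10086:10086` form suggested above, or on every interface, by parsing the port strings printed by `docker ps --format '{{.Names}}|{{.Ports}}'`. The function names and the sample lines are constructed for illustration; only the port number and image come from the thread.

```shell
#!/bin/sh
# Added example: classify how a host port is published, from `docker ps` port strings.
PORT=10086   # seagull's port, as used in the thread

# binding_scope PORTS_STRING -> prints "loopback", "exposed" or "unpublished".
# The body runs in a subshell so the IFS and noglob changes stay local.
binding_scope() (
    set -f; IFS=,
    scope=unpublished
    for mapping in $1; do                    # mappings are comma-separated
        mapping=${mapping# }                 # trim the space that follows each comma
        case $mapping in
            *"->"*) ;;                       # published: "IP:HOSTPORT->PORT/proto"
            *) continue ;;                   # "10086/tcp": declared but not published
        esac
        host=${mapping%%"->"*}               # e.g. "127.0.0.1:10086" or ":::10086"
        host_port=${host##*:}
        host_ip=${host%:*}
        [ "$host_port" = "$PORT" ] || continue
        case $host_ip in
            127.*|::1|"[::1]") [ "$scope" = exposed ] || scope=loopback ;;
            *) scope=exposed ;;              # 0.0.0.0, ::, or a routable address
        esac
    done
    printf '%s\n' "$scope"
)

# audit: reads "name|ports" lines on stdin, prints "name<TAB>scope".
audit() {
    while IFS='|' read -r name ports; do
        printf '%s\t%s\n' "$name" "$(binding_scope "$ports")"
    done
}

# Constructed sample of `docker ps --format '{{.Names}}|{{.Ports}}'` output.
SAMPLE='seagull-open|0.0.0.0:10086->10086/tcp, :::10086->10086/tcp
seagull-local|127.0.0.1:10086->10086/tcp
registry|5000/tcp'

printf '%s\n' "$SAMPLE" | audit
# On a real host: docker ps --format '{{.Names}}|{{.Ports}}' | audit
```

A container reported as `exposed` is reachable by anyone who can route to the host on that port, which with the Docker socket mounted means they can start, stop or delete containers through seagull.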