throwawaypath 6 hours ago

This has been a known Docker "feature" since the beginning, nothing new here. This pattern is used to configure host machines by some tools.

pqdbr 3 hours ago | parent | next [-]

Like the known Docker "feature" that it completely bypasses UFW and unless your ports look like "- 127.0.0.1:PORT:PORT" (and many of the examples use "-PORT:PORT") you expose everything to the internet?
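
The distinction pqdbr draws above, `127.0.0.1:PORT:PORT` versus a bare `PORT:PORT`, is mechanical enough to check for. The following is an added example, not code from this thread or from Docker or Compose themselves: it parses the Compose short port syntax (`[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]`) and reports which mappings Docker would publish on every host interface (its default when no host IP is given, `0.0.0.0`) rather than on a loopback address. The `COMPOSE_SERVICES` dict is a constructed sample standing in for a parsed `docker-compose.yml`.

```python
"""Classify Docker Compose short-syntax port mappings by host bind address.

Added example (not from the thread). Parses the short syntax
[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL] and flags mappings that
would be published on all host interfaces instead of only on loopback.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PortMapping:
    host_ip: Optional[str]      # None means Docker's default bind (0.0.0.0)
    host_port: Optional[str]    # None means an ephemeral host port
    container_port: str         # may be a range such as "8000-8010"
    protocol: str               # "tcp" unless "/udp" (or similar) is given


def parse_port_mapping(spec: str) -> PortMapping:
    """Parse one Compose short-syntax port entry into its components."""
    spec = str(spec).strip()
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)

    host_ip: Optional[str] = None
    if spec.startswith("["):
        # Bracketed IPv6 host address, e.g. "[::1]:8080:80".
        end = spec.index("]")
        host_ip = spec[1:end]
        spec = spec[end + 1:]
        if not spec.startswith(":"):
            raise ValueError(f"expected ':' after IPv6 address in {spec!r}")
        spec = spec[1:]

    parts = spec.split(":")
    if len(parts) == 1:                      # "80"
        return PortMapping(host_ip, None, parts[0], protocol)
    if len(parts) == 2:                      # "8080:80" or "[::1]:8080:80" after stripping
        return PortMapping(host_ip, parts[0] or None, parts[1], protocol)
    if len(parts) == 3 and host_ip is None:  # "127.0.0.1:8080:80" or "127.0.0.1::80"
        return PortMapping(parts[0], parts[1] or None, parts[2], protocol)
    raise ValueError(f"unrecognised port mapping: {spec!r}")


def is_exposed_to_network(m: PortMapping) -> bool:
    """True if the mapping is reachable from outside the host itself."""
    if m.host_ip is None:
        return True  # no host IP: Docker's default bind, every interface
    ip = ipaddress.ip_address(m.host_ip)
    if ip.is_unspecified:
        return True  # explicit 0.0.0.0 or ::
    return not ip.is_loopback  # a LAN address is still exposed on that interface


# Constructed sample, mirroring the tutorial-style mappings discussed above.
COMPOSE_SERVICES: Dict[str, Dict[str, List[str]]] = {
    "web":   {"ports": ["80:80", "443:443"]},
    "db":    {"ports": ["127.0.0.1:5432:5432"]},
    "cache": {"ports": ["[::1]:6379:6379"]},
    "admin": {"ports": ["0.0.0.0:9000:9000", "192.168.1.5:9100:9100/udp"]},
}


def audit(services: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str, bool]]:
    """Return (service, spec, exposed) for every port mapping in the services."""
    findings = []
    for name, svc in services.items():
        for spec in svc.get("ports", []):
            findings.append((name, spec, is_exposed_to_network(parse_port_mapping(spec))))
    return findings


if __name__ == "__main__":
    for service, spec, exposed in audit(COMPOSE_SERVICES):
        verdict = "ALL INTERFACES" if exposed else "loopback only"
        print(f"{service:6} {spec:28} {verdict}")
```

The check only reads the Compose file; it says nothing about what the host firewall will do, which is the point of the comment: Docker installs its own iptables rules for published ports, so a mapping flagged here is reachable on the host's interfaces regardless of a UFW allow list.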

Root_Denied 3 hours ago | parent [-]

My understanding is that docker will expose the ports to the host machine's network interfaces, which is a crucial difference. For my home server running docker that means exposed to the LAN, but not the WAN unless I add in a port forwarding rule on my router. Similarly in an enterprise environment you would be exposing the port on whatever VLAN the host is connected to, which hopefully doesn't have direct transit to the open internet.

Anything you're running on the perimeter with open access to the internet in an enterprise environment probably (hopefully) isn't running docker containers without some additional config and protections.

itintheory an hour ago | parent | next [-]

I was thinking along similar lines to what you've suggested here, but then I considered how many VPS might be configured by folks following some random web tutorial, to set up their LAMP stack (or whatever), that end up doing something like what was described.

eximius 30 minutes ago | parent | prev [-]

If you ever suddenly get IPv6, it may become globally routable without you realizing.

canadaduane 4 hours ago | parent | prev | next [-]

Isn't this one of the main improvements that Podman has over Docker?

0xbadcafebee 4 hours ago | parent [-]

No, Docker can run rootless too

righthand 3 hours ago | parent [-]

This was not always true and running rootless has been a benefit of Podman for a long time. Docker also does not run rootless by default afaik, thus making the attack surface greater by default.

The other main improvement of Podman over Docker is that Podman is daemonless and therefore is incredibly lightweight and portable.

Zopieux 3 hours ago | parent | next [-]

I don't understand why anyone still uses docker.

vdfs 3 hours ago | parent | prev [-]

Daemonless also makes it a nightmare to run, especially compose-like setups; you have to do some weird systemd stuff.

yjftsjthsd-h 3 hours ago | parent | prev [-]

This, and the charming fact that it bypasses your firewall.