Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
This was a large part of the reason I switched to rootless podman for everything
Explicitly binding certain ports to the container has a similar effect, no?
I still need to allow the ports in my firewall when using podman, even when I bind to 0.0.0.0.
Also when using a rootfull Podman socket?
I haven’t tried rootful since I haven’t had issues with rootless. I’ll have to check on that and get back to you.
When running as root, I did not need to add the firewall rule.
Thanks for checking
It’s better than nothing but I hate the additional logs that came from it constantly fighting firewalld.
My problem with podman is the incompatibility with portainer :(
Any recommendations?
CLI and Quadlet? /s but seriously, that’s what I use lol
Quadlets are so nice.
cockpit has a podman/container extension you might like.
It’s okay for simple things, but too simple for anything beyond that, IMO. One important issue is that unlike with Portainer you can’t edit the container in any way without deleting it and configuring it again, which is quite annoying if you just want to change 1 environment variable (GH Issue). Perhaps they will add a quadlet config tool to cockpit sometime in the future.
i mean, you can just redeploy the container with the updated variable. thats kinda how they work.
I assume portainer communicates via the docker socket? If so, couldn’t you just point portainer to the podman socket?
Portainer Docs | Install Portainer CE with Podman on Linux The official docs also mention doing that.
This is the way.
It’s my understanding that docker uses a lot of fuckery and hackery to do what they do. And IME they don’t seem to care if it breaks things.
To be fair, the largest problem here is that it presents itself as the kind of isolation that would respect firewall rules, not that they don’t respect them.
People wouldn’t make the same mistake in NixOS, despite it doing exactly the same.
This is why I hate Docker.
I don’t know how much hackery and fuckery there is with docker specifically. The majority of what docker does was already present in the Linux kernel namespaces, cgroups etc. Docker just made it easier to build and ship the isolated environments between systems.
My impression from a recent crash course on Docker is that it got popular because it allows script kiddies to spin up services very fast without knowing how they work.
OWASP was like “you can follow these thirty steps to make Docker secure, or just run Podman instead.” https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
I dont really understand the problem with that?
Everyone is a script kiddy outside of their specific domain.
I may know loads about python but nothing about database management or proxies or Linux. If docker can abstract a lot of the complexities away and present a unified way you configure and manage them, where’s the bad?
That is definitely one of the crowds but there are also people like me that just are sick and tired of dealing with python, node, ruby depends. The install process for services has only continued to become increasingly more convoluted over the years. And then you show me an option where I can literally just slap down a compose.yml and hit “docker compose up - d” and be done? Fuck yeah I’m using that
Another take: Why should I care about dependency hell if I can just spin up the same service on the same machine without needing an additional VM and with minimal configuration changes.
This post inspired me to try podman, after it pulled all the images it needed my Proxmox VM died, VM won’t boot cause disk is now full. It’s currently 10pm, tonight’s going to suck.
eh, booting into single user mod should work fine, uninstall podman and init 5
Okay so I’ve done some digging and got my VM to boot up! This is not Podman’s fault, I got lazy setting up Proxmox and never really learned LVM volume storage, while internally on the VM it shows 90Gb used of 325Gb Proxmox is claiming 377Gb is used on the LVM-Thin partition.
I’m backing up my files as we speak, thinking of purging it all and starting over.
Edit: before I do the sacrificial purge This seems promising.
thinking of purging it all and starting over.
Don’t do that. You’ll learn nothing.
So I happened to follow the advice from that Proxmox post, enabled the “Discard” option for the disk and ran
sudo fstrim /within the VM, now the Proxmox LVM-Thin partition is sitting at a comfortable 135Gb out of 377Gb.Think I’m going to use this
fstrimcommand on my main desktop to free up space.I think linux does fstrim oob.
edit: I meant to say linux distros are set up to do that automatically.
It’s been about a day since this issue and now I’ve been keeping a close eye on my local-lvm, it fills fast, like, ridiculously fast and I’ve been having to run
sudo fstrim /inside the VM just to keep it maintained. I’m finding it weird I’m now just noticing this as this server has been running for months!For now I edited my
/etc/bash.bashrcso whenever I ssh in it’ll automatically runsudo fstrim /, there is something I’m likely missing but this works as a temporary solution.
You’re forgetting the part where they had an option to disable this fuckery, and then proceeded to move it twice - exposing containers to everyone by default.
I had to clean up compromised services twice because of it.
This is why I install on bare metal, baby!
I mean if you’re hosting anything publicly, you really should have a dedicated firewall
Do you mean a hardware firewall?
Basically yeah, though I didn’t specify hardware because of how often virtualization is done now
The VPS I’m using unfortunately doesn’t offer an external firewall
Well, if you have the option you could set up a virtual network through the VPS and have a box with pfsense or something to route all traffic through. Take this with a grain of salt - I’ve seen this done but never done it fully myself.
I’ve just disabled all incoming connections (including SSH etc.) and access everything through WireGuard
have a dedicated firewall
I mean, don’t router firewalls count in this regard? Isn’t that kinda part of their job?
Nat is not security.
Keep that in mind.
It’s just a crutch ipv4 has to use because it’s not as powerful as the almighty ipv6
rootless podman and sockets ❤️
For all the raving about podman, it’s dumb too. I’ve seen multiple container networks stupidly route traffic across each other when they shouldn’t. Yay services kept running, but it defeats the purpose. Networking should be so hard that it doesn’t work unless it is configured correctly.
Or maybe it should be easy to configure correctly?
instructions unclear, now its hard to use and to configure
That’s asking a lot, these days.
Somehow I think that’s on ufw not docker. A firewall shouldn’t depend on applications playing by their rules.
ufw just manages iptables rules, if docker overrides those it’s on them IMO
Feels weird that an application is allowed to override iptables though. I get that when it’s installed with root everything’s off the table, but still…
Not really.
Both docker and ufw edit iptables rules.
If you instruct docker to expose a port, it will do so.
If you instruct ufw to block a port, it will only do so if you haven’t explicitly exposed that port in docker.
Its a common gotcha but it’s not really a shortcoming of docker.
iptables is deprecated for like a decade now, the fact that both still use it might be the source of the problem here.
Docker spesifically creates rules for itself which are by default open to everyone. UFW (and underlying eftables/iptables) just does as it’s told by the system root (via docker). I can’t really blame the system when it does what it’s told to do and it’s been administrators job to manage that in a reasonable way since forever.
And (not related to linux or docker in any way) there’s still big commercial software which highly paid consultants install and the very first thing they do is to turn the firewall off…
We use Firewalld integration with Docker instead due to issues with UFW. Didn’t face any major issues with it.
I also ended up using firewalld and it mostly worked, although I first had to change some zone configs.
On windows (coughing)
Docker does not play fair, does not play nice. It’s a dozer that plow through everything for devops that yolo and rush to production.
Well yea ofc it works like that, the services are not on the same network, so the packets need to be sent onto another adapter. That means either nat or forwarding tables.
Now if that was a good design of docker is another question.
