Closed
Description
Problem
Currently, dstack-runner always listens on all network interfaces, including the instance's public IP address if the container runs in host network mode.
In general, this is not an issue, as access to the public IP should be restricted by the firewall. For cloud instances, dstack automatically configures the firewall. For SSH fleets, firewall configuration is the responsibility of the fleet administrator.
However, to reduce the risk of unintended exposure in case of a firewall misconfiguration, it is recommended to avoid binding dstack-runner to the public IP address altogether.
Solution
- If the container is running in host network mode, bind only to localhost.
- If the container is running in bridge network mode, continue binding to all interfaces — otherwise, the container port cannot be forwarded to the host's localhost.
Workaround
No response
Would you like to help us implement this feature by sending a PR?
Yes
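The binding rule proposed above, together with a check an administrator could run to confirm it took effect, as an added example that is not dstack's own code. The function names, the mode strings `host` and `bridge`, port 8080 and the sample `/proc/net/tcp` text are all assumptions constructed for illustration.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// bindAddr applies the rule from the issue: loopback only in host network
// mode, all interfaces in bridge mode (required for port forwarding).
// The mode strings are assumed names, not dstack identifiers.
func bindAddr(mode string, port int) string {
	host := "0.0.0.0"
	if mode == "host" {
		host = "127.0.0.1"
	}
	return net.JoinHostPort(host, strconv.Itoa(port))
}

// nonLoopbackListeners parses /proc/net/tcp text and returns "ip:port" for
// every IPv4 socket in LISTEN state (st == 0A) bound outside 127.0.0.0/8.
func nonLoopbackListeners(procNetTCP string) []string {
	var out []string
	for _, line := range strings.Split(procNetTCP, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[3] != "0A" {
			continue // header, blank line, or socket not listening
		}
		addr, portHex, ok := strings.Cut(f[1], ":")
		raw, err := hex.DecodeString(addr)
		port, perr := strconv.ParseUint(portHex, 16, 16)
		if !ok || err != nil || perr != nil || len(raw) != 4 {
			continue
		}
		// On little-endian hosts the kernel prints the address byte-reversed.
		ip := net.IPv4(raw[3], raw[2], raw[1], raw[0])
		if !ip.IsLoopback() {
			out = append(out, net.JoinHostPort(ip.String(), strconv.FormatUint(port, 10)))
		}
	}
	return out
}

// Constructed sample: port 8080 (0x1F90) listening on 0.0.0.0 and 127.0.0.1.
const sample = `  sl  local_address rem_address   st
   0: 00000000:1F90 00000000:0000 0A
   1: 0100007F:1F90 00000000:0000 0A
   2: 0100007F:0016 0A00000A:D431 01`

func main() {
	fmt.Println(bindAddr("host", 8080), nonLoopbackListeners(sample))
}
```

On a real host, pass the contents of `/proc/net/tcp` to `nonLoopbackListeners`; in host network mode the runner's port should not appear in the result.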