Docker Swarm init ignores –data-path-addr argument

[bluepuma77]

Description

It seems docker swarm init ignores --data-path-addr argument when using it like

docker swarm init --advertise-addr wg0 --listen-addr wg0 --data-path-addr wg0

When looking at netstats, the port 4789 is listened to on all IPs:

# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.1.3.1:7946           0.0.0.0:*               LISTEN      21029/dockerd
tcp        0      0 10.1.3.1:2377           0.0.0.0:*               LISTEN      21029/dockerd
udp        0      0 10.1.3.1:7946           0.0.0.0:*                           21029/dockerd
udp        0      0 0.0.0.0:4789            0.0.0.0:*                           -

Reproduce

Start a fresh Debian VM

# Update Debian
sudo apt update
sudo apt -y upgrade

# Install Wireguard
sudo apt -y install wireguard

# Generate private and public keys
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey

# Read private key into a variable
PRIVATE_KEY=$(cat /etc/wireguard/privatekey)

# Create WireGuard configuration
cat <<EOF | sudo tee /etc/wireguard/wg0.conf
[Interface]
PrivateKey = $PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
EOF

# Adjust permissions for the configuration file
sudo chmod 600 /etc/wireguard/{wg0.conf,privatekey}

# Start WireGuard interface
sudo wg-quick up wg0

# Enable WireGuard interface to start on boot
sudo systemctl enable wg-quick@wg0

# Install Docker
curl -fsSL https://get.docker.com | sh -

# Init Docker Swarm
docker swarm init --advertise-addr wg0 --listen-addr wg0 --data-path-addr wg0

# Check ports
netstat -tulpn | grep -E "(2377|7946|4789)"

Expected behavior

All ports used by Docker should only be listening on the specified interface and it's IP addresses.

docker version

Client: Docker Engine - Community
 Version:           25.0.3
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        4debf41
 Built:             Tue Feb  6 21:14:25 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.3
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       f417435
  Built:            Tue Feb  6 21:14:25 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    25.0.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.5
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 25.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: nfbe1z2ydd83flqna9lfb8nq5
  Is Manager: true
  ClusterID: jb2a4x51gj3epmjxmyi67wtne
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 10.0.0.1
  Manager Addresses:
   10.0.0.1:2377
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-18-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 3
 Total Memory: 3.729GiB
 Name: debian-4gb-fsn1-1
 ID: 008bd6c7-9a1c-49ba-9c3a-bc0e855087bf
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

As discussed on Docker Forum (link).

[schildbach]

I shall add that a docker swarm join --advertise-addr wg0 --listen-addr wg0 --data-path-addr wg0 yields a similar result.

[bluepuma77]

Hi @thaJeztah, can we add a "security issue" label, too?

I think it is quit an issue if I tell Docker to listen only on an internal interface, and instead it listens on all interfaces, on the public IP and is unexpectedly exposed to the whole Internet.