The docker swarm init command with the --data-path-addr flag does not set the listen address of the VXLAN port.
This causes the VXLAN port to be accessible on other interfaces that may be publicly accessible.
This creates the security issues discussed in the following advisory: GHSA-vwm3-crmr-xfxw
Is there a way to limit the listen address for the VXLAN port?
I understand that we can block access to this port on other interfaces with a firewall. But I think it's an expected behavior that when we specify this setting, the listen address respects it. Like --listen-addr.
Reproduce
docker swarm init --data-path-addr 192.168.1.2
netstat -tulpn | grep 4789
Expected behavior
The VXLAN port should be accessible only from the specified address.
docker version
Client: Docker Engine - Community
Version: 26.0.0
API version: 1.45
Go version: go1.21.8
Git commit: 2ae903e
Built: Wed Mar 20 15:18:01 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 26.0.0
API version: 1.45 (minimum version 1.24)
Go version: go1.21.8
Git commit: 8b79278
Built: Wed Mar 20 15:18:01 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.28
GitCommit: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
@corhere thanks for your reply. I understand the usage of this flag and the Linux limitation about VXLAN.
As @thaJeztah mentioned, I think it should be clarified in the docs with a warning about the possibility of a security problem.
Another thing is that setting a firewall rule for each new node we add to the cluster adds an extra step to the scaling process and makes it error-prone. It is possible to use another VXLAN implementation that supports interface binding, but I think it's not feasible for this use case.
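The firewall workaround discussed in this thread, as an added example that is not part of the issue or of the moby project: a POSIX shell audit that classifies the UDP 4789 listener from netstat/ss style output (the sample lines below are constructed, not captured from a real node) and prints the iptables rules that confine the port to the data-path interface. The interface name eth1 and the expected address 192.168.1.2 are assumptions taken from the reproduction command.

```shell
#!/bin/sh
# Added example (not from the issue or the moby project): audit the swarm VXLAN
# data-path port and generate the per-node firewall rules the workaround needs.
VXLAN_PORT=4789

# Classify the UDP listener(s) on $VXLAN_PORT found in netstat/ss style text:
#   ok        every listener is bound to the expected address
#   wildcard  at least one listener is bound to 0.0.0.0, ::, [::] or *
#   other     a listener is bound to an address that is neither expected nor wildcard
#   absent    no UDP listener on the port at all
vxlan_bind_status() {
    expected="$1"
    listing="$2"
    found=0
    status="ok"
    set -f   # no pathname expansion while the listing is split into tokens
    while IFS= read -r line; do
        case "$line" in
            udp*|UNCONN*) ;;   # netstat rows start with udp/udp6, ss -ulpn rows with UNCONN
            *) continue ;;
        esac
        addr=""
        for tok in $line; do
            case "$tok" in
                *:"$VXLAN_PORT") addr="${tok%:*}" ;;   # local address column
            esac
        done
        [ -n "$addr" ] || continue
        found=1
        case "$addr" in
            "$expected") ;;
            0.0.0.0|::|'[::]'|'*') status="wildcard" ;;
            *) [ "$status" = "wildcard" ] || status="other" ;;
        esac
    done <<EOF
$listing
EOF
    set +f
    [ "$found" -eq 1 ] || status="absent"
    printf '%s\n' "$status"
}

# Print the iptables commands that confine VXLAN to the data-path interface.
# Both rules are inserted at the head of INPUT; inserting DROP first and ACCEPT
# second leaves ACCEPT (data-path NIC only) ahead of the catch-all DROP.
# This has to be applied on every node that joins the swarm.
vxlan_firewall_rules() {
    iface="$1"   # assumed name of the node's data-path NIC
    printf 'iptables -I INPUT -p udp --dport %s -j DROP\n' "$VXLAN_PORT"
    printf 'iptables -I INPUT -i %s -p udp --dport %s -j ACCEPT\n' "$iface" "$VXLAN_PORT"
}

# Live audit of the current node (not run by default): prefers ss, falls back to netstat.
audit_live_node() {
    expected="$1"
    if command -v ss >/dev/null 2>&1; then
        listing=$(ss -ulpn 2>/dev/null)
    else
        listing=$(netstat -ulpn 2>/dev/null)
    fi
    vxlan_bind_status "$expected" "$listing"
}

# Constructed sample lines in `netstat -tulpn | grep 4789` form: the wildcard
# bind the issue reports, and the bind the reporter expects after --data-path-addr.
SAMPLE_WILDCARD='udp        0      0 0.0.0.0:4789            0.0.0.0:*                           -'
SAMPLE_BOUND='udp        0      0 192.168.1.2:4789        0.0.0.0:*                           -'

# Demonstration on the constructed samples.
printf 'wildcard sample: %s\n' "$(vxlan_bind_status 192.168.1.2 "$SAMPLE_WILDCARD")"
printf 'bound sample:    %s\n' "$(vxlan_bind_status 192.168.1.2 "$SAMPLE_BOUND")"
vxlan_firewall_rules eth1
```

Running `audit_live_node 192.168.1.2` on a real node reports `wildcard` for the behaviour described in this issue; the generated rules are the per-node step the comment above calls error-prone, so they are worth wrapping in whatever provisioning tool adds nodes to the cluster rather than typing them by hand.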