Containers can talk to the host over the network even with ICC disabled

[vincentwoo]

Output of docker version:

ubuntu@execute-1460530807:~$ docker version
Client:
 Version:      1.11.0-rc5
 API version:  1.23
 Go version:   go1.5.3
 Git commit:   6178547
 Built:        Mon Apr 11 21:07:24 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.0-rc5
 API version:  1.23
 Go version:   go1.5.3
 Git commit:   6178547
 Built:        Mon Apr 11 21:07:24 2016
 OS/Arch:      linux/amd64

Output of docker info:

ubuntu@execute-1460530807:~$ docker info
Containers: 17
 Running: 17
 Paused: 0
 Stopped: 0
Images: 23
Server Version: 1.11.0-rc5
Storage Driver: overlay
 Backing Filesystem: extfs
Logging Driver: none
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host
Kernel Version: 3.19.0-58-generic
Operating System: Ubuntu 14.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 29.45 GiB
Name: execute-1460530807
ID: PQ6T:3IL3:XDMV:KKFC:TAJN:MDAO:6T6K:SSO4:L3YQ:LIDK:NNPZ:6J5U
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):
GCE

Steps to reproduce the issue:
Setup a docker host that also happens to be listening on whatever ports:

ubuntu@execute-1460530807:~$ sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1204/sshd
tcp6       0      0 :::42069                :::*                    LISTEN      5017/node
tcp6       0      0 :::22                   :::*                    LISTEN      1204/sshd

Make sure that ICC is OFF:

ubuntu@execute-1460530807:~$ cat /etc/default/docker
DOCKER_OPTS="-s overlay --icc=false --log-driver=none"

Try to run a container that scans local available ports:

ubuntu@execute-1460530807:~$ docker run --rm -t us.gcr.io/coderpad-1189/coderpad:base /bin/bash -c "nc -vz 172.17.0.1 1-65535 2>&1 | grep succeeded"
Connection to 172.17.0.1 22 port [tcp/ssh] succeeded!
Connection to 172.17.0.1 42069 port [tcp/*] succeeded!

Describe the results you received:

The container was able to see and interact with the host over the local bridge.

Describe the results you expected:

https://github.com/docker/docker/blob/master/docs/userguide/networking/default_network/container-communication.md states:

It is a strategic question whether to leave --icc=true or change it to --icc=false so that iptables will protect other containers -- and the main host -- from having arbitrary ports probed or accessed by a container that gets compromised.

which suggests that this behavior should not occur with ICC disabled.

[thaJeztah]

/cc @aboch

[vincentwoo]

ping

[aboch]

@vincentwoo Thanks for the report. I confirm currently there is a divergence between documentation and docker behavior. So I went back to docker 1.6.2 to see if that statement was respected. My finding was:

• If the container tries to reach the exposed port via the docker0 bridge, the connection is in fact blocked
• But if it tries against any other L3 interface on the host, the connection is allowed

So it looks like that statement was not very accurate. We need to decide what the expected behavior should be and make it consistent.

[vincentwoo]

Yeah, as a stopgap I added iptables -A INPUT -d 172.17.0.0/16 -i docker0 -j DROP to my systems but this is obviously brittle. I would love it if Docker behaved as suggested in the docs. I think anyone who runs icc = false would almost certainly want communication to the host to be blocked as well.

[aboch]

@vincentwoo I am still not sure about this.

Further in the docs, it says a way to allow two containers to communicate when --icc=false is to --link them. The example shows the two iptables rule which will allow the inter-communication as a result of linking. And these two rules are about the internal L4 exposed port for the containers IP addresses. IOW, to me this says there was an assumption that the two containers would access each other services via the original exposed ports on the containers IP, and not via third routing interfaces. In fact, once two containers are linked their etc/hosts file is populated accordingly so that direct resolution can happen, so that they can reach each other directly via their own IP + exposed ports.

I am just trying to understand better the context in which the statement was written.

It therefore appears to me that the blockage of accessing the container ports via host mapped port on the bridge L3 interface just came as for free by the way other rules were implemented and not by design.

Given this, -- and the main host -- should not have been mentioned in the docs, because that was not true for access via any host L3 interface besides the docker0.

My advice is to fix the documentation.

[vincentwoo]

That's totally fine as an outcome, but regardless of the environment in which the initial statement was written I think there's a clear practical need serviced by "block containers from accessing the host". Historically users who want this would probably just turn off ICC and call it a day. If we decided to remove that functionality from ICC, can Docker either

a) provide an option to disable container-to-host networking
b) document how that might be achieved stably on your own?

[thaJeztah]

@vincentwoo perhaps you're looking for the --internal option for networks #19276

docker network create --internal private-network

docker run -d --net=private-network --name web nginx

docker run -it --rm --net=private-network ubuntu

Inside that container; contacting the outside world fails:

root@eb7b58ee4a9f:/# ping -c1 google.com
ping: unknown host google.com

But communication with other containers on the same network is allowed;

root@eb7b58ee4a9f:/# ping -c1 web
PING web (172.21.0.2) 56(84) bytes of data.
64 bytes from web.private-network (172.21.0.2): icmp_seq=1 ttl=64 time=0.080 ms

--- web ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.080/0.080/0.080/0.000 ms

[vincentwoo]

No, I want my containers to be able to contact the world, just not each other or the host.

[thaJeztah]

If each container is in its own network, they should only be able to connect to containers on the same network, or containers that publish a port (so are publicly accessible from outside the docker host). Given that those port are already publicly accessible, I'm not sure if changing this brings much extra

[vincentwoo]

The host may have a port open on localhost, but be behind a firewall (the default on cloud providers). A potentially malicious actor in a container gets past the firewall by virtue of running on the same host. In so much as icc=false is a security measure, I (and other users) almost certainly apply it as a measure of protection.

[vincentwoo]

This has a 1.11 label but I don't think it was addressed.

[thaJeztah]

@vincentwoo the "version/1.11" label is added based on the version it was originally reported with

[vincentwoo]

Okay, that's fair. Are there plans to address this?