Bind daemon to 0.0.0.0 in Vagrant

[titanous]

Fixes #1304.

[keeb-zz]

LGTM.

[creack]

/cc @mzdaniel

[vieux]

LGTM

[brynary]

Does this present a security issue? e.g. If someone is running the Docker Vagrant VM, and is on public wifi in an SF coffee shop, can you run arbitrary processes on their machine?

Ideally Docker would be accessible on the host OS, but not to the entire network.

[titanous]

Good call @brynary, I guess I just assumed that people heavily firewalled their machines when on untrusted networks, as Vagrant had this issue with the SSH port and insecure key for years.

It looks like hashicorp/vagrant#1785 discusses this and there is a new host_ip parameter in v1.2.3, so we are essentially reopening that issue when you run this VM.

@mzdaniel Is there a reason why we are maintaining compatibility with the pre-1.2 Vagrantfile format?

[mzdaniel]

This is getting too specific to Vagrant use in production. One of the main goals of the Vagrantfile is to introduce docker to the widest audience. It seems reverting the PR is the best compromise for now.

[titanous]

This PR fixes usage in development, not production. it allows use of Docker from the host no matter what OS is in the use.

[metalivedev]

I would prefer to be secure by default, and document how to modify the Vagrantfile for access from outside the VM.

The commandline warns you strongly to not bind -H 0.0.0.0 unless you know what you're doing, but the Vagrant user will get no such warning and the Vagrant user has a higher chance of not knowing the consequences.

I would be happy to add a section to the Vagrant docs to describe how to change the setting manually, or, better, maybe we could tweak the Vagrantfile to read an environment variable, defaulting to secure settings unless you explicitly tell Vagrant to expose docker.

[titanous]

Why not leave this and add a host_ip: 127.0.0.1 to the Vagrantfile, mitigating the security problem and allowing use from the host?

[weisjohn]

@titanous do you have an example of using the host_ip directive? I'm trying to build something for all of my team to use docker form thier CLI without sshing (we all use Macs) and I either need this PR to land or to find out how to use Vagrant a little better.

I've looked at the documentation on Vagrantfiles here: http://docs.vagrantup.com/v2/vagrantfile/machine_settings.html and didn't see a host_ip parameter.

[titanous]

@weisjohn This PR has been merged. The host_ip directive is needed to secure a hole that it opens up. Here is an example of usage: https://github.com/mitchellh/vagrant/blob/16002d03c07f842a23497543129fa99f40f2bbc0/config/default.rb#L24

[weisjohn]

@titanous thanks for such a quick reply and the link!

[titanous]

@mzdaniel Do we need to keep Vagrant pre-1.2 compatibility? I'd like to add the host_ip fix, but it's only available in Vagrant >= 1.2.3.

[mzdaniel]

@titanous:
'This PR fixes usage in development, not production.'

/Vagrantfile is meant for 'production' and for general use. Requiring users to upgrade their Vagrant installation and making docker more insecure doesn't seem good tradeoffs for this PR.

/hack/Vagrantfile is the development one.

Your PR changed /Vagrantfile. Do you mind doing the corresponding changes?

[titanous]

@mzdaniel Ah, that makes sense, I'm on the same page now. In that case, let's just revert this PR. The /hack/Vagrantfile requires running Docker manually, so there's nothing to modify. Revert PR incoming.