On this page: Docker - OpenSearch documentation
I think it might be better to warn people to bind the docker container to localhost. It may be a surprise to some new to docker that this instance is available to the web by default.
Suggested change from:
docker run -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:2.0.0
to
docker run -p 127.0.0.1:9200:9200 -p 127.0.0.1:9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:2.0.0
Hey Tim! I think this is a really good call out. If you want to put in an Issue/PR I think it would be well received. It’s open for contributions here
Only 7 months later…
opened 04:49PM - 01 Mar 23 UTC
untriaged
**What do you want to do?**
- [x] Request a change to existing documentation…
- [ ] Add new documentation
- [ ] Report a technical problem with the documentation
- [ ] Other
**Tell us about your request.** Provide a summary of the request and all versions that are affected.
Docker does some, um, interesting things with iptables by default.
If you run your demo command line `docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:latest` on a Linux server that is not air-gapped from the internet, this instance will be open to the internet even though a docker-naive junior admin may say, "but we locked down those ports!"
That admin is correct about actions they took.
However, Docker may overwrite those protections unless the users have disabled Docker's default behavior by setting `iptables=false` or modifying the `daemon.json` file.
To fix this vulnerability, include a bind to localhost in your examples.
`docker run -d -p 127.0.0.1:9200:9200 -p 127.0.0.1:9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:latest`
**What other resources are available?** Provide links to related issues, POCs, steps for testing, etc.
We did this over on Tika: https://hub.docker.com/r/apache/tika with an explanatory note about binding to localhost.
Ref:
https://stackoverflow.com/questions/64081992/docker-opened-up-ports-to-public-how-do-i-close-them
https://serverfault.com/questions/1077849/why-is-firewalld-allowing-public-traffic-to-my-non-public-ports-bound-to-docker
Note that even this binding might not be enough!
https://www.jeffgeerling.com/blog/2020/be-careful-docker-might-be-exposing-ports-world
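As an added example (this is not code from the thread, the linked issue, or the OpenSearch project), the POSIX shell script below turns the suggestion above into something you can run: it lists the `-p`/`--publish` values of a `docker run` command line that carry no host address (and so are published on all interfaces), rewrites them to bind to `127.0.0.1`, and flags already-running containers whose `docker ps` port column shows an all-interfaces binding. The `docker ps` output it scans is a constructed sample embedded in the script; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: lint and rewrite `docker run` port publications so they bind
# to the loopback address, and flag running containers that are published on
# all interfaces. Not from the thread or the OpenSearch project.

# Rewrite one -p/--publish value so it carries an explicit loopback host address.
#   host_ip:host_port:container_port -> unchanged (already bound to an address)
#   host_port:container_port         -> 127.0.0.1:host_port:container_port
#   container_port                   -> 127.0.0.1::container_port
bind_local() {
  case "$1" in
    *:*:*) printf '%s\n' "$1" ;;
    *:*)   printf '127.0.0.1:%s\n' "$1" ;;
    *)     printf '127.0.0.1::%s\n' "$1" ;;
  esac
}

# Print every -p/--publish value in a docker run command line that has no host
# address, i.e. one Docker would publish on 0.0.0.0 (and :: with IPv6 enabled).
unsafe_publishes() {
  prev=""
  for tok in "$@"; do
    val=""
    case "$prev" in
      -p|--publish) val="$tok" ;;
    esac
    case "$tok" in
      --publish=*) val="${tok#*=}" ;;
    esac
    case "$val" in
      "")    ;;                        # not a publish value
      *:*:*) ;;                        # explicit host address present
      *)     printf '%s\n' "$val" ;;
    esac
    prev="$tok"
  done
}

# Print the whole command line with every publish value passed through bind_local.
harden_cmd() {
  out=""
  prev=""
  for tok in "$@"; do
    case "$prev" in
      -p|--publish) tok=$(bind_local "$tok") ;;
    esac
    case "$tok" in
      --publish=*) tok="--publish=$(bind_local "${tok#*=}")" ;;
    esac
    out="${out:+$out }$tok"
    prev="$tok"
  done
  printf '%s\n' "$out"
}

# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'` output.
SAMPLE_PS='opensearch-node1 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp, 9300/tcp
opensearch-local 127.0.0.1:9200->9200/tcp, 9300/tcp
dashboards 0.0.0.0:5601->5601/tcp'

# Print the names of containers whose published ports are bound to all
# interfaces (0.0.0.0 for IPv4, :: for IPv6).
flag_exposed_ports() {
  printf '%s\n' "$1" | while read -r name ports; do
    case "$ports" in
      *0.0.0.0:*|*:::*) printf '%s\n' "$name" ;;
    esac
  done
}

# Demo against the command line quoted in the thread.
unsafe_publishes docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:latest
harden_cmd docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:latest
flag_exposed_ports "$SAMPLE_PS"
```

On a real host, feed `flag_exposed_ports` the output of `docker ps --format '{{.Names}} {{.Ports}}'`; a line showing `0.0.0.0:9200->9200/tcp` is the all-interfaces publish the thread warns about, `127.0.0.1:9200->9200/tcp` is the loopback-bound form. A host-wide alternative to fixing every command line is the `"ip"` key in `daemon.json` (the dockerd `--ip` option), which changes the default host address for published ports; as the thread's last link notes, even a loopback bind is not a substitute for reviewing the iptables rules Docker installs.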
I really like that there’s a link on the page for opening an issue on the documentation! Thank you!