Suggestion for getting started page, bind to container to localhost

tallison · June 14, 2022, 6:27pm

On this page: Docker - OpenSearch documentation

I think it might be better to warn people to bind the docker container to localhost. It may be a surprise to some new to docker that this instance is available to the web by default.

Suggested change from:

docker run -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:2.0.0

to

docker run -p 127.0.0.1:9200:9200 -p 127.0.0.1:9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:2.0.0

dtaivpp · June 14, 2022, 8:44pm

Hey Tim! I think this is a really good call out. If you want to put in an Issue/PR I think it would be well received. It’s open for contributions here

github.com

opensearch-project/documentation-website/blob/main/_opensearch/install/docker.md

---
layout: default
title: Docker
parent: Install OpenSearch
nav_order: 3
---

# Docker image

You can pull the OpenSearch Docker image from either Docker Hub or the public gallery hosted on AWS Elastic Container Registry (ECR).

From [Docker Hub](https://hub.docker.com/u/opensearchproject):
```bash
docker pull opensearchproject/opensearch:latest
docker pull opensearchproject/opensearch-dashboards:latest
```

From [AWS ECR](https://gallery.ecr.aws/opensearchproject/):
```bash
docker pull public.ecr.aws/opensearchproject/opensearch:latest

This file has been truncated. show original

tallison · March 1, 2023, 7:39pm

Only 7 months later…

github.com/opensearch-project/documentation-website

[DOC] Fix docker port mapping examples to prevent opening demo servers to the internet

opened 04:49PM - 01 Mar 23 UTC

tballison

untriaged

**What do you want to do?** - [*] Request a change to existing documentation… - [ ] Add new documentation - [ ] Report a technical problem with the documentation - [ ] Other **Tell us about your request.** Provide a summary of the request and all versions that are affected. Docker does some, um, interesting things with iptables by default. If you run your demo commandline `docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:latest` on a linux server that is not air-gapped from the internet, this instance will be open to the internet even though a docker-naive junior admin may say, "but we locked down those ports!" That admin is correct about actions they took. However, Docker may overwrite those protections unless the users have disabled Docker's default behavior: `iptables=false`or modifying the `daemon.json` file. To fix this vulnerability, include a bind to localhost in your examples. `docker run -d -p 127.0.0.1:9200:9200 -p 127.0.0.1:9600:9600 -e "discovery.type=single-node" opensearchproject/opensearch:latest` **What other resources are available?** Provide links to related issues, POCs, steps for testing, etc. We did this over on Tika: https://hub.docker.com/r/apache/tika with an explanatory note about binding to localhost. Ref: https://stackoverflow.com/questions/64081992/docker-opened-up-ports-to-public-how-do-i-close-them https://serverfault.com/questions/1077849/why-is-firewalld-allowing-public-traffic-to-my-non-public-ports-bound-to-docker Note that even this binding might not be enough! https://www.jeffgeerling.com/blog/2020/be-careful-docker-might-be-exposing-ports-world

I really like that there’s a link on the page for opening an issue on the documentation! Thank you!

Topic		Replies	Views
The best way in order to see this product? OpenDistro	4	1784	June 28, 2021
Docker container as development environment? OpenSearch	3	320	July 2, 2022
'Download' or 'Get Started' on OpenSearch.org General Feedback	20	1099	November 17, 2021
Docker container intermittently failing to start in CI OpenDistro	8	2863	March 22, 2023
Performance Analyzer Report OpenSearch troubleshoot	4	78	April 17, 2024

Suggestion for getting started page, bind to container to localhost

Related Topics