You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 27, 2023. It is now read-only.
/!\ Docker Compose V2 has moved to github.com/docker/compose, this repository is for "Cloud Integrations". You can report issues related to docker composehere.
Description
Redo of #2135.
All tasks are assigned a public IP.
Combined with #1783, this creates a bit of a security gap.
Assume the following:
While nginx is open to the public (by publishing ports and causing a LB to be attached), we don't want sensitive_backend to be exposed.
However, they're both assigned a public IP and being joined to this secgroup:
This effectively allows public access to the container.
The steps that IMO should be taken are:
Steps to reproduce the issue:
See compose file above
Describe the results you received:
All services are assigned a public IP address
Describe the results you expected:
Only services asking for a public IP (if any) should be assigned one
Additional information you deem important (e.g. issue happens only occasionally):
I'm not sure any service should have a public IP considering access should be done via LBs, but it's cheap to allow an optin.
Output of docker-compose --version:
(paste your output here)
Output of docker version:
Docker version 20.10.22, build 3a2c30b63a
Output of docker context show:
You can also run docker context inspect context-name to give us more details but don't forget to remove sensitive content.
This is a massive security flaw. It makes the Cloud Integration on AWS unusable for production use for the common scenarios (any architecture where you have some services which are not public facing, hard to imagine a scenario that would not have that.
Thanks for validating my findings on this @BackSlasher .
To anyone looking at this issue in the repo, I can tell you that this tool set seems to have been abandoned by Docker as of 2023. This is only one of many deal breaking issues that have come up in the last six months with no reply from the maintainers. (You will see a guy post about his own tool that does the same thing, that he suggests as an alternative. But the maintainers have been in radio silence for some time). I wish I had know this was going to happen when I picked this tool in mid 2022.
/!\ Docker Compose V2 has moved to github.com/docker/compose, this repository is for "Cloud Integrations". You can report issues related to
docker compose
here.Description
Redo of #2135.
All tasks are assigned a public IP.
Combined with #1783, this creates a bit of a security gap.
Assume the following:
While nginx is open to the public (by publishing ports and causing a LB to be attached), we don't want
sensitive_backend
to be exposed.However, they're both assigned a public IP and being joined to this secgroup:
This effectively allows public access to the container.
The steps that IMO should be taken are:
Steps to reproduce the issue:
See compose file above
Describe the results you received:
All services are assigned a public IP address
Describe the results you expected:
Only services asking for a public IP (if any) should be assigned one
Additional information you deem important (e.g. issue happens only occasionally):
I'm not sure any service should have a public IP considering access should be done via LBs, but it's cheap to allow an optin.
Output of
docker-compose --version
:Output of
docker version
:Output of
docker context show
:You can also run
docker context inspect context-name
to give us more details but don't forget to remove sensitive content.Output of
docker info
:Additional environment details (AWS ECS, Azure ACI, local, etc.):
AWS ECS
The text was updated successfully, but these errors were encountered: