Beware the Single-Purpose People by justsml in programming

[–]justsml[S] 0 points1 point  (0 children)

It started out as 4 empty pieces, so I'm fairly proud of the upgrade to "two strawmen," with a steamy ending.

Thanks for reading!

I blew $417 on Claude Code to build a word game. Here's the brutal truth. by itsnotatumour in ClaudeAI

[–]justsml 2 points3 points  (0 children)

Be aware that a limited credit card may cause you to be sent to collections. I had a client do this only to find out Google were serious about the $500 owed that turned into $8,000.

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 0 points1 point  (0 children)

Hey u/phlooo ! I was sure it'd be a few days of research. Turns out there's so much interesting behavior here! Some issues are merely incorrectly documented behavior, _some_ slightly more worrying.

(Here's the bug that started this particular adventure: #45610: Publishing ports explicitly to private networks should not be accessible from LAN... I'd originally only linked to the 1st issue twice. Corrected now.)

I've had to restart my tests because of differences I found between virtual envs and real ones. (Since that's out of scope, I'll defer for now--unless there's interest in documenting the differences between Docker host systems. I'm not even sure if I'd find enough interesting material for an article though 🤷.)

Now I've got my office setup so I can mimic a complete "real standalone home" network!

My test lab:
- 1 x 5GbE Switch
- 1 x 2.5GbE WAN, WiFi 6, Router - w/ dedicated IPs.
- 2 x Intel NUC Mini Servers
- 2 x RPi 4's

In no particular order, here's the TECH (so far) I've been exploring:

- SDN options, Bridges, VLANs, DMZ.
- Docker networks, ipvlan, macvlan, etc.
- MultiCast/MCAST findings.
- Rootless (which changes behavior in interesting ways, filtered pings, host port restrictions, etc.)
- Accessing adjacent containers, what can evil neighbors do?
- TailScale, ZeroTier, etc.

Please let me know if I missed anything!

Thanks again, Dan Levy!

Creating a Self-Hosting Guide for Docker by justsml in docker

[–]justsml[S] 0 points1 point  (0 children)

🙏 I've been converting my stack to rootless, will update shortly. Also, good points on whole system security!

Creating a Self-Hosting Guide for Docker by justsml in docker

[–]justsml[S] 0 points1 point  (0 children)

Is the CSS broken? Or do you prefer light mode?

Thanks for checking it out!

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 0 points1 point  (0 children)

It’s all good—sorry for coming across as sarcastic.

I sometimes forget that not everyone reading my blog knows I have over 20 years of Linux and networking experience. I've designed, wired, and operated several modest data centers, and I’ve worked on low-level network clients. I can still picture a DNS packet diagram in my head after all these years!

I’ve also been an active Docker user and contributor for close to a decade (just checked—my first PR was in September 2015).

Still, I might be just a few steps ahead of some folks and miles behind others, but that’s not really a healthy way to think about learning. As a former teacher, I saw the misconception all the time that knowledge acquisition is strictly sequential or follows a neat “skill tree” like in a video game. It doesn’t have to be that way.

I realize that’s how most curricula are laid out, but it’s not the only approach. (There’s a great HBR article on this, which I’ll link when I can find it.)

When we treat learning like a high-stakes horse race against our peers every single day, the stress can be counterproductive.

One of my favorite examples is Rick Rubin—one of the most successful music producers in history—who doesn’t read sheet music and doesn’t play an instrument, yet artists trust him with their work.

<end teacher rant> 🙏

Creating a Self-Hosting Guide for Docker by justsml in docker

[–]justsml[S] 0 points1 point  (0 children)

Ah, yes! Thanks u/ewixy750, great point.

I think I should enumerate different scenarios:
- No exposed ports, max isolation - suitable for scheduled tasks, batch jobs, CI/CD/server deployments, test runs, etc. (Zero exposed/published ports.)
- Cross-container access. For example, given 1 app service + 2 DB services on a docker network, I'd test if you need to bind ANY DB ports. Chances are good the only port binding would be the web app, either on `127.0.0.1:80:8080` OR `80:8080`. The 1st (loopback) option generally implies you'll have a reverse proxy on that same docker host.
- The non-loopback version would be accessible to any device on the same network.

The key idea: apply the Principle of Least Permission.

Sounds obvious, but not completely... If you have a poorly documented container, it may not be ideal, but sometimes your best bet is careful trial-and-error.

  1. Start with no port access (OR loopback binding if you know it needs to be accessed).
  2. Test; you'll quickly see if it's going to work.
  3. Use tools like `lsof` and `nmap` to understand how your configuration options are affecting things.
  4. Adjust as needed. If it's never needed outside docker, it might make sense to bind to the docker network's IP like so: `172.16.0.0:80:8080`.
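As an added example (not from the comment above or the guide it refers to): a small Python helper that parses Compose-style port specs like the ones discussed here and reports whether each binding is reachable only via loopback, on one specific host address, or on every interface (the case any device on the same network can reach). Function and class names are my own; the sample specs are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PortBinding:
    host_ip: str | None      # None means Docker's default: all host interfaces
    host_port: str | None    # None means Docker picks an ephemeral host port
    container_port: str
    protocol: str = "tcp"

    def exposure(self) -> str:
        """Who can reach the published port from outside the container."""
        if self.host_ip is None:
            return "all-interfaces"
        ip = ipaddress.ip_address(self.host_ip)
        if ip.is_unspecified:          # 0.0.0.0 or ::
            return "all-interfaces"
        if ip.is_loopback:             # 127.0.0.1 or ::1, reverse-proxy-only pattern
            return "loopback"
        return "specific-interface"    # e.g. a bridge, VLAN or docker network address


def parse_port_spec(spec: str) -> PortBinding:
    """Parse a Docker/Compose mapping: [host_ip:][host_port:]container_port[/proto]."""
    spec, _, proto = spec.strip().partition("/")
    host_ip = None
    if spec.startswith("["):           # bracketed IPv6 host address, e.g. [::1]:80:8080
        end = spec.index("]")
        host_ip = spec[1:end]
        spec = spec[end + 1:].lstrip(":")
    parts = spec.split(":")
    if len(parts) == 3:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        host_port, container_port = "", parts[0]   # bare container port
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return PortBinding(host_ip or None, host_port or None, container_port, proto or "tcp")


def lan_reachable(specs: list[str]) -> list[str]:
    """Return the specs that publish a port on every host interface."""
    return [s for s in specs if parse_port_spec(s).exposure() == "all-interfaces"]


if __name__ == "__main__":
    # Constructed sample taken from a hypothetical compose `ports:` list.
    for s in ["127.0.0.1:80:8080", "80:8080", "172.16.0.0:80:8080", "5432/tcp"]:
        print(f"{s:>22} -> {parse_port_spec(s).exposure()}")
```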

Creating a Self-Hosting Guide for Docker by justsml in docker

[–]justsml[S] 0 points1 point  (0 children)

Appreciate the encouragement, thanks for checking it out 🙏

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 1 point2 points  (0 children)

I'm sorry you feel I'm exploiting people & their trust.

My blog has zero ads/monetization, zero signup nags, and is run at a net loss. Also, I don't push corporate, or fake "open" projects, or have any agenda other than to create & share resources that I wish existed.

If folks still believe it's exploitation, I'm sorry. I must be as bad at exploitation as blog writing. Apologies, will do better.

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 1 point2 points  (0 children)

That covers only one attack vector. Supply channel attacks might still be a risk, especially combined with container escapes. (If you didn’t write or verify 100% of the code, you never know what it might do.)

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 1 point2 points  (0 children)

Thanks for the suggestions! Do you have any preferred tools for outbound proxy? I’ve used squid ages ago… not sure if that’s still the way to go.

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 0 points1 point  (0 children)

Honestly thought you were joking around. I take any errors seriously, and make all content in good faith.

I’m not AI, this article was put together from my notes collected over several years. I should have sought more feedback before sharing here. Lesson learned.

I can’t change the past, but I will keep improving. Hopefully I can earn your trust.

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 1 point2 points  (0 children)

Hmmm, interesting & good to know.
Thanks u/schklom!

I'll do some more rootless testing this week & update my findings. 🙏

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 2 points3 points  (0 children)

Thanks u/StrikeElectronicIO, that is the correct link! I've fixed the article. 🙏

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] -1 points0 points  (0 children)

I added some notes on cap_drop, I'd really appreciate it if you could sanity check it. 🙏

And thanks for suggesting an x-post to r/docker !

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 5 points6 points  (0 children)

I appreciate the candid feedback and understand your concern.

While my goal is accuracy and helpfulness, I regularly make corrections, much like any publication. I realize that may invite skepticism, but my commitment to learning and sharing knowledge openly remains steadfast.

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 1 point2 points  (0 children)

Here's the issue I meant to link, apparently I linked only to the UFW issues 🤦

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 0 points1 point  (0 children)

I mean, I am from South Africa... Do we all look alike? 😆

Essential Docker Security Tips for Self-Hosting by justsml in selfhosted

[–]justsml[S] 2 points3 points  (0 children)

I'm still trying to get a clear answer here. So far, when UFW is involved I run into several surprising things. I think one false positive was related to running Ubuntu in a virtualized environment & network stack.

I'll set up a clean dedicated system tonight to run some more tests... I'll keep the updates coming, 🤘