rkt/rkt

Expose port only on loopback device

Open

#2230 opened on Feb 25, 2016

View on GitHub
 (9 comments) (1 reaction) (0 assignees)Go (8,871 stars) (865 forks)batch import
area/networkinghelp wantedkind/support

Description

My current setup uses docker containers that expose their ports only on localhost and are accessible via a reverse proxy from the outside world. Now I wanted to switch some services to rkt, but I couldn't get it managed to expose ports only on localhost. In fact, the rkt container was accessible from everywhere but not from localhost. I tried to run a gogs git server like this: sudo rkt run --insecure-options=image --port=3000-tcp:3000 docker://gogs/gogs. Is it possible to publish ports only on localhost with rkt run?

Contributor guide

Tech stack
go
Domain
infrastructuresecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
container networkingGo programmingrkt architecture
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
25
Research direction
Investigate rkt's networking implementation, particularly the port mapping in stage0 or stage1. Look for existing flags or configuration options that could restrict binding to loopback. Consider adding a flag like port bind address or modifying the net plugin to honor a loopback only setting. Review similar issues and PRs in the repo for prior discussions.