movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-12 04:35:41 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/oci-containers: document firewall bypass

Browse source 
Add explanation about the security impact of the
ports option.
Provide a safer example.

The problem is discussed in greater depth here:
https://github.com/NixOS/nixpkgs/issues/111852
This commit is contained in:
Jakob Klepp 2024-07-18 14:29:06 +02:00
parent 9def6d0121
commit c5c92feff7
No known key found for this signature in database
GPG key ID: 5B3D75E720D55016
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
nixos/modules/virtualisation/oci-containers.nix
View file

@ -148,12 +148,17 @@ let
somewhere within the specified `hostPort` range. somewhere within the specified `hostPort` range.
Example: `1234-1236:1234/tcp` Example: `1234-1236:1234/tcp`
Publishing a port bypasses the NixOS firewall. If the port is not
supposed to be shared on the network, make sure to publish the
port to localhost.
Example: `127.0.0.1:1234:1234`
Refer to the Refer to the
[Docker engine documentation](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) for full details. [Docker engine documentation](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) for full details.
''; '';
example = literalExpression '' example = literalExpression ''
[ [
"8080:9000" "127.0.0.1:8080:9000"
] ]
''; '';
}; };