Docker exposes itself to your LAN

Jarle Fosen — Mon, 28 Oct 2024 16:32:25 +0000

TL;DR

Docker binds to IP 0.0.0.0 by default, meaning that all containers exposed on your machine are also accessible to anyone who can reach your IP address.

This is very useful for a server that serves content online, but not necessarily so useful for local development.

You can change the default by setting "ip": "127.0.0.1" in daemon.json.
See here for more information.

Are you exposing your containers to your friends?

If you use Docker you might be familiar with running commands like this

docker run -p 8080:80 my-cool-service

It starts a container from the my-cool-service image and exposes the container port 80 on the host machine port 8080. But it doesn't stop there. By default on Mac this also exposes your cool service to anyone who can access your IP address - which typically would be everyone on the same LAN.

Why?

By default Docker binds to the IP 0.0.0.0 which means it accepts incoming connections to all IPv4 interfaces on your machine. This makes sense if you run Docker on a server and expect people to be able to access your content.
But locally you may not want this as the default behavior. Especially if you run a database for local development without any changing the default password.

Fear not, you can change this behavior!

In the Docker daemon.json config file you have the ability to set which IP it binds to by default.
By setting this to 127.0.0.1 it will only accept connections from your own machine.
https://docs.docker.com/engine/network/packet-filtering-firewalls/#default-bridge

If you need to expose a service to your friends on the same LAN, you can easily do so when starting up a container

# docker run -p HOST_IP:HOST_PORT:CONTAINER_PORT IMAGE
docker run -p 0.0.0.0:8080:80 my-cool-service

DEV Community: Jarle Fosen

Docker exposes itself to your LAN

TL;DR

Are you exposing your containers to your friends?

Why?

Fear not, you can change this behavior!