Userland Proxy is Disabled

docker

Classification:

compliance

Framework:

cis-docker

Control:

2.14

Set up the docker integration.

Description

The Docker daemon starts a userland proxy service for port forwarding whenever a port is exposed. Where hairpin NAT is available, the userland proxy service is generally superfluous to requirements and can be disabled.

Rationale

The Docker engine provides two mechanisms for forwarding ports from the host to containers: hairpin NAT and a userland proxy. In most circumstances, hairpin NAT is preferred because it performs better and uses native Linux iptables functionality instead of an additional component. Where hairpin NAT is available, the userland proxy should be disabled at daemon startup to reduce the attack surface of the installation.

Audit

Check that the userland proxy service is turned off by reviewing the dockerd startup options and the settings in the /etc/docker/daemon.json file. To review the dockerd startup options, run:

ps -ef | grep dockerd

Ensure that the --userland-proxy parameter is set to false.

Also review the /etc/docker/daemon.json settings to see that userland-proxy is false.
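
The two-part audit above can be scripted. The following is an added example written for this page (not benchmark or Docker code): it reads the dockerd command line and a daemon.json path as arguments, so it can be run against captured data or the constructed samples at the bottom as well as a live host. It assumes daemon.json holds a plain `"userland-proxy": true|false` entry and uses no jq.

```shell
#!/bin/sh
# Example audit helper for CIS Docker 2.14 (added illustration, not benchmark code).
# It checks the two places the Audit section names: the dockerd command line and
# /etc/docker/daemon.json, then reports the effective setting.

# Print "false", "true" or "unset" for --userland-proxy on a dockerd command line.
# A bare "--userland-proxy" is a boolean flag and therefore means true.
userland_proxy_from_cmdline() {
    case " $1 " in
        *" --userland-proxy=false "*) echo false ;;
        *" --userland-proxy=true "*|*" --userland-proxy "*) echo true ;;
        *) echo unset ;;
    esac
}

# Same for daemon.json. Plain-sh extraction (no jq): expects a simple
# "userland-proxy": true|false entry; a missing or unreadable file counts as unset.
userland_proxy_from_daemon_json() {
    [ -r "$1" ] || { echo unset; return; }
    v=$(grep -Eo '"userland-proxy"[[:space:]]*:[[:space:]]*(true|false)' "$1" \
        | head -n 1 | sed 's/.*://; s/[[:space:]]//g')
    echo "${v:-unset}"
}

# PASS (exit 0) when the proxy is disabled, FAIL (exit 1) otherwise. A value on the
# command line is used first, then daemon.json, then Docker's default (enabled).
audit_userland_proxy() {
    cli=$(userland_proxy_from_cmdline "$1")
    cfg=$(userland_proxy_from_daemon_json "$2")
    if [ "$cli" != unset ]; then eff=$cli
    elif [ "$cfg" != unset ]; then eff=$cfg
    else eff=true
    fi
    echo "cmdline=$cli daemon.json=$cfg effective=$eff"
    [ "$eff" = false ] && { echo PASS; return 0; }
    echo FAIL; return 1
}

# Constructed samples (not captured from a real host): compliant and default setups.
SAMPLE_DIR=$(mktemp -d)
printf '{\n  "userland-proxy": false,\n  "log-level": "info"\n}\n' > "$SAMPLE_DIR/compliant.json"
printf '{\n  "log-level": "info"\n}\n' > "$SAMPLE_DIR/default.json"
audit_userland_proxy "/usr/bin/dockerd -H fd://" "$SAMPLE_DIR/compliant.json"
audit_userland_proxy "/usr/bin/dockerd -H fd://" "$SAMPLE_DIR/default.json" || true
```

On a live Linux host, pass the running daemon's arguments and the real config file, for example `audit_userland_proxy "$(ps -o args= -C dockerd)" /etc/docker/daemon.json`.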

Remediation

Run the Docker daemon as: dockerd --userland-proxy=false

Impact

Some systems with older Linux kernels may not be able to support hairpin NAT and therefore require the userland proxy service. Also, some networking setups can be impacted by the removal of the userland proxy.

Default value

By default, the userland proxy is enabled.

References

  1. http://windsock.io/the-docker-proxy/
  2. https://github.com/docker/docker/issues/14856
  3. https://github.com/docker/docker/issues/22741
  4. https://docs.docker.com/engine/userguide/networking/default_network/binding/

CIS controls

Version 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.