Swarm services are bound to a specific host interface
Description
By default, Docker swarm services will listen on all interfaces on the host. This may not be necessary for the operation of the swarm where the host has multiple network interfaces.
Rationale
When a swarm is initialized, the default value for the --listen-addr flag is 0.0.0.0:2377, which means that swarm services will listen on all interfaces on the host. If a host has multiple network interfaces this may be undesirable, as it could expose swarm services to networks which are not involved in the operation of the swarm. By passing a specific IP address to --listen-addr, a specific network interface can be selected, limiting this exposure.
Audit
Check the network listener on port 2377/TCP (the default for Docker swarm) to confirm it is only listening on specific interfaces. For example, on Ubuntu run the command:
netstat -lt | grep -i 2377
Remediation
Resolving this issue requires re-initialization of the swarm, specifying a specific interface for the --listen-addr parameter.
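As an added example (not code from the CIS benchmark, Docker, or the docker integration), the following POSIX shell function turns the audit above into a pass/fail check: it classifies every TCP 2377 listener in `ss -ltn` or `netstat -ltn` output as bound to a specific address or to a wildcard, and is exercised here on constructed sample lines rather than a live host.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or the docker integration.
# check_swarm_listen reads listener lines in `netstat -ltn` or `ss -ltn`
# format (local address:port is the 4th whitespace-separated field in both)
# and reports each TCP 2377 listener as PASS (specific address) or FAIL
# (wildcard 0.0.0.0 / :: / *). Exit status: 0 if no wildcard listener on
# 2377 was found, 1 otherwise.
check_swarm_listen() {
  printf '%s\n' "$1" | awk '
    { addr = $4 }
    addr ~ /:2377$/ {
      host = addr
      sub(/:[0-9]+$/, "", host)          # strip the port, keep IPv6 brackets
      if (host == "0.0.0.0" || host == "::" || host == "[::]" || host == "*") {
        print "FAIL wildcard listener on " addr
        bad = 1
      } else {
        print "PASS listener bound to specific address " addr
      }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Audit the live host: prefer ss, fall back to netstat (both need -n so
# the port stays numeric instead of being resolved to a service name).
audit_swarm_listen_live() {
  if command -v ss >/dev/null 2>&1; then
    check_swarm_listen "$(ss -ltn)"
  else
    check_swarm_listen "$(netstat -ltn)"
  fi
}

# Constructed sample output (not captured from a real host) for the two
# outcomes; the tcp6 line shows netstat's ":::2377" wildcard form.
SAMPLE_WILDCARD='tcp        0      0 0.0.0.0:2377            0.0.0.0:*               LISTEN
tcp6       0      0 :::2377                 :::*                    LISTEN'
SAMPLE_BOUND='tcp        0      0 10.0.0.5:2377           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Remediation per the benchmark is to re-initialise the swarm with an
# explicit address, e.g. (10.0.0.5 is a hypothetical management address):
#   docker swarm init --listen-addr 10.0.0.5:2377
```

Running `audit_swarm_listen_live` on a manager node prints one line per 2377 listener and exits non-zero when any of them is a wildcard bind, so it can be dropped into an existing compliance script as-is.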
Impact
None
Default value
By default, Docker swarm services listen on all available host interfaces.
References
- https://docs.docker.com/engine/reference/commandline/swarm_init/#--listen-addr
- https://docs.docker.com/engine/swarm/admin_guide/#recover-from-disaster
CIS controls
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services