Containers only see IP of docker gateway when using nextcloud in docker rootless due to rootless "builtin" default port driver #4621
Labels: 2. developing, documentation, good first issue, help wanted
Steps to reproduce
Expected behavior
Correct IP logged.
Actual behavior
IP of the docker network gateway logged.
Host OS
linux
Nextcloud AIO version
Nextcloud AIO v8.2.1
Current channel
latest
Root cause
When using rootless mode, Docker defaults to the "builtin" port driver.
See https://docs.docker.com/engine/security/rootless/#networking-errors.
But that port driver doesn't allow forwarding of the remote IP; instead, containers see connections as coming from the IP of the docker network gateway (e.g. 172.19.0.1).
This means that Nextcloud's IP-based security measures don't work correctly and it is e.g. possible to do a denial-of-service attack against the Nextcloud instance by spamming invalid logins and getting the IP of the gateway throttled or even blocked.
Fix
In order to fix this one can also use slirp4netns as a port driver. slirp4netns needs access to privileged ports, which can be granted by adding `net.ipv4.ip_unprivileged_port_start=0` in `/etc/sysctl.conf`. (Only adding via netcap doesn't work; rootless-containers/slirp4netns#251 (comment), "Rootless Docker: Error starting userland proxy: error while calling PortManager.AddPort(): reply.Error: map[desc:bad request: add_hostfwd: slirp_add_hostfwd failed]", says this is because rootlesskit drops the privs again before they could be used.) Then add `~/.config/systemd/user/docker.service.d/override.conf` with content
Note that this will likely decrease performance.
See also: https://rootlesscontaine.rs/getting-started/docker/#changing-the-port-forwarder
Update docs
I propose updating the documentation for Nextcloud in docker rootless.
Mention that, if no non-dockerized reverse proxy is used, the logged remote IPs will be that of the docker gateway, and how to fix that.
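The port-driver switch described in the Fix section, written out as a shell script. This is an added example and not code from the issue, from Nextcloud AIO or from Docker; the systemd drop-in content (`DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns`) follows the rootlesscontaine.rs page linked above, the sysctl follows the issue, and the function names, the sample log lines and the `/etc/sysctl.d/99-rootless-docker.conf` path are this example's own choices. It assumes a systemd user unit named docker.service, sudo for the sysctl, and procps `ps` for the live check. Besides applying the change it adds two checks a practitioner would want: which port driver the running rootlesskit actually uses, and whether nextcloud.log only ever records the bridge gateway as the client address (the symptom that makes the brute-force throttling hit everyone at once).

```shell
#!/bin/sh
# Added example (not from the issue, Nextcloud AIO or Docker): switch rootless
# Docker from the "builtin" port driver to slirp4netns and verify the result.
# Assumptions: systemd user unit docker.service, sudo, procps ps. Function
# names, the sysctl.d file name and SAMPLE_LOG are this example's own.
set -eu

OVERRIDE_DIR="${HOME}/.config/systemd/user/docker.service.d"
OVERRIDE_FILE="${OVERRIDE_DIR}/override.conf"

# systemd drop-in: dockerd-rootless.sh reads this variable and passes the
# matching --port-driver to rootlesskit (see the rootlesscontaine.rs link).
render_override_conf() {
    cat <<'EOF'
[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
EOF
}

# slirp4netns cannot bind ports below 1024 on its own (a file capability on
# rootlesskit does not help, see the linked slirp4netns issue), so lower the
# privileged-port boundary system-wide. Needed for 80/443.
render_sysctl_conf() {
    echo "net.ipv4.ip_unprivileged_port_start=0"
}

# Extracts the port driver from a rootlesskit command line.
# Live use: port_driver_from_args "$(ps -o args= -C rootlesskit | head -n 1)"
port_driver_from_args() {
    printf '%s\n' "$1" | sed -n 's/.*--port-driver=\([^ ]*\).*/\1/p'
}

# Prints the distinct "remoteAddr" values of nextcloud.log JSON lines on stdin.
distinct_remote_addrs() {
    sed -n 's/.*"remoteAddr":"\([^"]*\)".*/\1/p' | sort -u
}

# Returns 0 when the only address the log has ever seen is the given docker
# gateway, i.e. clients are indistinguishable and one attacker's failed
# logins throttle everybody; returns 1 otherwise.
only_gateway_seen() {
    [ "$(distinct_remote_addrs)" = "$1" ]
}

# Writes the drop-in and the sysctl, then restarts the rootless daemon.
apply_fix() {
    mkdir -p "$OVERRIDE_DIR"
    render_override_conf > "$OVERRIDE_FILE"
    render_sysctl_conf | sudo tee /etc/sysctl.d/99-rootless-docker.conf >/dev/null
    sudo sysctl --system >/dev/null
    systemctl --user daemon-reload
    systemctl --user restart docker
}

# Constructed sample log lines (not a real nextcloud.log): the symptom from
# the issue, every request attributed to the bridge gateway 172.19.0.1.
SAMPLE_LOG='{"reqId":"r1","level":2,"remoteAddr":"172.19.0.1","message":"Login failed: admin (Remote IP: 172.19.0.1)"}
{"reqId":"r2","level":2,"remoteAddr":"172.19.0.1","message":"Login failed: bob (Remote IP: 172.19.0.1)"}
{"reqId":"r3","level":1,"remoteAddr":"172.19.0.1","message":"Bruteforce attempt from \"172.19.0.1\" detected for action \"login\"."}'

# "sh fix-port-driver.sh apply" changes the host; with no argument it only
# reports on the sample log.
if [ "${1:-}" = "apply" ]; then
    apply_fix
else
    if printf '%s\n' "$SAMPLE_LOG" | only_gateway_seen 172.19.0.1; then
        echo "sample log: every request comes from the gateway, the port driver hides client IPs"
    fi
fi
```

After `apply`, confirm with `port_driver_from_args "$(ps -o args= -C rootlesskit | head -n 1)"` that it prints `slirp4netns`, then make a failed login from a known client and check that `distinct_remote_addrs < nextcloud.log` now lists that client's address rather than 172.19.0.1.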