
Containers only see IP of docker gateway when using nextcloud in docker rootless due to rootless "builtin" default port driver

Open ccaccb opened this issue 9 months ago • 1 comment

Steps to reproduce

  1. Set up Nextcloud AIO with Docker rootless as documented in docker-rootless.md. Don't use an external reverse proxy.
  2. Try logging in with an invalid password.
  3. The IP logged in the admin logs is the IP of the docker network gateway, not the actual remote IP of the client.

Expected behavior

Correct IP logged.

Actual behavior

IP of the docker network gateway logged.

Host OS

linux

Nextcloud AIO version

Nextcloud AIO v8.2.1

Current channel

latest

Root cause

When using rootless Docker, it defaults to the "builtin" port driver. See https://docs.docker.com/engine/security/rootless/#networking-errors. But that port driver doesn't forward the remote IP; instead, containers see connections as coming from the IP of the Docker network gateway (e.g. 172.19.0.1). This means that Nextcloud's IP-based security measures don't work correctly and it is e.g. possible to do a denial-of-service attack against the Nextcloud instance by spamming invalid logins and getting the IP of the gateway throttled or even blocked.

Fix

In order to fix this, one can use slirp4netns as the port driver instead.

  • Give slirp4netns access to privileged ports by adding net.ipv4.ip_unprivileged_port_start=0 in /etc/sysctl.conf. (Only adding via netcap doesn't work; https://github.com/rootless-containers/slirp4netns/issues/251#issuecomment-761415404 says this is because rootlesskit drops the privileges again before they could be used.)
  • Create ~/.config/systemd/user/docker.service.d/override.conf with content
    [Service]
    Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
    
  • And then restart the daemon:
    $ systemctl --user daemon-reload 
    $ systemctl --user restart docker
    

Note that this will likely decrease performance. See also: https://rootlesscontaine.rs/getting-started/docker/#changing-the-port-forwarder

Update docs

I propose updating the documentation for Nextcloud in Docker rootless. Mention that if not using a non-dockerized reverse proxy, the logged remote IPs will be that of the Docker gateway, and how to fix that.

ccaccb avatar May 05 '24 14:05 ccaccb
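Added here as an example, not code from the issue author or from Nextcloud AIO: a small POSIX shell audit that checks the two settings the fix above relies on (the slirp4netns port driver in the systemd user override and net.ipv4.ip_unprivileged_port_start) and counts how many Nextcloud "Login failed" lines carry the gateway or loopback address instead of a client address, which is the symptom that makes the brute-force throttle a single shared bucket. The override path, the environment variable and the gateway value 172.19.0.1 come from the issue; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not part of Nextcloud AIO or the issue author's text): audit a
# rootless Docker host for the configuration described in the issue and spot the
# symptom in Nextcloud login-failure log lines. Paths and the env var follow the
# issue; the sample log lines at the bottom are constructed.

OVERRIDE_PATH="${HOME}/.config/systemd/user/docker.service.d/override.conf"
SYSCTL_KEY="net.ipv4.ip_unprivileged_port_start"

# Returns 0 if the override.conf content passed as $1 selects the slirp4netns
# port driver (the setting the issue's fix adds).
override_selects_slirp4netns() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*Environment="?DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"?[[:space:]]*$'
}

# Returns 0 if the sysctl value in $1 lets the unprivileged rootlesskit/slirp4netns
# process bind ports 80 and 443 (anything above 80 blocks at least HTTP).
port_start_allows_web_ports() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number
    esac
    [ "$1" -le 80 ]
}

# Prints the "Remote IP" from a Nextcloud "Login failed" log line ($1);
# prints nothing for lines that are not login failures.
login_failure_remote_ip() {
    printf '%s\n' "$1" | sed -n 's/^.*Login failed: .* (Remote IP: \([^)]*\)).*$/\1/p'
}

# Reads log lines from stdin and prints how many login failures were attributed
# to the gateway address in $1 (or to 127.0.0.1) instead of a real client.
# Every such failure counts against one shared IP in Nextcloud's throttle.
count_masked_login_failures() {
    masked=0
    while IFS= read -r line; do
        ip=$(login_failure_remote_ip "$line")
        [ -n "$ip" ] || continue
        if [ "$ip" = "$1" ] || [ "$ip" = "127.0.0.1" ]; then
            masked=$((masked + 1))
        fi
    done
    printf '%s\n' "$masked"
}

# --- stand-alone run: report on this host, then on the constructed sample ---
if [ -r "$OVERRIDE_PATH" ] && override_selects_slirp4netns "$(cat "$OVERRIDE_PATH")"; then
    echo "port driver: slirp4netns (client IPs reach the containers)"
else
    echo "port driver: builtin/default (containers see the Docker gateway IP)"
fi

if command -v sysctl >/dev/null 2>&1 && port_start_allows_web_ports "$(sysctl -n "$SYSCTL_KEY" 2>/dev/null)"; then
    echo "$SYSCTL_KEY allows binding 80/443 without root"
else
    echo "$SYSCTL_KEY blocks 80/443 for slirp4netns; set it to 0 in /etc/sysctl.conf"
fi

# Constructed sample: two failures hidden behind the gateway, one with a real client IP.
SAMPLE_LOG='Login failed: alice (Remote IP: 172.19.0.1)
Login failed: bob (Remote IP: 172.19.0.1)
Login failed: carol (Remote IP: 203.0.113.7)
Session token created for alice'
echo "login failures attributed to the gateway in sample: $(printf '%s\n' "$SAMPLE_LOG" | count_masked_login_failures 172.19.0.1)"
```

Run it as the user that owns the rootless Docker daemon, since the override lives under that user's ~/.config; feed real log lines (e.g. from the Nextcloud admin log export) into count_masked_login_failures with the gateway address from `docker network inspect` to confirm whether the throttle is keying on one shared address.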

Hi, would you mind opening a PR that improves the documentation? :)

szaimen avatar May 13 '24 16:05 szaimen

Hi @ccaccb, can you please retest this with v9.1.0 or higher, as we did some changes internally that work around having to configure this?

szaimen avatar Jul 12 '24 09:07 szaimen

Hi @ccaccb, can you please retest this with v9.1.0 or higher, as we did some changes internally that work around having to configure this?

I just tried by removing ~/.config/systemd/user/docker.service.d/override.conf but I still get

Login failed: abcdefg (Remote IP: 127.0.0.1) 

ccaccb avatar Jul 15 '24 18:07 ccaccb