How does Docker use ports 2375 and 4243?

Tags: docker, port

I see various instances of ports 2375 and 4243 being used for seemingly the same thing while searching the internet. Also, my local machine requires I use 2375 to connect whereas when I push it to our CI server it requires it be set to 4243.

What does Docker use these ports for and how do they differ?

Score: 278
TerekC asked Apr 13 '17 19:04


People also ask

How do ports work in Docker?

Port mapping is used to access the services running inside a Docker container. We open a host port to give us access to a corresponding open port inside the Docker container. Then all the requests that are made to the host port can be redirected into the Docker container.

What port is 2375?

It is conventional to use port 2375 for un-encrypted, and port 2376 for encrypted communication with the daemon. If you're using an HTTPS encrypted socket, keep in mind that only TLS 1.0 and greater are supported. Protocols SSLv3 and under are not supported anymore for security reasons.

Does Docker use port 8080?

Docker also finds ports you expose with --expose 8080 (assuming you want to expose port 8080). Docker maps all of these ports to a host port within a given ephemeral port range. You can find the configuration for these ports (usually 32768 to 61000) in /proc/sys/net/ipv4/ip_local_port_range.


1 Answer

The docker socket can be configured on any port with the dockerd -H option. Common docker ports that I see include:

  • 2375: unencrypted docker socket, remote root passwordless access to the host
  • 2376: tls encrypted socket, most likely this is your CI server's 4243 port as a modification of the https 443 port
  • 2377: swarm mode socket, for swarm managers, not for docker clients
  • 5000: docker registry service
  • 4789 and 7946: overlay networking

Only the first two are set with dockerd -H, swarm mode can be configured as part of docker swarm init --listen-addr or docker swarm join --listen-addr.

I strongly recommend disabling the 2375 port and securing your docker socket. It's trivial to exploit this port remotely to gain full root access without a password. The command to do so is as simple as:

docker -H $your_ip:2375 run -it --rm \
  --privileged -v /:/rootfs --net host --pid host busybox

That can be run on any machine with a docker client to give someone a root shell on your host with the full filesystem available under /rootfs, your network visible under ip a, and every process visible under ps -ef.

To set up TLS security on the docker socket, see these instructions: https://docs.docker.com/engine/security/https/

Score: 56
BMitch answered Sep 24 '22 03:09
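The answer above describes the risk in terms of which listener dockerd is given with -H (or the "hosts" key in daemon.json) and whether TLS client verification is on. The following is an added example, not code from the answer or from the Docker project: a small offline audit that reads either a dockerd command line or a daemon.json document and classifies each TCP listener the way the answer does (2375 without TLS is root-equivalent for anyone who can reach it; 2376 with tlsverify requires a client certificate). The sample command line, the daemon.json content and the /etc/docker/*.pem paths are constructed placeholders; the flag and key names (-H, --host, --tls, --tlsverify, "hosts", "tlsverify", "tlscacert", "tlscert", "tlskey") are the real dockerd ones.

```python
"""Offline audit of how a Docker daemon is configured to listen.

Added example, not part of the original answer. It never contacts a
daemon; it only inspects a constructed dockerd command line or a
daemon.json document and reports findings per listener.
"""
import json
import shlex
from urllib.parse import urlsplit

PLAIN_PORT = 2375   # conventional unencrypted API port
TLS_PORT = 2376     # conventional TLS API port
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}   # bind addresses that expose the API network-wide


def hosts_from_argv(cmdline):
    """Pull -H/--host values and the TLS switches out of a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts, tls = [], {"tls": False, "tlsverify": False}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            i += 1
            hosts.append(argv[i])
        elif arg.startswith("--host="):
            hosts.append(arg[len("--host="):])
        elif arg.startswith("-H"):                      # joined form: -Htcp://...
            hosts.append(arg[2:])
        elif arg in ("--tls", "--tls=true"):
            tls["tls"] = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls["tlsverify"] = True
        i += 1
    return hosts, tls


def hosts_from_daemon_json(text):
    """Same information read from a daemon.json document."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), {
        "tls": bool(cfg.get("tls", False)),
        "tlsverify": bool(cfg.get("tlsverify", False)),
    }


def audit(hosts, tls):
    """Return (severity, host, message) findings, one per non-local listener."""
    findings = []
    for host in hosts:
        u = urlsplit(host)
        if u.scheme in ("unix", "fd", "npipe"):
            continue  # local endpoints are guarded by filesystem/ACL permissions, not by TLS
        if u.scheme != "tcp":
            findings.append(("warn", host, "unrecognised listener scheme"))
            continue
        exposure = "all interfaces" if u.hostname in ALL_INTERFACES else str(u.hostname)
        if not tls["tlsverify"]:
            how = "encrypted but unauthenticated" if tls["tls"] else "unencrypted"
            findings.append(("critical", host,
                             f"{how} API on {exposure}: anyone who can reach it gets root on the host"))
        elif u.port == PLAIN_PORT:
            findings.append(("info", host,
                             f"tlsverify on, but {PLAIN_PORT} is the conventional plaintext port; "
                             f"{TLS_PORT} is expected"))
        else:
            findings.append(("ok", host, f"tlsverify on, client certificate required ({exposure})"))
    return findings


def worst(findings):
    """Collapse a findings list to its highest severity ("ok" when there is none)."""
    order = {"critical": 3, "warn": 2, "info": 1, "ok": 0}
    return max((f[0] for f in findings), key=order.get, default="ok")


# Constructed inputs: the weak setup the answer warns about, and a TLS setup of the
# kind the linked Docker instructions describe (certificate paths are placeholders).
WEAK_CMDLINE = "dockerd -H fd:// -H tcp://0.0.0.0:2375"
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, (hosts, tls) in (("weak", hosts_from_argv(WEAK_CMDLINE)),
                                ("hardened", hosts_from_daemon_json(HARDENED_DAEMON_JSON))):
        results = audit(hosts, tls)
        print(f"[{label}] overall: {worst(results)}")
        for sev, host, msg in results:
            print(f"  {sev:8} {host:34} {msg}")
```

Run it as a script and the weak command line is reported as critical while the hardened daemon.json is reported as ok; the same two functions can be pointed at a real /etc/docker/daemon.json or the dockerd line from `ps` output to check a host you administer. Note that `--tls` alone only encrypts the connection; it is `--tlsverify` (client certificates signed by your CA) that turns the listener into something other than a passwordless root service, which is why the audit treats the two differently.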