99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments

[ecsserver] Make address configurable

nVlast opened this issue · comments

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

I'm trying to configure the ECS server with Docker as shown here on Linux (Debian 11). I didn't manage to make it work. As I tried to find out what's going on I tracked the issue down to the ecs server listening on the 127.0.0.1 interface. When I changed that to the address of my Docker daemon I managed to get it working. I'm thinking that maybe the different way docker is set up in these platforms causes this but I wasn't able to find any related documentation.

Would you consider making the ECS server address configurable, or does this pose a security risk? Maybe we could somehow query the OS to get the Docker daemon's address instead?

I saw that #810 seems similar but it refers to --server and it seems people there managed to make it work on Linux at some point.

Also, if that feature is meant to work only on macOS that's ok.

I have exactly the same issue; I was about to open one. I made it work on macOS with Docker Desktop, but it is not working on Linux with docker-engine.
It seems the issue is that the ecs-server is only listening on the loopback (127.0.0.1), which is not reachable from Docker on Linux.
@mtibben, an easy fix, instead of making it configurable, would be to make the server listen on 0.0.0.0, which is what is recommended here: https://stackoverflow.com/a/73859760/5024020

I've tested this with a random Python server listening locally on 0.0.0.0:8000, and it is reachable from the Docker container, while if it is listening on 127.0.0.1:8000 it is not.

It seems to me the problem is that the proxy is proxying the host host.docker.internal, but this may not be present on Linux?

Have a read of https://stackoverflow.com/questions/24319662/from-inside-of-a-docker-container-how-do-i-connect-to-the-localhost-of-the-mach.

Does adding

extra_hosts:
    - "host.docker.internal:host-gateway"

to the docker-compose file work?

Yes, as I said, we need to add the extra_hosts entry in the docker compose file, otherwise it won't work.
But even then, the listening interface is important, as indicated here: https://stackoverflow.com/a/73859760/5024020

Came here to open this issue also!

I can understand the totally reasonable default choice of not using 0.0.0.0 because that leaves your ECS server open to your entire network, even if there is a secret involved.

Listening on the default bridge interface works and will be more secure than 0.0.0.0.

You can get that with

docker network inspect bridge | jq '.[0].IPAM.Config[0].Gateway'

> Listening on the default bridge interface works and will be more secure than 0.0.0.0.

This would be a great solution, as this is the original intention of the mechanism (if I'm not missing something).

@mtibben would you consider either @awilkins' suggestion or making the interface configurable acceptable for the project?
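As an added example (not code from the aws-vault project or from anyone in this thread), here is how the bridge-gateway suggestion above could be turned into a bind-address check in Go: it parses the same `docker network inspect bridge` JSON that the jq one-liner reads (a constructed sample is embedded so it runs offline) and refuses 0.0.0.0 in favour of loopback or a private bridge address. The `ListenAddr` policy, the `network` struct and the sample JSON are assumptions for illustration, not aws-vault's own code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Constructed sample of `docker network inspect bridge` output, trimmed to the fields used.
const sampleInspect = `[{"Name":"bridge","IPAM":{"Config":[{"Subnet":"172.17.0.0/16","Gateway":"172.17.0.1"}]}}]`

type network struct {
	IPAM struct {
		Config []struct {
			Gateway string `json:"Gateway"`
		} `json:"Config"`
	} `json:"IPAM"`
}

// BridgeGateway reads .[0].IPAM.Config[0].Gateway, the field the jq one-liner above selects.
func BridgeGateway(inspectJSON []byte) (string, error) {
	var nets []network
	if err := json.Unmarshal(inspectJSON, &nets); err != nil {
		return "", err
	}
	if len(nets) == 0 || len(nets[0].IPAM.Config) == 0 {
		return "", fmt.Errorf("no IPAM config in inspect output")
	}
	return nets[0].IPAM.Config[0].Gateway, nil
}

// ListenAddr is a hypothetical bind policy (not aws-vault's own): loopback or a
// private address such as the bridge gateway is accepted; 0.0.0.0, which would
// expose the credential server on every interface of the host, is refused.
func ListenAddr(host string, port int) (string, error) {
	ip := net.ParseIP(host)
	switch {
	case ip == nil:
		return "", fmt.Errorf("invalid IP %q", host)
	case ip.IsUnspecified():
		return "", fmt.Errorf("refusing %s: binds all interfaces", host)
	case !ip.IsLoopback() && !ip.IsPrivate():
		return "", fmt.Errorf("refusing %s: not loopback or a private network", host)
	}
	return net.JoinHostPort(host, fmt.Sprint(port)), nil
}

func main() {
	gw, _ := BridgeGateway([]byte(sampleInspect))
	fmt.Println(ListenAddr(gw, 12345)) // 172.17.0.1:12345 <nil>
}
```

On a real host the JSON would come from running `docker network inspect bridge`; the container side still needs the extra_hosts mapping discussed earlier to resolve host.docker.internal to that gateway.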

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.