Hi there,

We have been using Docker 1.10.3 for a while to run containers with no outbound access to the external Internet. We have configured iptables on the external host to manage this, and we run the docker containers with --net=host.

This has worked just fine until now. However, we just upgraded our testing environment to 1.11.0 and now the containers appear to have full access to the Internet.

Our IPTables on the external host looks like this:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             localhost           
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
REJECT     all  --  anywhere             anywhere             owner GID match unregistered_users reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             owner GID match registered_users reject-with icmp-port-unreachable

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere    

We haven’t been able to find anything in the 1.11.0 release notes that mentions anything like this, and we’re not sure how the containers are getting through the IPTables restrictions.

Any advice much appreciated!

Aha! We worked it out. You can see that the IPTables config was dependent on users being in one of two specific groups, either unregistered_users or registered_users. We were starting our containers using -u uid. Previously that put the user inside the container into the same group as they would be outside. But in 1.11.0, it appears to put them in group 0.

This seems to be something very specific with our docker image, not a general thing – I’ve tried a simple docker run -ti -u 33 ubuntu /bin/bash to start a normal Ubuntu container as www-data, and it’s in the right group.