Profile Applicability:

  • Level 1 

Description:

The Docker userland proxy (the docker-proxy process) is started by the daemon for each port published from a container on the default bridge network. It forwards traffic in the cases the kernel's iptables NAT rules do not cover, chiefly connections to a published port from the host's own loopback address and hairpin connections from other containers on the same bridge. On current kernels these cases can be handled by hairpin NAT inside the kernel instead, so the proxy can be disabled; doing so removes a per-port process that runs with the daemon's privileges, reduces forwarding overhead, and takes the proxy's code out of the host's attack surface.

Rationale:

The userland proxy is a separate, privileged user-space process that sits in the data path of every published port. Each instance is additional code exposed to container and network traffic and one more component that has to be patched, and copying packets through user space costs throughput and latency. Disabling it leaves port forwarding to the kernel's iptables NAT rules, which removes those processes, shrinks the attack surface of the host's network stack, and improves network performance.

Impact:

Pros:

  • Reduces security risks by removing the need for additional proxy processes.

  • Improves network performance by eliminating the overhead of userland proxying.

Cons:

  • Without the proxy, Docker depends on the kernel's hairpin NAT (iptables) for published ports. On hosts where Docker's iptables management is turned off or the kernel lacks hairpin NAT support, published ports may stop being reachable from the host's loopback address or from other containers on the same bridge. Some legacy applications and container setups therefore still require the proxy, so compatibility testing is necessary before disabling it.

Default Value:

The userland proxy is enabled by default: dockerd runs with userland-proxy set to true unless it is set to false in /etc/docker/daemon.json or with the --userland-proxy=false daemon flag.

Pre-requisites:

  • Docker installed and running.

  • Administrative privileges to modify Docker configuration.

Remediation:

Test Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker (for example with EC2 Instance Connect or Session Manager from the console).

  2. The setting does not appear in docker info output, so check the daemon configuration file and the running daemon's command line, and look for live proxy processes:

grep -s '"userland-proxy"' /etc/docker/daemon.json
ps -o args= -C dockerd
pgrep -a docker-proxy

The proxy is disabled if the first command prints "userland-proxy": false or the second shows --userland-proxy=false; if neither mentions the option, the default (enabled) applies. Any docker-proxy processes listed by the third command are proxies running for currently published ports.

Using AWS CLI:

  1. Send the same checks to the instance through SSM Run Command (the instance must have the SSM agent and an instance role that allows it):

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["grep -s userland-proxy /etc/docker/daemon.json; ps -o args= -C dockerd; pgrep -a docker-proxy || echo no-docker-proxy-processes"]}'

  2. Read the result using the CommandId returned by the previous call; absence of "userland-proxy": false in daemon.json and of --userland-proxy=false on the dockerd command line means the proxy is enabled:

aws ssm get-command-invocation --command-id command_id --instance-id instance_id --query StandardOutputContent --output text

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Add "userland-proxy": false to the Docker daemon configuration file /etc/docker/daemon.json, keeping any settings already in the file. The file must remain valid JSON, and the option must not also be passed to dockerd as a --userland-proxy flag, because dockerd refuses to start when a directive is set both in the file and on the command line. With no other settings present the file is:

    {
      "userland-proxy": false
    }

  3. Restart Docker to apply the change (this stops running containers unless live restore is enabled, so schedule it accordingly):

sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM Run Command to write the setting and restart Docker. The command below replaces /etc/docker/daemon.json, so use it only on hosts where the file holds no other settings; otherwise merge the key into the existing file. AWS-RunShellScript already executes as root, so sudo is not needed, and the quoting below passes the JSON through the shell intact:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["printf \"{\\\"userland-proxy\\\": false}\\n\" > /etc/docker/daemon.json","systemctl restart docker"]}'
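The audit and remediation steps above can be automated on the host itself. The script below is an added example, not part of this benchmark item or of Docker: it works out the value dockerd is actually running with (command-line flag, else daemon.json, else the built-in default), refuses the flag-plus-file combination that dockerd itself rejects, and with --fix merges "userland-proxy": false into daemon.json without discarding other settings, keeping a backup for the backout plan. It assumes the default config path /etc/docker/daemon.json and a Linux host where the running dockerd command line can be read from /proc.

```python
#!/usr/bin/env python3
"""Audit and fix Docker's userland-proxy setting (added example, not benchmark code)."""
import json
import os
import shutil
import sys
from typing import List, Optional

DAEMON_JSON = "/etc/docker/daemon.json"  # assumed default --config-file path
DEFAULT_USERLAND_PROXY = True            # dockerd's built-in default


def flag_value(dockerd_args: List[str]) -> Optional[bool]:
    """--userland-proxy from the dockerd command line, or None if absent.
    Accepts '--userland-proxy=false', '--userland-proxy false' and a bare
    '--userland-proxy' (which, like any boolean flag, means true)."""
    for i, arg in enumerate(dockerd_args):
        if arg.startswith("--userland-proxy="):
            return arg.split("=", 1)[1].strip().lower() == "true"
        if arg == "--userland-proxy":
            nxt = dockerd_args[i + 1].lower() if i + 1 < len(dockerd_args) else ""
            return nxt == "true" if nxt in ("true", "false") else True
    return None


def config_value(daemon_json_text: Optional[str]) -> Optional[bool]:
    """'userland-proxy' from daemon.json text, or None when file or key is absent."""
    if not daemon_json_text or not daemon_json_text.strip():
        return None
    val = json.loads(daemon_json_text).get("userland-proxy")
    if val is not None and not isinstance(val, bool):
        raise ValueError("userland-proxy must be a JSON boolean, got %r" % (val,))
    return val


def effective_userland_proxy(daemon_json_text: Optional[str],
                             dockerd_args: List[str]) -> bool:
    """The value dockerd runs with: flag, else daemon.json, else the default.
    dockerd refuses to start when a directive is given both as a flag and in
    daemon.json, so that combination is an error rather than silently resolved."""
    cli, cfg = flag_value(dockerd_args), config_value(daemon_json_text)
    if cli is not None and cfg is not None:
        raise ValueError("userland-proxy set both on the command line and in daemon.json")
    if cli is not None:
        return cli
    if cfg is not None:
        return cfg
    return DEFAULT_USERLAND_PROXY


def set_userland_proxy(daemon_json_text: Optional[str], enabled: bool) -> str:
    """daemon.json text with userland-proxy set; every other key is preserved."""
    cfg = json.loads(daemon_json_text) if daemon_json_text and daemon_json_text.strip() else {}
    cfg["userland-proxy"] = enabled
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"


def running_dockerd_args() -> List[str]:
    """Command line of the running dockerd read from /proc, or [] if not running."""
    if not os.path.isdir("/proc"):
        return []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                parts = [p.decode(errors="replace") for p in f.read().split(b"\0") if p]
        except OSError:
            continue
        if parts and os.path.basename(parts[0]) == "dockerd":
            return parts
    return []


def main(argv: List[str]) -> int:
    """Usage: userland_proxy.py [--fix]; exit 0 when the proxy is disabled."""
    text = open(DAEMON_JSON).read() if os.path.exists(DAEMON_JSON) else None
    args = running_dockerd_args()
    try:
        enabled = effective_userland_proxy(text, args)
    except ValueError as e:
        print("ERROR: %s" % e, file=sys.stderr)
        return 1
    print("userland-proxy effective value: %s" % enabled)
    if not enabled:
        return 0
    if "--fix" not in argv:
        return 1
    if flag_value(args) is not None:  # writing the file too would make dockerd fail to start
        print("set by a dockerd flag; change the service unit instead", file=sys.stderr)
        return 1
    if text is not None:
        shutil.copy2(DAEMON_JSON, DAEMON_JSON + ".bak")  # kept for the backout plan
    with open(DAEMON_JSON, "w") as f:
        f.write(set_userland_proxy(text, False))
    print("wrote %s; run 'systemctl restart docker' to apply" % DAEMON_JSON)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments as the audit (exit status 0 means disabled) and with --fix as the remediation; the daemon still has to be restarted afterwards, exactly as in the manual steps, and daemon.json.bak holds the previous file for the backout plan.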

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.

  2. Revert the setting by editing /etc/docker/daemon.json and setting "userland-proxy": true (or removing the key, since true is the default), leaving the file's other settings in place:

    {
      "userland-proxy": true
    }

  3. Restart Docker:

sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM Run Command to revert the setting and restart Docker. As with the implementation step, this replaces /etc/docker/daemon.json, so merge the key into the existing file instead if it holds other settings:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["printf \"{\\\"userland-proxy\\\": true}\\n\" > /etc/docker/daemon.json","systemctl restart docker"]}'

References: