Following the Setting up the Development Environment instructions to build SCION results in running a Bazel remote cache in a Docker container. The container and remote cache are configured to allow connections from anywhere without authentication. This is a potential security risk if the machine building SCION is connected to the Internet, as the build cache will be accessible to unauthorized third-parties.
I'm not sure if this is the intended behavior or a bug, but it was certainly surprising to me. The documentation should at least warn about the implications of running a local build cache. The minimal Bazel build instructions already recommend disabling the remote cache, but don't mention anything about exposing the cache to other hosts either.
There seems to have been an attempt at limiting the remote cache to listen only on localhost with "--host=127.0.0.1" in bazel-remote.yml. That setting is deprecated and not effective in v2.3.3 of bazel-remote. The cache's HTTP server binds to *:8080 anyway.
I've tried to bind the cache only to localhost by setting --http_address=127.0.0.1:8080 and --grpc_address=127.0.0.1:9092 which replace the deprecated --host option, but that still leaves a listening socket at *:6060. I couldn't find any mention of that port in the documentation. Perhaps it would be best to remove the network_mode: host option from the Docker Compose file and expose only the necessary ports.
Following the Setting up the Development Environment instructions to build SCION results in running a Bazel remote cache in a Docker container. The container and remote cache are configured to allow connections from anywhere without authentication. This is a potential security risk if the machine building SCION is connected to the Internet, as the build cache will be accessible to unauthorized third-parties.
I'm not sure if this is the intended behavior or a bug, but it was certainly surprising to me. The documentation should at least warn about the implications of running a local build cache. The minimal Bazel build instructions already recommend disabling the remote cache, but don't mention anything about exposing the cache to other hosts either.
There seems to have been an attempt at limiting the remote cache to listen only on localhost with
"--host=127.0.0.1"in bazel-remote.yml. That setting is deprecated and not effective in v2.3.3 of bazel-remote. The cache's HTTP server binds to *:8080 anyway.I've tried to bind the cache only to localhost by setting
--http_address=127.0.0.1:8080and--grpc_address=127.0.0.1:9092which replace the deprecated--hostoption, but that still leaves a listening socket at *:6060. I couldn't find any mention of that port in the documentation. Perhaps it would be best to remove thenetwork_mode: hostoption from the Docker Compose file and expose only the necessary ports.