100501 (1) [Avatar] Offline
#1
The text regarding starting the docker daemon with the argument "-H tcp://0.0.0.0" (page 56):
“opens up to all IP addresses (with 0.0.0.0), ”

is misleading. It means bind to all network interfaces using their IP address. So if a host has one network interface with one IP, the docker daemon will be available at that one address (on the specified port). This has nothing to do with IP addresses used to connect to the docker daemon.
The footnote (page 57):
“BEWARE: If you open your daemon up, be sure to open up to a specific IP range only, and not to 0.0.0.0, which is highly insecure!”

is also misleading: the only danger is that one might not want the daemon available on all the network interface addresses. Not sure you can even specify a range, and this would not be helpful if, for example, one had network addresses of "10.1.0.50" and "15.122.12.55" -- you'd just want to specify these IP's. Again, there is no restriction on incoming IP addresses.
See the docker documentation: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option
Ian Miell (17) [Avatar] Offline
#2
Yes, absolutely right - we'll change this in the second edition.
Ian