Reputation: 661
How can I set up a Docker network with restricted communication?
I'm trying to create something like this:
The server containers each have port 8080 exposed, and accept requests from the client, but crucially, they are not allowed to communicate with each other.
The problem here is that the server containers are launched after the client container, so I can't pass container link flags to the client like I used to, since the containers it's supposed to link to don't exist yet.
I've been looking at the newer Docker networking stuff, but I can't use a bridge because I don't want server cross-communication to be possible. It also seems to me like one bridge per server doesn't scale well, and would be difficult to manage within the client container.
Is there some kind of switch-like docker construct that can do this?
Upvotes: 4
Views: 515
Answers (2)
Reputation: 2127
It seems like you will need to create multiple bridge networks, one per container. To simplify that, you may want to use docker-compose to specify how the networks and containers should be provisioned, and have the docker-compose tool wire it all up correctly.
Resources:
- https://docs.docker.com/engine/userguide/networking/dockernetworks/
- https://docs.docker.com/compose/
- https://docs.docker.com/compose/compose-file/#version-2
One more side note: I think that exposed ports are accessible to all networks. If that's right, you may be able to set all of the server networking to none and rely on the exposed ports to reach the servers.
Upvotes: 1
Reputation: 2823
Hope this is relevant to your use-case - I'm attempting to draw context regards your actual application from the diagram and comments. I'd recommend you go the Service Discovery route. It may involve a little bit of simple API over a central store (say Redis, or SkyDNS), but would make things simple in the long run.
Kubernetes, for instance, uses SkyDNS to do so with DNS. At the end of the day, any orchestration tool of your choice would most likely do something like this out of the box: https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dns
The idea is simple:
- Use a DNS container that keeps entries of newly spawned servers
- Allow the Client Container to query it for a list of servers. e.g. Picture a DNS response with a bunch of
server-<<ISO Timestamp of Server Creation>>s - Disallow client containers read-access to this DNS (how to manage this permission-configuration without indirection, i.e. without proxying through an endpoint that allows writing into the DNS Container, but not reading, is going to exotic)
Bonus Edit: I just realised you can use a simpler Redis-like setup to do this, and that DNS might just be overengineering :)
Upvotes: 0
Related Questions
- How do I get into a Docker container's shell?
- How to copy files from host to Docker container?
- How to copy Docker images from one host to another without using a repository
- How to force Docker for a clean build of an image
- How is Docker different from a virtual machine?
- How to get a Docker container's IP address from the host
- How to remove old Docker containers
- Difference between links and depends_on in docker_compose.yml