Reputation: 1801
How to access swarm services on a multi-host docker swarm
For a docker swarm, let's say that the services are named: abc, pqr, xyz.
If the services are placed on the same host, they are able to access each other by http://pqr/a or http://xyz/a,
but if they are on different hosts they are not able to access each other by http://pqr/a or http://xyz/a. Even ping to the other service names is not working.
docker service create --constraint 'node.labels.momachinename == t4301' --name abc --network=ni_default mo-vo:7.10.0s node /a/src/start.js
docker service create --constraint 'node.labels.momachinename == t4302' --name pqr --network=ni_default mo-vo:7.10.0s node /a/src/start.js
docker network ls
NETWORK ID NAME DRIVER SCOPE
d7478273de19 bridge bridge local
485112e08c0f docker_gwbridge bridge local
c8a75eb27f1f host host local
5rmqgswur2lp ingress overlay swarm
q26p8tdr0xw6 networld overlay swarm
d2kf3bfdbmol ni_default overlay swarm
64094b86b804 none null local
Upvotes: 0
Views: 548
Reputation: 265120
From your symptoms, it sounds like you have the containers running on the same overlay network and can communicate using DNS resolution on the same host, but you're just having problems between hosts. For overlay networking between hosts, you need the following firewall rules:
iptables -A INPUT -p tcp -m tcp --dport 7946 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 7946 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4789 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
That's port 7946 for tcp/udp (this is the control port), port 4789 for tcp (this is the data port), and protocol 50 (needed for secure networks using IPSEC).
Upvotes: 1
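An added example, not part of the answer above: a small audit of a node's INPUT rules for the overlay openings. It assumes the protocols Docker's documentation lists (7946 over both TCP and UDP, 4789 over UDP for the VXLAN data path) plus protocol 50 (ESP) for encrypted overlays. The helper name `missing_overlay_rules` and the sample rules are constructed for illustration. It only recognises single-port ACCEPT rules and does not evaluate rule order, chain policy or multiport matches.

```shell
#!/bin/sh
# Added example: report which swarm overlay openings have no ACCEPT rule.
# Input: rules on stdin, in `iptables -S` form or as full iptables commands.
# missing_overlay_rules is a hypothetical helper name, not a Docker tool.

missing_overlay_rules() {
    awk '
    /-A INPUT/ && /-j ACCEPT/ {
        proto = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
        }
        if (proto == "50") proto = "esp"    # iptables -S prints the name
        key = (port == "") ? proto : proto "/" port
        seen[key] = 1
    }
    END {
        # Assumed requirement list: gossip (7946 tcp+udp), VXLAN data
        # (4789 udp), ESP for encrypted overlay networks.
        n = split("tcp/7946 udp/7946 udp/4789 esp", need, " ")
        for (i = 1; i <= n; i++)
            if (!(need[i] in seen)) print "missing " need[i]
    }'
}

# Constructed sample: a rule set that opens every port on TCP only.
# On a real node, feed it live rules: iptables -S INPUT | missing_overlay_rules
missing_overlay_rules <<'EOF'
-A INPUT -p tcp -m tcp --dport 7946 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4789 -j ACCEPT
-A INPUT -p esp -j ACCEPT
EOF
```

A node that passes this check can still drop overlay traffic if an earlier DROP or REJECT rule matches first, so read the result alongside the full chain. These openings are normally scoped to the other swarm nodes' addresses with `-s` rather than accepted from any source.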