Docker service exposed publicly though made to exp

2019-04-05 07:04发布

站内问答 / Docker
1534 2 4

I have created one service and exposed it to run only on localhost in one of my docker swarm node but I can access the service publicly too easily.

I have deleted and redeployed the docker stack but still same issue.

Here is my docker-compose.yml I have used to deploy the service in stack

version: "3"
networks:
    api-net:
        ipam:
            config:
                - subnet: 10.0.10.0/24

services:
    health-api:
        image: myprivateregistry:5000/healthapi:qa
        ports:
            - "127.0.0.1:9010:9010"
        networks:
            - api-net
        depends_on:
            - config-server
        deploy:
            mode: replicated
            replicas: 1
            placement:
                constraints:
                    - node.role == manager

I haven't added the service on which it depends as I don't think that is the problem.

Few says its not supported in docker swarm mode. Than what is solution in that case.

2条回答
The star\"
2楼-- · 2019-04-05 07:50

In order to access in swarm mode, you need to expose the port either to same or another port which would outside the container.

Something like this:

ports:
    - "80:80"
    - "443:443"
查看更多
0人赞 添加讨论(0) 举报
Juvenile、少年°
3楼-- · 2019-04-05 07:56

Quoting https://github.com/moby/moby/issues/32299#issuecomment-290978794:

On swarm mode, if you publish something (ports for stack deploy), it is published on the ingress network, and thus it is public. There is a few ways to get around, but putting kind/bug on that because we should at least warn people about that when doing a stack deploy with ports that have this notation (i.e. host:port:port).

To work around this, there is a few ways:

- first, you should publish mongo ports only if you want it to be public, otherwise, it is available through the name discovery bundle in docker (another container/service on the same network will be able to reach it through mongo dns name).
- If you want to publish it in the host and not in ingress (so not swarm public, just on the host it is running, same way as without swarm mode), you need to use ports expanded syntax.

... (example and some more details regarding the effect of the extended syntax).

So, the reason is Swarm's ingress network, which makes every port publicly available. The workaround using the extended syntax doesn't bind to the loopback interface, but to the host's 0.0.0.0 interface, which is still an improvement compared to an externally exposed port via the ingress network.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)